www.cigital.com
Dec10
Outline
Outline
- QA testing vs. security testing
- Cigital services
- Software security program
- Security testing
- Security testing framework
v1.2 Oct09
QA testing
- Checks that the app does what it's supposed to do
- Meets stated business requirements (!)
- Test cases derived from requirements
- Positive/negative test cases
- Test coverage (RTM)
- Ensures the app doesn't break/crash/etc.
- Many unstated requirements
- Exploratory testing
- Normal, expected use
- Corner cases, but within what a user might do
Security testing
- Checks that the app does not do what it's not supposed to do
- Requirement is implied, not in the business requirements
- Malicious/erroneous user input
- URL tampering
- Bypassing JavaScript
- Ensures the app doesn't break/crash/etc.
- Crash = potential exploit
- Misuse/abuse cases
- Actions the system should prevent
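An added example, not from the deck, that shows the two slides above in practice: one hypothetical server-side handler (handle_set_quantity for a constructed /cart/set?item=&qty= endpoint) is run against QA-style positive/negative cases and against security-style abuse cases (URL tampering, input the client-side JavaScript would never send), with a crash counted as a failure.

```python
# Added example, not part of the original deck; handler, endpoint and limit are constructed.
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

ORDER_LIMIT = 100  # constructed business rule: at most 100 units per line item


def handle_set_quantity(query_string: str) -> Tuple[int, Dict[str, object]]:
    """Server-side handler for /cart/set?item=<id>&qty=<n>.

    The page's JavaScript already limits qty to 1..ORDER_LIMIT, but that check
    is trivially bypassed, so every rule is re-applied here. Returns
    (http_status, body) and must never raise on bad input.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    item = params.get("item", [""])[0]      # first value wins on duplicate params
    qty_raw = params.get("qty", [""])[0]
    if not item.isalnum():
        return 400, {"error": "invalid item id"}
    try:
        qty = int(qty_raw)
    except ValueError:
        return 400, {"error": "qty must be an integer"}
    if not 1 <= qty <= ORDER_LIMIT:
        return 400, {"error": f"qty must be between 1 and {ORDER_LIMIT}"}
    return 200, {"item": item, "qty": qty}


# QA-style cases: derived from the stated requirement, normal expected use.
QA_CASES = [
    ("item=SKU42&qty=3", 200),  # positive case
    ("item=SKU42&qty=0", 400),  # negative case, just outside the allowed range
]

# Security-style abuse cases: what the client-side JavaScript would never send.
ABUSE_CASES = [
    ("item=SKU42&qty=-5", 400),                    # tampered: negative quantity
    ("item=SKU42&qty=99999999999999999999", 400),  # tampered: absurdly large
    ("item=SKU42&qty=3.5", 400),                   # tampered: non-integer
    ("item=SKU42&qty=", 400),                      # tampered: blank value
    ("item=SKU42", 400),                           # tampered: parameter removed
    ("item=../../etc/passwd&qty=1", 400),          # tampered: hostile item id
    ("item=SKU42&qty=1&qty=500", 200),             # duplicate param: first value wins
]


def run_cases(cases: List[Tuple[str, int]]) -> List[Tuple[str, int, object]]:
    """Return (query, expected, got) for every failing case. A handler that
    raises is recorded as a failure too, since a crash is a potential exploit."""
    failures: List[Tuple[str, int, object]] = []
    for query, expected in cases:
        try:
            status: object = handle_set_quantity(query)[0]
        except Exception as exc:  # deliberately broad: any crash is a finding
            status = f"crash: {exc!r}"
        if status != expected:
            failures.append((query, expected, status))
    return failures
```

Both lists pass against this handler; removing any one server-side check makes the corresponding abuse case show up in run_cases(ABUSE_CASES) while the QA cases still pass, which is exactly the gap the deck describes.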
Software security
- Secure design
- Secure coding
- Security testing
- Continuous integration

Software quality
- Agile testing
- Test automation
- Continuous integration
- Test process improvement
Security scanning platform
- Security code review
- Security testing
- Continuous integration

Quality assurance
- Agile testing
- Test automation
- Continuous integration
Code review
- Bug patterns in code
- Coding defects
- Quality/reliability defects
- Automation: HP Fortify
- Think CheckStyle, PMD
- Ant, Maven integration
Penetration testing
- Security test injection
- Configuration defects
- Exploit proofs-of-concept
- Automation: IBM AppScan
- Think QTP, WinRunner
- QualityCenter integration
Thank you