Security

Conference Presentations

Better Security Testing: Using the Cloud and Continuous Delivery

Even though many organizations claim that security is a priority, that claim doesn’t always translate into supporting security initiatives in software development or test. Security code reviews often are overlooked or avoided, and when development schedules fall behind, security testing...

Gene Gotimer, Coveros, Inc.
T23 HTML5 Security Testing at Spotify

HTML5 is one of the hottest technologies around right now because HTML5 apps are beautiful, engaging, and can perform important and entertaining functions. With the wide range of devices and platforms to support, the promise of multi-platform support is appealing. 

Alexander Andelkovic, Spotify
Protection Poker: An Agile Security Game

Each time a new feature is added to a product, developers need to consider the security risk implications, find ways to securely implement the function, and develop tests to confirm that the risk is gone or significantly lowered. Laurie Williams shares a Wideband Delphi practice called Protection Poker she's employed as a collaborative, interactive, and informal agile structure for "misuse case" development and threat modeling. Laurie shares the case study results of a software development team at Red Hat that used Protection Poker to identify security risks, find ways to mitigate those risks, and increase security knowledge throughout the team. In this session, Laurie leads an interactive Protection Poker exercise in which you and other participants analyze the security risk of sample new features and learn to collaboratively think like an attacker.

Laurie Williams, North Carolina State University
Information Obfuscation: Protecting Corporate Data

With corporate data breaches occurring at an ever-alarming rate, all levels of organizations are struggling with ways to protect corporate data assets. Rather than choosing one or two of the many options available, Michael Jay Freer believes that the best approach is a combination of tools and practices to address the specific threats. To get you started, Michael Jay introduces the myriad of information security tools companies are using today: firewalls, virus controls, access and authentication controls, separation of duties, multi-factor authentication, data masking, banning user-developed MS-Access databases, encrypting data (both in-flight and at-rest), encrypting emails and folders, disabling jump drives, limiting web access, and more. Then, he dives deeper into data masking and describes a powerful data-masking language.

Michael Jay Freer, Quality Business Intelligence
Danger! Danger! Your Mobile Applications Are Not Secure

A new breed of mobile devices with sophisticated processors and ample storage has given rise to sophisticated applications that move more and more data and business logic to devices. The result is significant and potentially dangerous security challenges, especially for location-aware mobile applications and those storing sensitive or valuable data on devices. To counter these risks, Johannes Ullrich introduces and demonstrates design strategies you can use to make applications safer and less vulnerable. Johannes illustrates design patterns to: co-validate data on both the client and server; authenticate transactions on the server; and store only authenticated and access-controlled data on the client. Learn to apply these solutions without losing access to powerful HTML5 JavaScript APIs such as those required for location-based mobile applications.

Johannes Ullrich, SANS Technology Institute
Penetration Testing Demystified

Penetration testing is a method of evaluating the security of a system by maliciously attacking it and analyzing its possible weaknesses. Penetration testing uses a suite of tests, generally performed in a gray-box fashion, to attack the system as real attackers would, approaching the system with attacker eyes, knowledge, skills, and tools. Edward Bonver explains why and how penetration testing should be done on any mission-critical system as part of a comprehensive security testing strategy. He describes the factors that influence the success of penetration testing, including testing environment readiness, technical information, and the availability of the product teams’ key contacts. You’ll learn the details behind penetration testing, common approaches, testing options, and best practices.

Edward Bonver, Symantec Corporation
Security Testing: Thinking Like an Attacker

Compared to traditional functional testing, security testing requires testers to develop the mindset of real attackers and proactively look for security vulnerabilities throughout the software development lifecycle. Using live demos, Frank Kim shows you how to think, and act, like a hacker. Rather than just talking about issues such as Cross Site Scripting (XSS), SQL Injection, and Cross Site Request Forgery (CSRF), Frank shows, live and in color, how hackers abuse potentially devastating defects by finding and exploiting vulnerabilities in a live web application. Find out how attackers approach the problem of gaining unauthorized access to systems. Discover the tools hackers have that you don't even know exist and how you can find critical security defects in your production apps. In this revealing session, you'll learn how to become a better tester and find serious security vulnerabilities in your systems before the bad guys do.

Frank Kim, ThinkSec
Is Open Source Too Open? Tips for Implementing a Governance Program

By next year, 90 percent of large enterprises will include open-source software as business critical elements of their IT portfolios. However, most software development organizations have limited capability to govern the process of selecting, managing, and distributing open-source components, leaving them exposed to unforeseen technical and compliance risks. Larry Roshfeld examines how open-source components, and their dependencies, may expose your company to unforeseen and unnecessary vulnerabilities. He outlines the significant threats to software quality, stability, performance, security, and intellectual property that have occurred using such components. Then, Larry shares an action plan for balancing the risk/reward trade-offs of open-source software in the enterprise. Find out how to ensure that your organization uses only the highest quality open-source components and avoids the common vulnerabilities.

Larry Roshfeld, Sonatype
Testing Application Security: The Hacker Psyche Exposed

Computer hacking isn’t a new thing, but the threat is real and growing even today. It is always the attacker’s advantage and the defender’s dilemma. How do you keep your secrets safe and your data protected? In today’s ever-changing technology landscape, the fundamentals of producing...

Mike Benkovich, Imagine Technologies, Inc.
Security Testing: The Foundations and More

Your organization is doing well with functional, usability, and performance testing. However, you know that software security is a key part of your assurance and compliance strategy for protecting applications and critical data. Left undiscovered, security-related defects can wreak havoc in a system when malicious invaders attack. If you don’t know where to start with security testing and don’t know what you are looking for, this session is for you. Alan Crouch describes how to get started with security testing, introducing foundational security testing concepts and showing you how to apply those security testing concepts with free and commercial tools and resources. Offering a practical risk-based approach, Alan discusses why security testing is important, how to use security risk information to improve your test strategy, and how to add security testing into your software development lifecycle.

Alan Crouch, Coveros, Inc.
