Conference Presentations

Building Secure Applications

The Internet is full of insecure applications that cost organizations money and time, while damaging their reputations when their systems are compromised. We need to build secure applications as never before, but most developers are not now, and never will be, security specialists. By incorporating security controls into the frameworks used to create applications, Tom Stiehm asserts that any organization can build security into its applications. Building security into a framework allows highly specialized security experts to create components that maximize your application security profile while reducing the need for your development teams to have specialized application security knowledge. Learn to pick the right places in your framework to insert security controls and then enforce their use. Join Tom to explore real-world security controls he's applied to commonly used application frameworks.

Thomas Stiehm, Coveros, Inc.

Mobile Applications Security

Mobile applications enable millions of users to have more fun, be more productive, and interact with their world in more ways than ever before. Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that interact directly with the mobile operating system. This diversity of architectures makes it a huge challenge to ensure that applications meet security requirements such as confidentiality and integrity. Targeted at beginners in the mobile development space, Scott Matsumoto introduces the basics of mobile applications (deployment, digital rights management, and the cellular network) and then addresses the popular attack vectors that attackers exploit. Scott explores the mobile threat model you must consider when developing mobile business applications.

Scott Matsumoto, Cigital

Can You Hear Me Now? Yes...and Everyone Else Can Too

Mobile devices, connected to the world through the Internet, web, networks, and messaging, are everywhere and expanding rapidly in numbers, functionality, and, unfortunately, security threats. Not many years ago, little attention was paid to mobile device security. Now we hear reports almost daily of phone email and messages being hacked, apps carrying worms, phishing via smart devices, and smart device fraud. People often keep their records, personal data, and financial records on, or accessible from, their mobile device, and organizations are using these devices to conduct critical business. Jon Hagar shares and analyzes case histories and examples of mobile application security failures. Based on this analysis, Jon summarizes these attacks and describes how to expose security bugs on these devices.

Jon Hagar, Consultant

Implementing a Security-focused Development Lifecycle

Assaults against digital assets are unquestionably on the rise. If you create applications that handle valuable assets, your code WILL be attacked. In addition to lost revenue and productivity, the consequences of compromised systems can include loss of trust, a tarnished reputation, and legal problems. Much like quality assurance, it’s important to have a holistic approach to security that unifies people, process, and technology. Cassio Goldschmidt introduces defense techniques that measurably reduce the number and severity of software vulnerabilities. These include secure coding techniques, minimizing the use of unsafe functions, use of compiler and linker security options, and specialized static analysis tools. Enrich your development lifecycle with threat modeling, security code review, penetration testing, and vulnerability management.

Cassio Goldschmidt, Symantec Corporation

Risk Identification, Analysis, and Mitigation in Agile Environments

Although risk identification, analysis, and mitigation are critically important parts of any software project, agile projects require non-traditional techniques that are much quicker and easier to use than classical risk techniques. James McCaffrey focuses not on theory but on realistic risk analysis methods that agile teams can readily implement with lightweight tools. James explains and demonstrates how you can employ taxonomy and storyboarding methods to recognize project meta-risks and identify product risks throughout the development lifecycle. Using “central moment” and “PERIL” techniques, you'll learn to analyze these risks and develop management and mitigation strategies dynamically, while the project is underway.

James McCaffrey, Volt VTE

Web Security Testing with Ruby

To ensure the quality and safety of Web applications, security testing is a necessity. So, how do you cover all the different threats: SQL injection, cross-site scripting, buffer overflows, and others? James Knowlton explains how Ruby combined with Watir, both freely available, makes a great toolset for testing Web application security. Testing many common security vulnerabilities requires posting data to a Web server through a client, which is exactly what Watir does. Ruby itself, a full-featured programming language, provides the tools for querying the database, checking audit logs, and other test-related processing. For example, you can use Ruby to generate random data or large datasets to throw at a Web application. James describes common security attacks and demonstrates step-by-step examples of testing these attack types with Ruby and Watir.

James Knowlton, McAfee, Inc.

STAREAST 2010: Tour-based Testing: The Hacker's Landmark Tour

Growing application complexity, coupled with the exploding increase in application surface area, has resulted in new quality challenges for testers. Some test teams are adopting a tour-based testing methodology because it’s incredibly good at breaking down testing into manageable chunks. However, hackers are paying close attention to systems and developing new targeted attacks to stay one step ahead. Rafal Los takes you inside the hacker’s world, identifying the landmarks hackers target within applications and showing you how to identify the defects they seek out. Learn what “landmarks” are, how to identify them from functional specifications, and how to tailor negative testing strategies to different landmark categories.

Rafal Los, Hewlett-Packard

You Can't Test Quality into Your Systems

Many organizations refer to their test teams and testers as QA departments and QA engineers. However, because errant systems can damage, even destroy, products and businesses, software quality must be the responsibility of the entire development team and every stakeholder. As the ones who find and report defects, and who sometimes carry the “quality assurance” moniker, the test community has a unique opportunity to take up the cause of error prevention as a priority. Jeff Payne paints a picture of team- and organization-wide quality assurance that is not the process-wonky, touchy-feely QA of the past that no one respects. Rather, it's tirelessly evaluating the software development artifacts beyond code; it’s measuring robustness, reliability, security, and other attributes that focus on product quality rather than process quality; it’s using risk management to drive business decisions around quality; and more.

Jeffery Payne, Coveros, Inc.

Integrating Security Testing into Your Process

Software quality is a priority for most organizations, yet many are still struggling to handle the volume of testing. Unfortunately, applications are frequently released with significant security risks. Many organizations rely on an overburdened security team to test applications late in development when fixes are the most costly, while others are throwing complex tools at test teams expecting the testers to master security testing with no formal processes and training. Danny Allan describes five steps to integrate security testing into the software development lifecycle. Danny shows how highly secure and compliant software applications begin with security requirements and include design, development, build, quality assurance, and transitional practices.

Danny Allan, IBM Rational

STARWEST 2008: Automating Security Testing with cUrl and Perl

Although all teams want to test their applications for security, our plates are already full with functional tests. What if we could automate those security tests? Fortunately, most Web-based and desktop applications submit readily to automated testing. Paco Hope explores two flexible, powerful, and totally free tools that can help automate security tests. cUrl is a free command-line tool that issues Web requests from scripts; Perl is a well-known programming language ideally suited to writing test scripts. Paco demonstrates the basics of automating tests with both tools and then explores some of the more complicated concerns that arise during automation: authentication, session state, and parsing responses. He then illustrates simulated malicious inputs and the resulting outputs that reveal whether the software has embedded security problems.

Paco Hope, Cigital
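The two automation talks above (James Knowlton's Ruby and Watir session, and Paco Hope's cUrl and Perl session) describe the same workflow: authenticate, keep the session cookie across requests, post simulated malicious inputs to a parameter, and parse each response for evidence of a vulnerability. The following is an added example written for this page in Ruby; it is not code from either presentation. To run offline it drives a constructed, deliberately vulnerable in-process application (FakeApp, with hypothetical /login and /search endpoints and made-up test credentials) through a pluggable transport instead of a Watir browser or cUrl; the SecurityScanner class, its payload lists, and its error patterns are the editor's own choices.

```ruby
require 'securerandom'

# Constructed stand-in for the application under test, so the example runs offline.
# Two endpoints: POST /login sets a session cookie; POST /search requires that cookie
# and is deliberately vulnerable to error-based SQL injection and reflected XSS.
class FakeApp
  SESSION_COOKIE = 'sid'.freeze

  def initialize
    @users = { 'alice' => 'correct horse' }   # constructed test credentials
    @sessions = {}                            # session id => username
  end

  # Request and response are plain hashes, roughly the shape a Rack adapter would use.
  def call(req)
    case [req[:method], req[:path]]
    when ['POST', '/login']  then login(req)
    when ['POST', '/search'] then search(req)
    else { status: 404, headers: {}, body: 'not found' }
    end
  end

  private

  def login(req)
    user, pass = req[:params].values_at('user', 'pass')
    return { status: 401, headers: {}, body: 'bad credentials' } unless @users[user] == pass

    sid = SecureRandom.hex(8)
    @sessions[sid] = user
    { status: 302, headers: { 'Set-Cookie' => "#{SESSION_COOKIE}=#{sid}; HttpOnly" }, body: '' }
  end

  def search(req)
    return { status: 401, headers: {}, body: 'login required' } unless @sessions[req[:cookies][SESSION_COOKIE]]

    q = req[:params]['q'].to_s
    sql = "SELECT * FROM items WHERE name = '#{q}'"   # vulnerable: string concatenation
    # A lone quote leaves the statement unbalanced; mimic the database's error response.
    return { status: 500, headers: {}, body: "SQL syntax error near '#{q}'" } if sql.count("'").odd?

    { status: 200, headers: {}, body: "<p>Results for #{q}</p>" }   # vulnerable: unescaped reflection
  end
end

# Security test driver: authenticates once, keeps the session cookie the way a browser
# would, posts attack payloads to one parameter, and classifies each response.
class SecurityScanner
  SQL_ERROR_PATTERNS = [/sql syntax/i, /unclosed quotation/i, /ORA-\d{5}/, /pg_query/i].freeze
  SQLI_PAYLOADS = ["'", "' OR '1'='1", "1; DROP TABLE items--"].freeze
  XSS_PAYLOADS  = ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>'].freeze

  attr_reader :findings

  # transport: any callable taking a request hash and returning a response hash.
  # Swap in a Net::HTTP- or Watir-backed callable to point the same scanner at a live site.
  def initialize(transport)
    @transport = transport
    @cookies = {}
    @findings = []
  end

  def login(path, user, pass)
    res = request('POST', path, 'user' => user, 'pass' => pass)
    res[:status] == 302 && !@cookies.empty?
  end

  # Fires every payload at one parameter and returns the accumulated findings.
  def scan_param(path, param)
    SQLI_PAYLOADS.each do |p|
      res = request('POST', path, param => p)
      record(:sql_injection, path, param, p) if SQL_ERROR_PATTERNS.any? { |re| res[:body].to_s.match?(re) }
    end
    XSS_PAYLOADS.each do |p|
      res = request('POST', path, param => p)
      # Reflected verbatim means no output encoding was applied; an escaped copy would read &lt;script&gt;.
      record(:xss, path, param, p) if res[:body].to_s.include?(p)
    end
    @findings
  end

  private

  def request(method, path, params)
    res = @transport.call(method: method, path: path, params: params, cookies: @cookies.dup)
    # Honour Set-Cookie so later requests carry the session, as a browser or a cUrl cookie jar does.
    if (set_cookie = res[:headers]['Set-Cookie'])
      name, value = set_cookie.split(';').first.split('=', 2)
      @cookies[name] = value
    end
    res
  end

  def record(type, path, param, payload)
    @findings << { type: type, path: path, param: param, payload: payload }
  end
end

if __FILE__ == $PROGRAM_NAME
  scanner = SecurityScanner.new(FakeApp.new.method(:call))
  abort 'login failed' unless scanner.login('/login', 'alice', 'correct horse')
  scanner.scan_param('/search', 'q').each do |f|
    puts format('%-14s %s %s payload=%p', f[:type], f[:path], f[:param], f[:payload])
  end
end
```

Against the constructed application the scan reports one SQL injection finding (the lone quote produces a database error; the balanced payloads return normally, which is why error-based detection alone misses blind injection) and two reflected XSS findings. Run without a prior login, every request is answered with "login required" and nothing is reported, which is the usual cause of false negatives when session handling is left out of an automated scan.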


StickyMinds is a TechWell community.