Security

Conference Presentations

Web Security Testing with Ruby

To ensure the quality and safety of Web applications, security testing is a necessity. So, how do you cover all the different threats: SQL injection, cross-site scripting, buffer overflow, and others? James Knowlton explains how Ruby combined with Watir, both freely available, makes a great toolset for testing Web application security. Testing many common security vulnerabilities requires posting data to a Web server via a client, exactly what Watir does. The Ruby side of Watir, a full-function programming language, provides the tools for querying the database, checking audit logs, and other test-related processing. For example, you can use Ruby to generate random data or large datasets to throw at a Web application. James describes common security attacks and demonstrates step-by-step examples of testing these attack types with Ruby and Watir.

James Knowlton, McAfee, Inc.

STAREAST 2010: Tour-based Testing: The Hacker's Landmark Tour

Growing application complexity, coupled with the exploding increase in application surface area, has resulted in new quality challenges for testers. Some test teams are adopting a tour-based testing methodology because it’s incredibly good at breaking down testing into manageable chunks. However, hackers are paying close attention to systems and developing new targeted attacks to stay one step ahead. Rafal Los takes you inside the hacker’s world, identifying the landmarks hackers target within applications and showing you how to identify the defects they seek out. Learn what “landmarks” are, how to identify them from functional specifications, and how to tailor negative testing strategies to different landmark categories.

Rafal Los, Hewlett-Packard

You Can't Test Quality into Your Systems

Many organizations refer to their test teams and testers as QA departments and QA engineers. However, because errant systems can damage, even destroy, products and businesses, software quality must be the responsibility of the entire development team and every stakeholder. As the ones who find and report defects, and sometimes carry the “quality assurance” moniker, the test community has a unique opportunity to take up the cause of error prevention as a priority. Jeff Payne paints a picture of team and organization-wide quality assurance that is not the process-wonky, touchy-feely QA of the past that no one respects. Rather, it's tirelessly evaluating the software development artifacts beyond code; it’s measuring robustness, reliability, security, and other attributes that focus on product quality rather than process quality; it’s using risk management to drive business decisions around quality; and more.

Jeffery Payne, Coveros, Inc.

Integrating Security Testing into Your Process

Software quality is a priority for most organizations, yet many are still struggling to handle the volume of testing. Unfortunately, applications are frequently released with significant security risks. Many organizations rely on an overburdened security team to test applications late in development when fixes are the most costly, while others are throwing complex tools at test teams expecting the testers to master security testing with no formal processes and training. Danny Allan describes five steps to integrate security testing into the software development lifecycle. Danny shows how highly secure and compliant software applications begin with security requirements and include design, development, build, quality assurance, and transitional practices.

Danny Allan, IBM Rational

STARWEST 2008: Automating Security Testing with cUrl and Perl

Although all teams want to test their applications for security, our plates are already full with functional tests. What if we could automate those security tests? Fortunately, most Web-based and desktop applications submit readily to automated testing. Paco Hope explores two flexible, powerful, and totally free tools that can help to automate security tests. cUrl is a free program that issues automatic basic Web requests; Perl is a well-known programming language ideally suited for writing test scripts. Paco demonstrates the basics of automating tests using both tools and then explores some of the more complicated concerns that arise during automation: authentication, session state, and parsing responses. He then illustrates simulated malicious inputs and the resulting outputs that show whether the software has embedded security problems.

Paco Hope, Cigital

Beyond Functional Testing: On to Conformance and Interoperability

Although less well known than security and usability testing, conformance and interoperability testing are just as important. Even though conformance and interoperability testing, which are about standards and thick technical specification documents, may seem dull, Derk-Jan De Grood believes that these testing objectives can be interesting and rewarding if you approach them the right way. SOA is one example in which numerous services must interact correctly with one another, conforming to specs, to implement a system. Conformance and interoperability testing ensures that vendors' scanners can read your badge in the EXPO and that your bank card works in a foreign ATM. Derk-Jan explains important concepts of interface standards and specifications and discusses the varied test environments you need for this type of testing. Get insight into the problems you must overcome when you perform conformance and interoperability testing.

Derk-Jan Grood, Collis

Fuzzing: New Tests for Robustness and Security

Traditional security measures are doomed to fail because they are focused only on defending against known attacks, and studies show that more than 80 percent of software will likely crash when extensive negative testing is employed. Fuzzing is a new, proactive technique for discovering security vulnerabilities and robustness issues in software. Although fuzz testing is most often based on some form of syntax checking, random input testing also can be appropriate. Fuzzing is valuable during development when application testers use the technique to surface issues and in production when security testers use it for audits. Any type of system can be fuzz tested, from enterprise solutions to consumer products such as mobile phones and set-top TV cable boxes. Ari Takanen discusses the origins of fuzzing, explains the different technologies used by fuzzers, and identifies current fuzzing tools, their uses, and their limitations.

Ari Takanen, Codenomicon Ltd.

Better Software Conference & EXPO 2008: Automating Security Testing with cUrl and Perl

Although all teams want to test their applications for security, our plates are already full with functional tests. What if we could automate those security tests? Fortunately, most Web-based and desktop applications submit readily to automated testing. Paco Hope explores two flexible, powerful, and totally free tools that can help to automate security tests. cUrl is a free program that issues automatic basic Web requests; Perl is a well-known programming language ideally suited for writing test scripts. Paco demonstrates the basics of automating tests using both tools and then explores some of the more complicated concerns that arise during automation: authentication, session state, and parsing responses. He then illustrates simulated malicious inputs and the resulting outputs that show whether the software has embedded security problems.

Paco Hope, Cigital

Software Security Assessment: The Naked Truth

With software running our most critical business processes, we need to think about both its utility and the risk it can add to those processes. Hugh Thompson describes some of the best current techniques to efficiently assess software security risk. Hugh identifies the biggest risks to your software systems, presents the major categories of security vulnerabilities with their business consequences, and explains how you can begin an effective software risk assessment process. Specifically, Hugh discusses the 17 critical questions to ask vendors, software component suppliers, and software-as-a-service (SaaS) providers about their product before you commit to using it. He describes how to benchmark your own software security practices and identifies the top application security flaws that put your business at risk, along with their symptoms. You'll also learn to make more security-savvy software acquisition, development, and outsourcing decisions.

Herbert Thompson, Peoples Security

Finding Backdoor Threats with Static Analysis

According to research from Gartner, 75% of all new security attacks are against applications and 90% of all vulnerabilities reside within software. However, enterprise IT security continues to be concentrated on the network to protect the perimeter from external attack rather than detecting vulnerabilities on the inside. In some of the world's largest businesses, there's evidence that malicious users may be deliberately leaving "backdoor" vulnerabilities to be exploited later when applications are put into full production. Methods are available to detect backdoors in your software, with static analysis as the most effective technique available. Chris Wysopal explains the technology and benefits of binary and source code static analysis and presents various techniques for inspecting software for backdoors along with the pros and cons of each method.

Chris Wysopal, Veracode