Security

Conference Presentations

Beyond Functional Testing: On to Conformance and Interoperability

Although less well known than security and usability testing, conformance and interoperability testing are just as important. Even though conformance and interoperability testing, which revolves around standards and thick technical specification documents, may seem dull, Derk-Jan De Grood believes that these testing objectives can be interesting and rewarding if you approach them the right way. SOA is one example in which numerous services must interact correctly with one another, conforming to their specifications, to implement a system. Conformance and interoperability testing ensure that vendors' scanners can read your badge in the EXPO and that your bank card works in a foreign ATM. Derk-Jan explains important concepts of interface standards and specifications and discusses the varied test environments you need for this type of testing. Get insight into the problems you must overcome when you perform conformance and interoperability testing.

Derk-Jan Grood, Collis

Fuzzing: New Tests for Robustness and Security

Traditional security measures are doomed to fail because they focus only on defending against known attacks, and studies show that more than 80 percent of software will likely crash when extensive negative testing is employed. Fuzzing is a new, proactive technique for discovering security vulnerabilities and robustness issues in software. Although fuzz testing is most often based on some form of syntax checking, random input testing can also be appropriate. Fuzzing is valuable during development, when application testers use the technique to surface issues, and in production, when security testers use it for audits. Any type of system can be fuzz tested, from enterprise solutions to consumer products such as mobile phones and set-top TV cable boxes. Ari Takanen discusses the origins of fuzzing, explains the different technologies used by fuzzers, and identifies current fuzzing tools along with their uses and limitations.

Ari Takanen, Codenomicon Ltd.

Better Software Conference & EXPO 2008: Automating Security Testing with cUrl and Perl

Although all teams want to test their applications for security, our plates are already full with functional tests. What if we could automate those security tests? Fortunately, most Web-based and desktop applications submit readily to automated testing. Paco Hope explores two flexible, powerful, and totally free tools that can help automate security tests: cUrl is a free program that issues basic Web requests automatically, and Perl is a well-known programming language ideally suited to writing test scripts. Paco demonstrates the basics of automating tests using both tools and then explores some of the more complicated concerns that arise during automation: authentication, session state, and parsing responses. He then illustrates simulated malicious inputs and the resulting outputs that show whether the software has embedded security problems.

Paco Hope, Cigital

Software Security Assessment: The Naked Truth

With software running our most critical business processes, we need to think about both its utility and the risk it can add to those processes. Hugh Thompson describes some of the best current techniques to efficiently assess software security risk. Hugh identifies the biggest risks to your software systems, presents the major categories of security vulnerabilities with their business consequences, and explains how you can begin an effective software risk assessment process. Specifically, Hugh discusses the 17 critical questions to ask vendors, software component suppliers, and software-as-a-service (SaaS) providers about their product before you commit to using it. He describes how to benchmark your own software security practices and identifies the top application security flaws that put your business at risk, along with their symptoms. You'll also learn to make more security-savvy software acquisition, development, and outsourcing decisions.

Herbert Thompson, Peoples Security

Finding Backdoor Threats with Static Analysis

According to research from Gartner, 75% of all new security attacks are against applications and 90% of all vulnerabilities reside within software. However, enterprise IT security continues to be concentrated on the network, protecting the perimeter from external attack rather than detecting vulnerabilities on the inside. In some of the world's largest businesses, there is evidence that malicious users may be deliberately leaving "backdoor" vulnerabilities to be exploited later, once applications are put into full production. Methods are available to detect backdoors in your software, and static analysis is the most effective of them. Chris Wysopal explains the technology and benefits of binary and source code static analysis and presents various techniques for inspecting software for backdoors, along with the pros and cons of each method.

Chris Wysopal, Veracode

Client-Side Attacks: The New Vulnerability

Historically, we have focused on server-side security vulnerabilities rather than their client-side counterparts. As cybercrime continues to evolve, the sophistication of client-side attacks is increasing and the severity of these vulnerabilities is growing. Phishing and efforts to create botnet armies have exploded in recent years because of their profit potential. Client-side issues such as vulnerabilities in Web browsers and file corruption have become the facilitators that make these attacks possible. Matt Fisher demonstrates examples in which client-side vulnerabilities have been leveraged for criminal gain. Matt walks through typical attack scenarios to help you better understand how these attacks succeed and how you can combat them. He'll also peer into his crystal ball in an attempt to anticipate how such attacks will evolve in the future.

  • Vulnerabilities in Web browsers and how to combat them
Matt Fisher, Hewlett-Packard

Hackernomics

Hackers think differently, have strange goals, and will relentlessly "test" your software for security bugs. Hugh Thompson exposes how attackers view software to find security weaknesses and explains the economics of software risk for organizations. He vividly illustrates the laws of hackernomics with real vulnerabilities and helps you think like an attacker. Hugh takes you through crafting input the way an attacker would. He describes the features that attackers find most attractive and why. Learn from Hugh how to prioritize a security bug and how to explore the security implications of a functional bug. Gain a better understanding of where the biggest risks in your software might be hiding and be better armed to test for those weaknesses. Warning: there will be live exploits. Software will be harmed during this presentation!

Herbert Thompson, Peoples Security

Is Web 2.0 a Hacker's Dream?

Web 2.0 promises to make Web applications far more usable and enjoyable than we have ever imagined. We have just begun to digest the host of exciting Web 2.0 technologies such as AJAX, SOAP, RSS, and "mashups." However, are we making a big mistake by increasing the complexity of Web applications without taking new security risks into account? Will Web 2.0 usher in the next great Internet expansion or turn it into a landscape where consumers are too frightened to pull out their credit cards? Michael Sutton explains how poor coding practices in Web 2.0 technologies can expose new Web site vulnerabilities that put your company at risk. He presents case studies illustrating real-world examples of Web 2.0 exploitation. Most importantly, Michael describes secure coding practices for the Web 2.0 world that will help you avoid turning these next-generation Web technologies into a hacker's dream.

Michael Sutton, SPI Dynamics

Stop Spyware through Improved Software Security Practices

As organizations spend more time and money to protect their systems from security breaches, the threat landscape is shifting from widespread attacks to specifically targeted, malicious spyware invasions. Gerhard Eschelbeck presents current research on spyware and how it is different from, and potentially more deadly than, traditional computer viruses. Gerhard offers insights into the changing attack trends, from automated worms to targeting users directly via email and the browser. Gerhard discusses how spyware writers take advantage of security flaws in software applications to make systems highly vulnerable targets. He reveals surprising infection data from recent spyware audits and highlights infection rates of systems from different types of spyware: monitors, trojans, adware, and cookies. Learn more about these threats, their propagation strategies, and their infection vectors.

Gerhard Eschelbeck, Webroot

Automated Software Audits for Assessing Product Readiness

Rather than continually adding more testing, whether manual or automated, how can you assess the readiness of a software product or application for release? By extracting and analyzing the wealth of information available from existing data sources (software metrics, measures of code volatility, and historical data), you can significantly improve release decisions and overall software quality. Susan Kunz shares her experiences using these measures to decide when, and when not, to release software. Susan describes how to derive quality index measures for risk, maintainability, and architectural integrity through automated static and dynamic code analyses. Find out how to direct limited testing resources to error-prone code and to the code that really matters in a system under test. Take back new tools to make your test efforts more efficient.

  • How to apply adaptive analysis to evaluate software quality
Susan Kunz, Solidware Technologies, Inc.

StickyMinds is a TechWell community.