Security

Conference Presentations

Integrating Security into the Development Lifecycle

Software security is neither a development problem nor an IT operations problem. Rather, it is a paramount business problem requiring a multidisciplinary approach that minimizes organizational risk when delivering software products. By making a program-level commitment to security, IT organizations will be in the best position to defend their businesses from growing threats. Ryan English explores business management and the process components of defining, designing, instituting, and verifying secure development practices. He describes a broad set of principles that leading companies are adopting to improve the security of their software and outlines an application security program your company can implement. This approach requires a commitment to application security at all levels of management and offers the promise of a mature level of security without undue effect on the overall development process and delivery schedules.

Ryan English, SPI Dynamics Inc

Operational Security in Software Development

Research conducted by CERT, the computer security incident response team based at the Software Engineering Institute (SEI), indicates that writing quality code is not enough to ensure system security. Operating platforms, supported user devices, interface designs, linkages with legacy systems, source code management, data exchange protocols, and controls for authentication data among system modules all affect operational security. Incomplete security requirements and poorly planned implementations further contribute to security risk. Drawing on both the research and a follow-up case study, Carol Woody describes the things you can do in your development and test organizations to improve operational security. She introduces an analysis technique for evaluating operational risks within the development process and offers guidelines for clearly defining testable security requirements.

Carol Woody, Software Engineering Institute

Model-Based Security Testing

Preventing the release of exploitable software defects is critical for all applications. Traditional software testing approaches are insufficient, and generic tools are incapable of properly targeting your code. We need to detect these defects before going live, and we need a methodology for detection that is cost-efficient and practical. A model-based testing strategy can be applied directly to the security testing problem. Starting with very simple models, you can generate millions of relevant tests that can be executed in a matter of hours. Learn how to build and refine models to focus quickly on the defects that matter. Kyle Larsen shows you how to create a test oracle that can detect application-specific security defects: buffer overflows, uninitialized memory references, denial of service attacks, assertion failures, and memory leaks.

Kyle Larsen, Microsoft Corporation

Security Testing: Are You a Deer in the Headlights?

With frequent reports in the news of successful hacker attacks on Web sites, application security is no longer an afterthought. More than ever, organizations realize that security has to be a priority while applications are being developed, not after. Developers and QA professionals are learning that Web application security vulnerabilities must be treated like any other software defect. Organizations can save time and money by identifying and correcting these security defects early in the development process. Ryan English helps you overcome the "deer in the headlights" look when you are asked to begin testing applications for security issues. See real-world examples of company Web sites that have been hacked because of vulnerable applications and see how the attacks could have been avoided.

  • Security defect categories and responsibility areas

Ryan English, SPI Dynamics Inc

The Software Vulnerability Guide: Uncut and Uncensored

Warning: This talk contains graphic examples of software failure . . . not suitable for the faint of heart. This "no holds barred" session arms testers with what they really need to know about finding serious security vulnerabilities. Herbert Thompson takes you on an illustrated tour of the top twelve security vulnerabilities in software and shows you how to find these flaws efficiently. Each vulnerability is brought to life through a live exploit followed by a look at the testing technique that would have exposed the bug. Testers and test managers will leave with a keen awareness of the major vulnerability types and the knowledge and insight to fundamentally improve the security of the applications they support and test.

Herbert Thompson, Security Innovation LLC

Testing Web Services Security

Many organizations are beginning to deploy Web services as the preferred way to interact electronically with employees, customers, and trading partners. To ensure that these Web services implementations are secure, vulnerability assessment and rigorous testing must be built into the Web services development process. Jack Quinnell describes the current "best practices" in developing and testing the security of an enterprise's Web services applications. He explains what makes Web services vulnerable to attacks and the characteristics of both design-centric and attack-centric vulnerabilities. Learn how to identify and test these vulnerabilities during development and in operational settings. Find out about the latest technology to support testing Web services security. Go away with a new appreciation for the security risks inherent in Web services and what you can do about them.

Jack Quinnell, Kenai Systems

STARWEST 2004: Testing Dialogues - Management Issues

Facilitated by Esther Derby and Elisabeth Hendrickson

Testing Windows Registry Entries

Warning: Registry keys may be hazardous to your program's health! Registry key entries in Windows applications, visible or hidden, are often neglected by testers. A registry key entry is a program feature just like any other application function and as such needs to be validated. Michael Stahl describes why registry keys should be accorded special attention during testing and proposes a strategy for mitigating the risks posed by incorrect registry key entries. He suggests a test strategy, as well as coding standards for input value and type validation, default values, regeneration, and naming rules. Michael demonstrates the use of correct and incorrect registry keys in common commercial applications.

Michael Stahl, Intel Corporation

Security Nirvana - Combining Source Code Scanning and Penetration Testing

Penetrate and Patch. That's the unspoken model that many software development teams have been following for the past several years: build it, and when a security problem is found, scurry around to patch it. We now know that the cost of building software this way is orders of magnitude higher than that of ingraining security throughout the development lifecycle. Ady Kakrania walks through the process of building security into your development process from the design phase onward and continuing good software security practices post-deployment. Learn about synergistically using tools like source code scanners to find dangerous functions and structures, along with post-deployment penetration testing, to dramatically reduce costs and shore up your application's security.

Ady Kakrania, Security Innovation LLC

Open Source Test Automation Frameworks

Open source software has come a long way in the past few years. However, for automated testing there still are not many ready-made solutions. Testers often must spend their time working on test cases rather than working on a test automation framework. Allen Hutchison describes the elements of an automated test framework and demonstrates a framework that you can quickly assemble from several open source software tools. He then explains how to put the pieces together with a scripting language such as Perl. Once you build the framework, you can improve and reuse it in future test projects. At the end of the presentation, Google will release the described framework as a new open source project that you can begin using immediately.

Allen Hutchison, Google

StickyMinds is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.