Security

Conference Presentations

Risk: The Testers' Favorite Four-Letter Word

Identifying risk is important, but managing risk is vital. Good project managers speak the language of risk, and their understanding of risk guides important decisions. Testers can contribute to an organization's decision-making ability by speaking that same language. Learn from Julie Gardiner how to evaluate risk in both quantitative and qualitative ways. Julie will discuss how to deal with some of the misconceptions managers have about risk-based testing, including:

  • Testing is always risk-based.
  • Risk-based testing is nothing more than prioritizing tests.
  • Risk-based testing is a one-time-only activity.
  • Risk-based testing is a waste of time.
  • Risk-based testing will delay the project.

Julie Gardiner, QST Consultants Ltd.
Project Retrospectives

At the rate Web vulnerabilities are being discovered and exploited, the security industry cannot afford to keep chasing patches and fixes. Cross-site scripting, SQL injection, command injection: attacks like these result from vulnerabilities in inadequately designed or written code, creating opportunities for attackers to threaten privacy and steal data. The only way to truly eliminate these vulnerabilities is to address them at their origin, in the source code itself. The critical sources of threats in an application are coding errors, configuration issues, and design flaws. Using actual security failures, Daniel Hestad describes the dirty baker's dozen of code-based vulnerabilities found in Web software. Learn to locate, understand, and eliminate these vulnerabilities before they present untold risks to your organization.

Lucille Parnes, Software Process Improvement Consultant
Building a Requirements Foundation with Customer Interviews

Whether you are building a brand new product or evolving an existing system, understanding the business needs of your customers is the foundation of a marketable product or valuable internal application. Few of us are experts in interviewing techniques, and few customers talk about their tasks, needs, and context in neat, concise statements about requirements. Hone your elicitation skills and learn what it takes to get beneath the surface and understand your customers: their world, how they work, and what really bothers them. With effective interviewing techniques and skills, you will get inside their heads and better understand their needs within their context.

Esther Derby, Esther Derby Associates Inc
Secure Software is a Management Issue, Too!

Development teams are entering a new era of software development. Security will play a critical role because traditional development practices are failing in the face of poor software quality and constant hacker attacks. As a manager, you are under pressure to write more secure, higher quality software while at the same time reducing operational costs. How can you incorporate the latest in software security development practices and stay within mandated budgets? And how do you justify higher budgets in the face of uncertain security risks? Join Djenana Campara for a manager’s view of software security issues. Become more proactive in the treatment of software security vulnerabilities, and help protect your company's core assets from external security threats.

Djenana Campara, Klocwork Inc
Develop and Deliver Secure Web-based Systems

Gartner Group estimates that three-fourths of today's successful Web attacks do not happen via network security flaws but rather by entering directly through defects in application code. To thwart these attacks, you need to institute security procedures and technologies throughout the development lifecycle. Through a review of recent Web application breaches, Dennis Hurst exposes the methods hackers use to execute break-ins via the Web using security defects in the underlying code. In addition to revealing hacker exploits, Dennis outlines coding practices for developing secure Web applications and describes available automated security code testing tools that can help you protect your systems. After completing this session, you will be well versed in the underlying protocols that allow hackers to exploit Web-based applications and, more importantly, understand how to better protect critical applications throughout development.

Dennis Hurst, SPI Dynamics Inc
Controlling Performance Testing in an Uncontrolled World

Think about it ... You are responsible for performance testing a system containing over 5 billion searchable documents for an active user base of 2.6 million users, and you are expected to deliver notification of sub-second changes in release response and certification of extremely high reliability and availability. Your n-tier architecture consists of numerous mainframes and large-scale UNIX servers as well as Intel processor-based servers. The test environment architecture is distributed across large numbers of servers performing shared functions for a variety of products competing for test time and resources during aggressive release cycles. Because it is impractical and too costly to totally isolate systems at this scale, capacity and performance test engineers produce high quality

Jim Robinson, LexisNexis
TPI Test Process Improvement Model Facts and Figures

Since the publication of the test process improvement (TPI®) model in the 1990s, many organizations have used it to help establish and improve their test processes. By doing so, they have tested the hypothesis that improving test processes results in better insight into system quality and a more repeatable and efficient test process. Over the past five years, Ruud Teunissen and his consultant colleagues have gathered many facts and figures about the results of test process improvement initiatives. Learn the details of what other companies have achieved from test process improvement using the model, including examples of a 50 percent reduction of live incidents caused by inaccurate testing and a 40 percent reduction of long-term testing costs. Build a case for process improvement, discover what the TPI® model can do for you, and find out how to manage expectations should you embrace the model.

Ruud Teunissen, POLTEQ IT Services BV
Making Test Data More Agile

Flexible, reusable, and restorable test data at both the unit and system level is an absolute necessity for testers working on Agile development projects. For teams following a more traditional development process, Agile approaches for handling test data can enhance testing efforts as well. Discussing Agile testing approaches, such as the ObjectMother pattern, Peter Schuh explains how testers design tests and test frameworks to survive the ever-changing data structures found in Agile projects. Learn how an Agile process allows testers to get much more mileage out of test data sets during and after the initial development project. Leave with a set of practices and techniques to apply directly to Agile development projects or to adapt for your current development environment.

  • The many dimensions of application test data
  • Produce and maintain better tests and test data with Agile approaches

Peter Schuh, Peter Schuh
Web Testing Circus: An Expert-Led Search for Security Defects

Step right up! Come see the sights! Join in the fun! The circus is in town and admission is free with your STAREAST badge. Right before your very eyes, our security testing ringmaster Mike Andrews demonstrates for you the wonders of Web security testing. Behold death-defying feats of SQL injection. Stare open-mouthed as he hacks a site using a cross-site scripting attack. Watch him hijack a Web session before your very eyes. Find out how and why Web servers are the most attacked resource on the Internet and what you can do to protect yours. Learn the history of some successful and insidious Web hacks and the freak show of hackers that perpetrate them.

Bring your laptop with wireless access, and join in the attack! We will set up a wireless network and Web site with known vulnerabilities on an intranet in the session room so you can have a go at finding security bugs.

Michael Andrews, Foundstone Professional Services
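
The attacks named in the Daniel Hestad abstract above and in the Web Testing Circus session (SQL injection, cross-site scripting, command injection) share one root cause: untrusted input spliced into a query, a page, or a command line. The following Python example is added here as an illustration and is not code from either presentation. It seeds an in-memory SQLite table with constructed sample users and shows each defect beside its fix, so the injection can be reproduced and the fix verified offline.

```python
import html
import sqlite3
import subprocess

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


# --- SQL injection -----------------------------------------------------------

def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so attacker input is parsed as SQL.

    username = "admin' OR '1'='1' --" turns the WHERE clause into a tautology
    and comments out the password check, so every user matches.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, username, password):
    """Binds the values as parameters; the driver never treats them as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# --- Cross-site scripting ----------------------------------------------------

def render_comment_vulnerable(comment):
    """Reflects user text into HTML unchanged, so a <script> tag executes."""
    return "<p>%s</p>" % comment


def render_comment_hardened(comment):
    """Escapes &, <, >, ' and " so the browser renders the text as text only."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


# --- Command injection -------------------------------------------------------

def greet_vulnerable(name):
    """Runs a shell command line built from user input (shell=True).

    name = "world; echo INJECTED" makes the shell run a second command.
    """
    result = subprocess.run("echo Hello " + name, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def greet_hardened(name):
    """Passes an argument vector with no shell, so metacharacters stay literal."""
    result = subprocess.run(["echo", "Hello", name],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    conn = make_db()
    sqli = "admin' OR '1'='1' --"
    print("SQLi vulnerable:", login_vulnerable(conn, sqli, ""))
    print("SQLi hardened:  ", login_hardened(conn, sqli, ""))
    xss = "<script>alert(document.cookie)</script>"
    print("XSS vulnerable: ", render_comment_vulnerable(xss))
    print("XSS hardened:   ", render_comment_hardened(xss))
    cmd = "world; echo INJECTED"
    print("Cmd vulnerable: ", repr(greet_vulnerable(cmd)))
    print("Cmd hardened:   ", repr(greet_hardened(cmd)))
```

Each vulnerable function is the kind of code a source-level review should flag: data and code share one string. The hardened versions keep them apart (bound parameters, output encoding, an argv list with no shell), which is the fix at the origin the abstracts argue for; patching the payload patterns instead would only block the three inputs shown here.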
The QA/Testing Perspective on Software Security

Most everyone now realizes that we cannot solve security vulnerabilities with firewalls, virus scanners, and other tactics that build an electronic “moat” around systems. According to Julian Harty, security is not an operational issue, not a developer issue, and not a testing issue. It is a systems issue that you must focus on throughout the software’s life. From a QA/testing perspective, we need to look early in the development process for adequate security requirements. Then, we should assess the designs for vulnerabilities and participate in security code reviews. When specialized security tests find bugs that get past our early prevention efforts, causal analysis helps prevent recurring security defects. Dig into system security issues with Julian and learn about manual techniques, commercial software, and home-brew automation tools to help you find security vulnerabilities, before the bad guys do.

Julian Harty, Commercetest Limited


StickyMinds is a TechWell community.
