Security

Conference Presentations

Quality Assurance as a Service Organization

"QA is the bottleneck" ... "Why does QA take so long?" ... "You need to test faster." Often, key project stakeholders either do not understand QA or have difficulty quantifying the effects that increasing or decreasing test time will have on the project. First American CREDCO found the solution was to turn QA into a full-service organization, complete with a "Quality Rainbow" menu of options to be purchased. Want it quicker and willing to accept a higher risk? Then select from Column 1. Want low risk and willing to take the time to ensure the product is pristine? Then select from Column 5. Whether your test team is small or large, you can learn to "in-source" QA services, set time and effort expectations up front, and measure the value of QA activities so that QA does not become a roadblock to project success.

  • A method to specify and quantify the services provided by a QA group
Sandi Oswalt, First American Credco

Better Testing with a Hacker's Mentality

Security issues are becoming more and more relevant as testers are called on to find security problems before others exploit them. So, where do you start, and how do you bridge the gap between honest tester and bad-guy hacker? Julian Harty suggests we do so by adopting the mindset and practices of a hacker. In this presentation, gain a unique insight into the ways of hackers and specific technical techniques and tips on how to find security flaws before the hackers do. Progress from a novice to a journeyman security tester as you learn how to use “anti-goals” and your internal knowledge of the software to find and fix security vulnerabilities before the hackers find them and hurt your organization.

  • How a tester can adopt the mindset of a hacker
  • Proven techniques for finding security flaws
  • A safe environment to get started in security testing
Julian Harty, Commercetest Limited

Who is Stealing a Living off Your Web Site?

So, your company makes money from its Web site. Who else might also be doing the same? While the Web is a profitable venture for many companies, it is often equally profitable for hackers and thieves. Due to unknown vulnerabilities in your Web application, hackers may end up with more profit from your Web site than you do. See examples of hacker techniques, including SQL injection, format string attacks, session-based attacks, and a host of others. Find out why the current crop of Web testing tools is not sufficient to thwart hackers and will leave you with a false and dangerous sense of security. Learn the skills and techniques you must know to stay ahead of hackers and find security holes in your Web applications.

  • Hidden Web application security vulnerabilities
  • Testing skills and techniques to find security holes and prevent breaches
  • Tools to help you with security testing Web sites
Florence Mottay, Security Innovation LLC

Gotcha!...Security Testing for Mission Critical Applications

A local television station provides a Web service that allows schools and businesses in the area to easily enter information on closures due to bad weather. The information is then displayed as a crawl along the bottom of the television screen. Some kids hack into the site and declare their school closed for the day, and it's immediately shown on everyone's television! It's a cute story. Now let's imagine that these same kids hack the prices on your eCommerce site or obtain access to sensitive customer records on your company Web site. This time the story is not so laughable. Mike Andrews shares his favorite top ten holes in Web site security, including "SQL injection" and "cross-site scripting," shows examples of each, and discusses the effects these security breaches can have on your site. Fortunately, the number of attacks is rather small, and they are easy to repair if you know where to look.

Michael Andrews, Florida Institute of Technology

A Strategic Approach - "Beta the Business"

Beta testing is an industry standard practice to obtain user feedback prior to general availability of software. Have you ever considered that the Beta release can be used to validate the software's value to customers and application users? Extending the Beta concept will result in higher customer satisfaction (and higher revenue for commercial products). Also, you can employ Beta testing to evaluate not only the software product, but the distribution (and sales) process, training, customer support, and usage within your customers' environments. Far beyond just finding defects in the product, you can focus Beta testing on how well the software is meeting your customers' needs. What does that mean to the Development team and the organization as a whole? What are the risks and challenges that we face? What are the rewards?

Pete Conway, EMC Corporation

Preventing Security Breaches at the Source

Security is a complex and often overwhelming issue. You cannot rely solely on trying to prevent hackers from entering your systems. Instead, you must ensure that the system safeguards itself if a hacker does break in. Three of the most common internal software weaknesses hackers exploit are dangerously constructed SQL, buffer overflows, and runtime exceptions that are not properly handled. Although testing existing code for these defects can help, it is not foolproof. You also need to make a concerted effort to prevent security vulnerabilities from being introduced as the team is writing code. Through the application of practices such as static analysis, dynamic analysis, unit testing, and runtime error detection, you can jumpstart your security efforts and keep the hackers at bay.

  • The most common internal software weaknesses that hackers exploit
Sergei Sokolov, ParaSoft Corporation

Go on Offense: Prevent Web Application Security Breaches

You must successfully test your browser-based applications before hackers do the job for you! Whether you have to worry about critical business applications or government compliance issues like HIPAA (Health Insurance Portability and Accountability Act of 1996) or GLBA (Financial Services Modernization Act of 1999), security failures can cost your organization big dollars, unnecessary embarrassment, or both. Hackers have gone beyond simple exploits of open IP ports and standard applications such as Telnet, FTP, and Sendmail, turning their attention to commercial and custom Web applications. To thwart the hackers, test engineers must focus their efforts on common and uncommon security vulnerabilities within the application, including SQL injection, session hijacking, cross-site scripting, and more.

Dennis Hurst, SPI Dynamics Inc

Questions to Ask a Software Vendor about Security (and Verify) before Purchase

How do you choose which software vendor's product to buy? For a long time, CRM packages, ERP systems, and other commercial software selection criteria have come down to factors such as performance, compatibility, reputation of the vendor, support, and price. Security, though, has become a looming factor in the total cost of ownership and the risk of selecting one software product over another. Ed Adams describes the tough questions you need to ask vendors about security and how to extract critical information from them. Find out the steps to verify that their statements are accurate and their answers complete. With an approach for quantifying security risk before purchase, your organization will make more informed acquisition decisions.

  • A security assessment approach for purchased software packages
  • Quantifying security risk in software packages before purchase
Ed Adams, Security Innovation LLC

End to End Security: Building Products Right

How do you build a product that is secure? Why are some products inherently more secure than others? Join Richard Ford as he shares his experiences, both building products and teaching other developers how to think about security. All too often, computer security is the last thing considered when building a new product; that is, security is relegated to a "bolt on" ... something to be added to the product before it can be shipped. You will see demonstrations of security flaws that illustrate why security should be considered at every stage in the product process, from initial idea to golden master… and beyond. Learn to think about security holistically and take away a checklist of issues to consider at every step in the product lifecycle. Finally, gain insight into ways of building a development culture that is security aware and maintaining an efficient but secure corporate culture.

Richard Ford, Florida Institute of Technology

Preventing Web Service Security Breaches

Because Web services are especially vulnerable to security breaches, verifying the integrity of Web services is critical to successful deployment. By adopting specific white-box testing techniques at the unit and system level, testers can better ensure the security and dependability of the Web services application their company produces. Learn what you can do to test Web services for conditions and input data that are not expected and fix security problems before they harm your organization.

  • Find security problems with specific white-box test techniques
  • Ensure proper functionality, interoperability, and security of Web services
  • Web services testing issues for developers and QA testers
Gary Brunell, ParaSoft Corporation

StickyMinds is a TechWell community.