Software Confidence. Achieved.
Dec10
Automated Security Testing: A case study of Agile SDLC integration
www.cigital.com
Frank Hurley, Aravind Venkataraman, Sagar Dongre
Outline
- QA testing vs. Security testing
- Cigital services
- Software Security program
- Security testing
- Security testing framework
v1.2 Oct09 Copyright 2009 Cigital, Inc. Proprietary and Confidential.
QA testing vs. Security testing
QA testing
- Checks that the app does what it is supposed to do
  - Meets stated business requirements (!)
  - Test cases derived from requirements
  - Positive/negative test cases
  - Test coverage (RTM)
- Ensures the app doesn't break/crash/etc.
  - Many unstated requirements
  - Exploratory testing
- Normal, expected use
  - Corner cases, but within what a user might do
QA testing vs. Security testing
Security testing
- Checks that the app does not do what it is not supposed to do
  - Requirement is implied... not in the business requirements.
  - Malicious or erroneous user input
  - URL tampering
  - Bypassing JavaScript (client-side validation)
- Ensures the app doesn't break/crash/etc.
  - Crash = potential exploit
- Misuse/abuse cases
  - Actions the system should prevent
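As an added example (not from the Cigital deck), here is the QA positive test beside two automated abuse-case tests for a simulated "view order" handler, showing the contrast the slides draw: the handler name, the in-memory order store and the session/parameter shapes are assumptions made for the demo.

```python
"""Added example (not from the Cigital deck): automated abuse-case tests.

Simulates a tiny 'view order' endpoint so the tests run offline. The handler
name, the order store and the session/params shapes are assumptions.
"""
from dataclasses import dataclass

# Constructed sample data: two orders owned by different users.
ORDERS = {"1001": {"owner": "alice", "total": 42},
          "1002": {"owner": "bob", "total": 7}}


@dataclass
class Response:
    status: int
    body: str


def handle_view_order(session_user: str, params: dict) -> Response:
    """Server-side handler. Enforces what the page's JavaScript only suggests:
    the id must be a short numeric string and the order must belong to the
    logged-in user. Malformed input gets a controlled 400, never a crash."""
    raw = params.get("id", "")
    if not raw.isdigit() or len(raw) > 10:     # bypassed JS validation / garbage
        return Response(400, "invalid order id")
    order = ORDERS.get(raw)
    if order is None or order["owner"] != session_user:   # URL tampering
        return Response(403, "forbidden")   # same answer either way: no enumeration hint
    return Response(200, f"order {raw} total {order['total']}")


# --- QA test: positive case, derived from the business requirement ---------
def test_owner_can_view_own_order() -> bool:
    return handle_view_order("alice", {"id": "1001"}).status == 200


# --- Security tests: abuse cases, things the app must NOT do ---------------
def test_tampered_id_is_rejected() -> bool:
    # Alice edits the URL to carry another user's order id.
    return handle_view_order("alice", {"id": "1002"}).status == 403


def test_bypassed_client_validation_does_not_crash() -> bool:
    # Inputs the JavaScript would have blocked; the server must still refuse
    # them with a controlled error (an unhandled crash is a potential exploit).
    bad_inputs = ["", "abc", "1001'", "../1001", "1" * 10_000]
    return all(handle_view_order("alice", {"id": v}).status == 400 for v in bad_inputs)


def run_all() -> dict:
    """Run the QA test and the security tests together, as one CI job would."""
    return {f.__name__: f() for f in (test_owner_can_view_own_order,
                                      test_tampered_id_is_rejected,
                                      test_bypassed_client_validation_does_not_crash)}
```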
Software Assurance services
- Software Security: Secure design, Secure coding, Security testing, Continuous integration
- Software Quality: Agile testing, Test automation, Continuous integration, Test process improvement
Software Assurance services at a client
- Security scanning platform: Security code review, Security testing, Continuous integration
- Quality assurance: Agile testing, Test automation, Continuous integration
Building Security into SDLC
Software Security program
Static analysis | Dynamic analysis
Static analysis
- Code review
- Bug patterns in code
- Coding defects
- Quality/reliability defects
- Automation: "HP Fortify"
- Think "CheckStyle, PMD"
- "Ant, Maven" integration
Dynamic analysis
- Penetration testing
- Security test injection
- Configuration defects
- Exploit proof-of-concepts
- Automation: "IBM AppScan"
- Think "QTP, WinRunner"
- "QualityCenter" integration
Static analysis | Dynamic analysis
Security scanning framework
Thank you