Today’s software applications are often security-critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications and use testing to mitigate them. Understand how to security test applications—both web- and GUI-based—during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.
1. TE AM Tutorial, 4/30/13, 8:30 AM
Security Testing for Testing Professionals
Presented by: Jeff Payne, Coveros, Inc.
Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073; 888-268-8770; 904-278-0524; firstname.lastname@example.org; www.sqe.com

2. Jeff Payne
Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyberterrorism, and software quality.

3. About Coveros
(Handout header: 9/5/2012, Security Testing for Test Professionals. Copyright 2011 Coveros, Inc. All rights reserved.)
Coveros helps organizations accelerate the delivery of secure, reliable software.
Our consulting services: Agile software development; Application security; Software quality assurance; Software process improvement.
Corporate Partners
Our key markets: Financial services; Healthcare; Defense; Critical Infrastructure.

4. Agenda
Introduction to Security Testing; Security Testing Framework; Appropriate Security Testing Tools; Wrap up.

Trainer: Jeffery Payne
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.

5. Expectations
What are your expectations for this tutorial? What do you wish to learn? What questions do you want answered?

Introduction to Security Testing

6. What is Information Security?
When you hear the terms Information Security and Security Testing: What do you think they mean? What comes to mind?

What is Information Security? Definition of Information Security
Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The key concepts of Information Security include: Confidentiality; Integrity; Availability; Authenticity; Non-Repudiation.

7. The Software Security Problem
Our IT systems are not castles any longer!

Understanding Risk: How to Define Security Risk in Software
Common Security Nomenclature
Risk: a possible future event which, if it occurs, will lead to an undesirable outcome.
Threat: a potential cause of an undesirable outcome.
Vulnerability: any weakness, administrative process, or act of physical exposure that makes an information asset susceptible to exploit by a threat.
Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior on computer software, hardware, or something electronic.

8. Security Testing: What? How?
Security Testing is testing used to determine whether an information system protects its data from its threats.
Security Testing is not a silver bullet for your enterprise security. Security Testing doesn't fix your security; it only makes you aware of its state. Security must be built into your software.
A sound Security Testing process performs testing activities: Before development begins; During requirements definition and software design; During implementation; During deployment; During maintenance and operations.

Security Testing Framework

9. Security testing before development begins: Overview
Testing before development begins is really a QA function to assess the readiness of the organization to build secure software applications. Always remember that security testing evaluates the security posture of your applications; it does not build security in. Irrespective of your findings, do not become the quality police.

Security testing before development begins: Review Security Policies and Standards
Understand the policies and standards that have been adopted by the organization and their relationship to software security. Examples: Privacy policies regarding your customer data; Service level agreements with clients; IT security standards you must adhere to; PCI compliance activities for credit card transactions.
Your goal is to understand these policies and standards to the level that will allow you to validate security requirements and effectively test the end product against them.

10. Security testing before development begins: Review Secure Software Development Lifecycle
If the security of your software is an enterprise concern, the development team should be adhering to a defined secure software development lifecycle model. Such a model defines development activities that build security in, and defines the security testing activities performed by the appropriate parties (development, testing, security org, operations, etc.).
Common secure software development models: Microsoft's Security Development Lifecycle (SDL); Coveros SecureAgile process; there are others as well.
Secure software standards: Secure coding standard.

Security testing during definition and design: Overview
Testing activities during requirements definition and software design focus on assuring that security has been effectively integrated into software requirements and the overall architecture and design of the product. Typical activities include: Security requirements development/validation; Architecture and design reviews; Threat modeling; Test strategy and planning.

11. Security testing during definition and design: What is a Security Requirement?
Security requirements describe functional and nonfunctional requirements that need to be satisfied in order to achieve the security attributes of an IT system or application.
What does that mean? Security requirements are formulated at different levels of abstraction and specify both how the system should act and what should not happen. The major difference you may notice is the use of negative requirements: we stop thinking only about what the application should do and start thinking about how we could get it to do something it was never intended to.

Functional Requirements: Your Standard Definition
Functional requirements are statements of the services the system should provide, how the system should react to particular inputs, and how the system should behave in particular situations. In some cases, the functional requirements may also explicitly state what the system should not do.
Where does the security fit in? Each functional security requirement draws on use cases and misuse cases. These requirements reflect potential threats to the system.

12. Exercise: Functional Security Requirements
Break into teams of 2-3 people. Each team will identify potential misuse cases for the following security requirement, if any exist. If a misuse case is identified, write a replacement or additional functional requirement(s). It would be best to make sure no misuse cases can be derived from your new requirement(s).
Exercise Time Limit: 15 Minutes

Exercise: Functional Security Requirement. SecureChat Authentication Requirements
When a user attempts to authenticate with a valid username and an invalid password, the application shall not authenticate the user and shall return them to the authentication page. The system must alert the user that their attempt to authenticate has failed due to an incorrect password (Invalid Password), using the standard error text formatting.
When a user attempts to authenticate with an invalid username, the application shall not authenticate the user and shall return them to the authentication page. The system must alert the user that their attempt to authenticate has failed due to an incorrect username (Invalid Username), using the standard error text formatting.
When a user attempts to authenticate using a username and a valid password, the application shall authenticate the user and redirect them to the homepage.

13. Exercise: Functional Security Requirements Discussion
How could an attacker attempt to thwart the sys
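The SecureChat requirements above, worked as code. This is an added illustration, not part of the tutorial materials: one login check follows the requirement literally (a separate message for an unknown username and for a wrong password), the other reports a single failure message and hashes the supplied password whether or not the account exists. The third function is the misuse case a tester should derive from the wording: with a wordlist of candidate usernames and one throw-away password, the distinct error text alone reveals which accounts exist. The user store, salt, password and usernames are constructed for the example; the `/login` and `/home` paths stand in for the authentication page and homepage.

```python
"""Two login checks for the SecureChat requirement (added example; the user
store, salt and credentials below are constructed, not real data)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Iterable, List

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash). Only "alice" exists.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}

# Dummy record so the unknown-username path does the same hashing work as the
# known-username path (keeps the two failure paths alike in timing as well as text).
_DUMMY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
_DUMMY = (_DUMMY_SALT, hash_password("placeholder, never a valid login", _DUMMY_SALT))


@dataclass
class LoginResult:
    authenticated: bool
    redirect: str  # "/home" on success, "/login" (the authentication page) on failure
    message: str   # error text shown to the user


def login_as_specified(username: str, password: str) -> LoginResult:
    """Literal reading of the exercise requirement: a different message for an
    unknown username than for a wrong password."""
    record = USERS.get(username)
    if record is None:
        return LoginResult(False, "/login", "Invalid Username")
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return LoginResult(False, "/login", "Invalid Password")
    return LoginResult(True, "/home", "")


def login_hardened(username: str, password: str) -> LoginResult:
    """Same functional outcome, but every failure gets one generic message and
    the password is hashed whether or not the username exists."""
    salt, stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    # The explicit membership check keeps the dummy record from ever logging in.
    if username not in USERS or not matched:
        return LoginResult(False, "/login", "Invalid username or password")
    return LoginResult(True, "/home", "")


def enumerate_users(login: Callable[[str, str], LoginResult],
                    candidates: Iterable[str]) -> List[str]:
    """Misuse case: with a wordlist of usernames and one throw-away password,
    the error text alone tells the attacker which accounts exist."""
    probe = "definitely-not-the-password"
    return [u for u in candidates if login(u, probe).message == "Invalid Password"]


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob"]
    print("as specified:", enumerate_users(login_as_specified, wordlist))  # ['alice']
    print("hardened:    ", enumerate_users(login_hardened, wordlist))      # []
```

A replacement requirement that closes the misuse case would state the negative case directly, for instance that on any authentication failure the system shall display the same message regardless of which credential was wrong; the test for it is the `enumerate_users` probe returning an empty list.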