Software Security Primer
Automated Security Testing
A case study of Agile SDLC integration
Software Confidence. Achieved.
Frank Hurley
Aravind Venkataraman
Sagar Dongre
www.cigital.com
Dec10
Outline
QA testing vs. Security testing
Cigital services
Software Security program
Security testing
Security testing framework
Copyright 2009 Cigital, Inc. Proprietary and Confidential.
v1.2 Oct09
QA testing vs. Security testing
QA testing
Checks that app does what it’s supposed to do
Meets stated business requirements(!)
Test cases derived from requirements
Positive/negative test cases
Test coverage (RTM)
Ensure app doesn’t break/crash/etc
Many unstated requirements
Exploratory testing
Normal, expected use
Corner cases, but within what a user might do
QA testing vs. Security testing
Security testing
Checks that app does not do what it’s not supposed to
Requirement is implied, not stated in the business requirements
Malicious/erroneous user input
URL tampering
Bypassing client-side JavaScript validation
Ensure app doesn’t break/crash/etc
Crash = potential exploit
Misuse/Abuse cases
Actions system should prevent
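The contrast the two slides draw (QA tests derived from the stated requirement versus security tests for the implied "must not" requirement) in working code. This is an added example, not code from the deck or from Cigital; the endpoint, the field names, the user records and the handler itself are constructed for illustration. The same handler is exercised by positive/negative QA cases and then by abuse cases for URL tampering, bypassing the browser's JavaScript check, and malformed input that must not crash the server.

```python
"""Added example (not from the Cigital deck): one small request handler and
the two kinds of test cases the slides contrast.  Endpoint, field names and
user records are constructed for illustration."""
import re

# Constructed user store: id -> record (assumption for the example).
USERS = {
    "1001": {"name": "alice", "email": "alice@example.com", "role": "user"},
    "1002": {"name": "bob", "email": "bob@example.com", "role": "user"},
}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def update_email(session_user, path, form):
    """Handle 'POST /users/<id>/email'; returns (status, body).

    The browser form validates the e-mail with JavaScript, but the server
    must not rely on that: an attacker can post the fields directly, so
    every check is repeated here.
    """
    m = re.fullmatch(r"/users/(\d{1,10})/email", path)
    if m is None:
        return 404, "not found"            # also rejects '../', '%00', etc.
    user_id = m.group(1)
    if user_id not in USERS:
        return 404, "not found"
    # Authorization: the id in the URL must be the caller's own id.
    # URL tampering (changing 1001 -> 1002) must not let alice edit bob.
    if session_user != user_id:
        return 403, "forbidden"
    email = form.get("email")
    # Re-validate on the server; bypassing the JavaScript check must fail.
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.match(email):
        return 400, "invalid email"
    USERS[user_id]["email"] = email
    return 200, "updated"


# --- QA test cases: derived from the stated requirement -------------------
def qa_positive():
    return update_email("1001", "/users/1001/email", {"email": "a@example.org"})[0] == 200


def qa_negative():
    return update_email("1001", "/users/1001/email", {"email": "not-an-email"})[0] == 400


# --- Security test cases: the implied requirement ("must not") -------------
def sec_url_tampering():
    """alice changes the id in the URL to bob's; bob's record must not change."""
    status, _ = update_email("1001", "/users/1002/email", {"email": "evil@example.org"})
    return status == 403 and USERS["1002"]["email"] == "bob@example.com"


def sec_bypass_javascript():
    """Post a payload the browser-side check would have blocked."""
    payload = "<script>alert(1)</script>@example.org"
    status, _ = update_email("1001", "/users/1001/email", {"email": payload})
    return status == 400 and USERS["1001"]["email"] != payload


def sec_malformed_input_no_crash():
    """Malicious/erroneous input must produce 4xx, never an unhandled exception."""
    cases = [("/users/../1002/email", {"email": "x@example.org"}),
             ("/users/1001/email", {}),
             ("/users/1001/email", {"email": None}),
             ("/users/1001/email", {"email": "a" * 10000 + "@example.org"})]
    for path, form in cases:
        try:
            status, _ = update_email("1001", path, form)
        except Exception:          # a crash here is a potential exploit
            return False
        if not 400 <= status < 500:
            return False
    return True


if __name__ == "__main__":
    for t in (qa_positive, qa_negative, sec_url_tampering,
              sec_bypass_javascript, sec_malformed_input_no_crash):
        print(f"{t.__name__:30s} {'PASS' if t() else 'FAIL'}")
```

Note that every security case is a request the business requirements never mention; the test asserts on what must not happen (another user's record changing, a script payload being stored, an exception escaping) rather than on a feature working.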
Software Assurance services
Software Security
Secure design
Secure coding
Security testing
Continuous integration
Software Quality
Agile testing
Test automation
Continuous integration
Test process improvement
Software Assurance services at a client
Security scanning platform
Security code review
Security testing
Continuous integration
Quality assurance
Agile testing
Test automation
Continuous integration
Building Security into SDLC
Software Security program
Static analysis | Dynamic analysis
Static analysis
Code review
Bug patterns in code
Coding defects
Quality/Reliability defects
Automation: “HP Fortify”
Think “CheckStyle, PMD”
“Ant, Maven” integration
Dynamic analysis
Penetration testing
Security test injection
Configuration defects
Exploit proof-of-concepts
Automation: “IBM AppScan”
Think “QTP, WinRunner”
“QualityCenter” integration
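What "bug patterns in code" and build-integrated automation look like in practice. This is an added example, not code from the deck and not a Fortify, PMD or CheckStyle rule: a minimal syntactic scanner built on Python's `ast` module with a handful of constructed rules (code injection via `eval`/`exec`, shell command injection, unsafe `pickle` deserialization, hard-coded credentials) and a gate function that returns the non-zero exit status a CI step would use to fail the build. The rule names, the secret-name heuristic and the sample source are all assumptions made for the illustration; a commercial engine tracks data flow from sources to sinks rather than matching syntax alone.

```python
"""Added example (not from the Cigital deck): a minimal bug-pattern scanner
in the style of the static-analysis automation the slide alludes to.
Rules, rule ids and the sample source below are constructed."""
import ast

DANGEROUS_CALLS = {"eval", "exec"}
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


def _call_name(node):
    """Return 'eval', 'os.system', 'subprocess.call', ... for a Call node."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


class BugPatternVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []   # (line, rule_id, message)

    def visit_Call(self, node):
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, "CODE_INJECTION",
                                  f"{name}() executes its argument as code"))
        elif name == "os.system":
            self.findings.append((node.lineno, "COMMAND_INJECTION",
                                  "os.system() runs a shell"))
        elif name and name.startswith("subprocess."):
            # Only the shell=True form is flagged; the list form is not.
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append((node.lineno, "COMMAND_INJECTION",
                                          f"{name}(shell=True) runs a shell"))
        elif name in ("pickle.loads", "pickle.load"):
            self.findings.append((node.lineno, "UNSAFE_DESERIALIZATION",
                                  f"{name}() executes code from the input"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Hard-coded credential heuristic: NAME_CONTAINING_SECRET = "literal"
        v = node.value
        if isinstance(v, ast.Constant) and isinstance(v.value, str) and v.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        s in target.id.lower() for s in SECRET_NAMES):
                    self.findings.append((node.lineno, "HARDCODED_SECRET",
                                          f"{target.id} assigned a string literal"))
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Parse one module and return its findings sorted by line."""
    visitor = BugPatternVisitor()
    visitor.visit(ast.parse(source, filename=filename))
    return sorted(visitor.findings)


BLOCKING = ("CODE_INJECTION", "COMMAND_INJECTION",
            "UNSAFE_DESERIALIZATION", "HARDCODED_SECRET")


def ci_gate(findings, fail_on=BLOCKING):
    """Build-step exit status: 1 if any finding is in the blocking set."""
    return 1 if any(rule in fail_on for _, rule, _ in findings) else 0


# Constructed sample under test (not real project code).
SAMPLE = '''
import os, subprocess, pickle
DB_PASSWORD = "hunter2"
def run(cmd, data):
    os.system("ls " + cmd)
    subprocess.call(cmd, shell=True)
    subprocess.run(["ls", cmd])          # list form, no shell: not flagged
    obj = pickle.loads(data)
    return eval(cmd)
'''

if __name__ == "__main__":
    findings = scan_source(SAMPLE)
    for line, rule, msg in findings:
        print(f"{line}:{rule}: {msg}")
    raise SystemExit(ci_gate(findings))
```

Wired into an Ant or Maven build the way the slide suggests, the non-zero exit from `ci_gate` is what turns a finding into a failed build rather than a report nobody reads.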
Static analysis | Dynamic analysis
Security scanning framework
Thank you
Software Confidence. Achieved.