Today’s software applications are often security critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications, and use testing to mitigate them. Understand how to security test applications—both web- and GUI-based—during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.
TM Half-day Tutorials
5/6/2014 1:00:00 PM
Security Testing for Testing Professionals
Presented by:
Jeff Payne
Coveros, Inc.
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 904-278-0524 [email protected] www.sqe.com
Jeff Payne Coveros, Inc.
Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyber terrorism, and software quality.
1 Copyright 2013 Coveros Corporation. All rights reserved.
Security Testing for Testing Professionals
Trainer
Jeffery Payne [email protected]
Twitter: @jefferyepayne
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.
About Coveros
Coveros helps organizations accelerate the delivery of secure, reliable software.
Areas of Expertise
Our consulting services:
  Agile software development
  Application security
  Software quality assurance
  Software process improvement
Our key markets:
  Financial services
  Healthcare
  Defense
  Critical Infrastructure
Agenda
Introduction to Security Testing
  Information security
  Software security
  Risk assessment
  Security testing
Security Requirements & Planning
  Functional security requirements
  Non-functional security requirements
  Test planning
Testing for Common Attacks
Integrating Security Testing into the Software Process
Introduction to Security Testing
What is Information Security?
When you hear the term Information Security, what do you think it means? What comes to mind?
What is Information Security?
Definition of Information Security
Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The key concepts of Information Security include:
  Confidentiality
  Integrity
  Availability
  Authenticity
  Non-Repudiation
The Software Security Problem
Our IT systems are not castles any longer!
Why Software Security is Important
RISK IS EVERYWHERE!
Understanding Risk
Common Security Nomenclature
Risk: a possible future event which, if it occurs, will lead to an undesirable outcome.
Threat: a potential cause of an undesirable outcome.
Asset: data, an application, a network, a physical location, etc. that a threat may wish to access, steal, destroy, or deny others access to.
Vulnerability: any weakness, administrative process, or act of physical exposure that makes an information asset susceptible to exploit by a threat.
Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior on computer software, hardware, or something electronic.
Attack: the approach taken by a threat to exploit a vulnerability. Examples: denial of service, spoofing, tampering, escalation of privilege.
Understanding Risk
Risk Assessment
A risk assessment is commonly carried out by a team of people who have subject-area knowledge of the business/product and of information security.
Possible connections between identified threats and system assets are examined, and the risk of exposure is determined from:
  Impact: the consequence of an asset being exposed
  Likelihood: the likelihood that a threat can compromise an asset
Residual risks are those that have been deemed acceptable and are not mitigated.
Risk assessment is a process, not a one-time activity.
Understanding Risk
Examples of Risks
Business Risk: Loss of Customer Trust
A professional hacker is able to access bank account information for all banking customers due to poor authentication mechanisms in the online banking application.
  Business impact ($): high impact, as an estimated 20% of reserves will be withdrawn from the bank by customers if the hack is revealed.
  Likelihood: high likelihood, as appropriate authentication mechanisms are not built into the banking application.
Technical Risk: Lack of Authentication Mechanisms
Inadequate use of
Exercise #1
Identifying Threats and Assets
Break into teams of 2-3 people.
Each team will identify potential threats, assets, and risks to a software application described on the next slide.
Exercise Time Limit: 15 Minutes
Exercise #1: Identifying Threats, Assets, Risks
Software Application
Your company, SecureTelco, has developed an instant messaging program to be used by corporations and government agencies to chat securely about sensitive subjects.
SecureChat requires users to sign up for an account prior to using the system. After authenticating with a username and password, each user can message other users and expect their conversations to be private.
Users have the ability to add/remove friends from their IM list, search for friends based on their email, block users from IMing them, and become invisible to all users on demand.
Message archives and activity logs document user behavior and can be retrieved by the user or a SecureTelco Administrator through the application or the administrative console, respectively.
Exercise #1: Identifying Threats, Assets, Risks
Questions to answer
Threats
  What threats exist for this application? I.e., who might want to compromise it?
  Which of the threats you've identified are the highest priority to protect the system against, and why?
Assets
  What important information resides within this application that would motivate a threat to try to compromise it?
  Which of the assets you've identified are the highest priority to protect, and why?
Business Risks
  If a particular threat is able to access an asset, what is the business consequence in $$$$?
Exercise Results
Threats to system (H/M/L) | Assets of interest (H/M/L) | Business Risks
(blank table, filled in by each team during the exercise)
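One way to turn the threat/asset pairs from Exercise #1 into the H/M/L ranking on the results slide, covering the risk assessment steps from the earlier slide (impact, likelihood, residual risk) as well. This is an added example, not code from the tutorial or from Coveros; the SecureChat threats, assets and ratings in the register are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import product

# The H/M/L scale from the exercise results slide, mapped to numbers so that
# impact and likelihood can be combined into a single ranking score.
SCALE = {"L": 1, "M": 2, "H": 3}


@dataclass(frozen=True)
class Risk:
    threat: str
    asset: str
    impact: str             # consequence of the asset being exposed (H/M/L)
    likelihood: str         # chance that the threat can compromise the asset (H/M/L)
    accepted: bool = False  # residual risk: deemed acceptable, deliberately not mitigated

    def score(self) -> int:
        return SCALE[self.impact] * SCALE[self.likelihood]


def rating(score: int) -> str:
    """Collapse a numeric score (1..9) back to the slide's H/M/L rating."""
    if score >= 6:
        return "H"
    if score >= 3:
        return "M"
    return "L"


def rank_risks(risks):
    """Open (not accepted) risks, highest score first; ties broken by asset name."""
    return sorted((r for r in risks if not r.accepted),
                  key=lambda r: (-r.score(), r.asset))


def residual_risks(risks):
    """Risks the team accepted rather than mitigated; these need periodic re-review."""
    return [r for r in risks if r.accepted]


def unassessed_pairs(threats, assets, risks):
    """Threat/asset connections the register has not examined yet."""
    covered = {(r.threat, r.asset) for r in risks}
    return [(t, a) for t, a in product(threats, assets) if (t, a) not in covered]


# Constructed sample register for the SecureChat exercise (assumed values, not the slides').
SECURECHAT_RISKS = [
    Risk("Credential-stuffing attacker", "User credentials", "H", "H"),
    Risk("Former employee with a stale account", "Message archives", "H", "M"),
    Risk("Curious insider using the admin console", "Activity logs", "M", "M"),
    Risk("Nuisance user", "Block list / invisibility setting", "L", "H", accepted=True),
]
```

rank_risks(SECURECHAT_RISKS) returns the three open risks with scores 9, 6 and 4 (ratings H, H, M); the accepted nuisance-user entry is reported only by residual_risks, and unassessed_pairs lists the threat/asset connections still to be examined.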
Security Testing
Security Testing is testing used to determine whether an information system protects its assets from its threats.
Security Testing is not a silver bullet for your enterprise security. Security Testing doesn't fix your security; it only makes you aware of it. Security must be built into your software.
A sound Security Testing process performs testing activities:
  Before development begins
  During requirements definition and software design
  During implementation
  During deployment
  During maintenance and operations
Provides a level of confidence that your system performs securely within specifications.
Security Testing is a preventative way to find small issues before they become big, expensive ones.
The 2007