Security Testing for Testing Professionals

TM Half-day Tutorials

5/6/2014 1:00:00 PM

Security Testing for Testing

Professionals

Presented by:

Jeff Payne

Coveros, Inc.

Brought to you by:

340 Corporate Way, Suite 300, Orange Park, FL 32073

888-268-8770 904-278-0524 [email protected] www.sqe.com

Jeff Payne Coveros, Inc.

Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyber terrorism, and software quality.

1 Copyright 2013 Coveros Corporation. All rights reserved.

Security Testing

for Testing Professional

2 Copyright 2013 Coveros, Inc.. All rights reserved.

Trainer

Jeffery Payne [email protected]

Twitter: @jefferyepayne

Jeffery Payne is CEO and founder of Coveros, Inc., a software company that

helps organizations accelerate the delivery of secure, reliable software. Coveros

uses agile development methods and a proven software assurance framework to

build security and quality into software from the ground up. Prior to founding

Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc.

Under his direction, Cigital became a leader in software security and software

quality solutions, helping clients mitigate the risk of software failure. Jeffery is a

recognized software expert and popular speaker at both business and technology

conferences on a variety of software quality, security, and agile development

topics. He has also testified before Congress on issues of national importance,

including intellectual property rights, cyber-terrorism, Software research funding,

and software quality.

3 Copyright 2013 Coveros, Inc.. All rights reserved.

Coveros helps organizations accelerate the delivery of secure, reliable software

Our consulting services: Agile software development

Application security

Software quality assurance

Software process improvement

Our key markets: Financial services

Healthcare

Defense

Critical Infrastructure

Areas of Expertise

About Coveros

4 Copyright 2013 Coveros, Inc.. All rights reserved.

Agenda

Introduction to Security Testing Information security Software security Risk assessment Security testing

Security Requirements & Planning Functional security requirements Non-functional security requirements Test planning

Testing for Common Attacks

Integrating Security Testing into the Software Process

5 Copyright 2013 Coveros, Inc.. All rights reserved.

Introduction to Security Testing

6 Copyright 2013 Coveros, Inc.. All rights reserved.

When you hear the term Information Security

What do you think it means?

What comes to mind?

What is Information Security?

7 Copyright 2013 Coveros, Inc.. All rights reserved.

Definition of Information Security

Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

The key concepts of Information Security include: Confidentiality

Integrity

Availability

Authenticity

Non-Repudiation

What is Information Security?

8 Copyright 2013 Coveros, Inc.. All rights reserved.

The Software Security Problem

Our IT systems are not castles any longer!

9 Copyright 2013 Coveros, Inc.. All rights reserved.

Why Software Security is Important

RISK IS

EVERYWHERE!

10 Copyright 2013 Coveros, Inc.. All rights reserved.

Common Security Nomenclature

Understanding Risk

Risk: a possible future event which, if it occurs, will lead to an undesirable outcome

Threat: A potential cause of an undesirable outcom

Asset: Data, application, network, physical location, etc. that a threat may wish to

access, steal, destroy, or deny others access to

Vulnerability: Any weakness, administrative process, or act of physical exposure

that makes an information asset susceptible to exploit by a threat.

An exploit is a piece of software, a chunk of data, or sequence of commands that

takes advantage of a vulnerability in order to cause unintended or unanticipated

behavior to occur on computer software, hardware, or something electronic.

Attack: the approach taken by a threat to exploit a vulnerability

Denial of service, spoofing, tampering, escalation of privilege

11 Copyright 2013 Coveros, Inc.. All rights reserved.

Risk Assessment

A risk assessment is commonly carried out by a team of people who have subject area knowledge of the business / product and information security

Possible connections between identified threats and system assets are examined and the risk of exposure is determined:

Impact: the consequence of an asset being exposed

Likelihood: the likelihood that a threat can compromise an asset

Residual risks are those that have been deemed acceptable and are not mitigated

Risk assessment is a process not a one time activity

Understanding Risk

12 Copyright 2013 Coveros, Inc.. All rights reserved.

Business Risk: Loss of Customer Trust

Professional hacker is able to access bank account information for all

banking customers due to poor authentication mechanisms in the on-

line banking application

Business impacts $: High Impact as an estimated that 20% of

reserves will be taken out of bank by customers if hack is revealed

Likelihood: High Likelihood as appropriate authentication

mechanisms are not built into the banking application

Technical Risk: Lack of Authentication Mechanisms

Inadequate use of

Examples of Risks

Understanding Risk

13 Copyright 2013 Coveros, Inc.. All rights reserved.

Identifying Threats and Assets

Break into teams of 2-3 people.

Each team will identify potential threats, assets, and risks to a software application described on the next slide.

Exercise Time Limit: 15 Minutes

Exercise #1

14 Copyright 2013 Coveros, Inc.. All rights reserved.

Your company, SecureTelco, has developed an instant messaging program to be used by corporations and government agencies to chat securely about sensitive subjects

SecureChat requires users to sign up with an account prior to using the system. After authenticating with a username and password, each user can message other users and expect their conversations to be private.

Users have the ability to add/remove friends from their IM list, search for friends based on their email, block users from IMing them, become invisible to all users on demand.

Messages archives and activities logs document user behavior and can be retrieved by the user or a SecreTelco Administrator through the application or by the administrative console, respectively.

Software Application

Exercise #1 Identifying Threats, Assets, Risks

15 Copyright 2013 Coveros, Inc.. All rights reserved.

Questions to answer

Threats

What threats exist for this application?

I.e. who might want to compromise it?

Which of the threats youve identified are the highest priority to protect the system against and why?

Assets

What important information resides within this application that would motivate a threat to try and compromise it?

Which of the assets youve identified are the highest priority to protect and why?

Business Risks

If a particular threat is able to access an asset, what is the business consequence in $$$$?

Exercise #1 Identifying Threats, Assets, Risks

16 Copyright 2013 Coveros, Inc.. All rights reserved.

Threats to system

(H/M/L)

Business Risks Assets of interest

(H/M/L)

Exercise Results

17 Copyright 2013 Coveros, Inc.. All rights reserved.

Security Testing is testing used to determine whether an information system protects its assets from its threats.

Security Testing is not a silver bullet for your enterprise

security. Security Testing doesnt fix your security, it only

makes you aware of it. Security must be built into your

software

A sound Security Testing process performs testing activities:

Before development begins

During requirements definition and software design

During implementation

During deployment

During maintenance and operations

Security Testing

18 Copyright 2013 Coveros, Inc.. All rights reserved.

Provides a level of confidence that your system performs securely within specifications.

Security Testing is a preventative way to find small issues before they become big, expensive ones.

The 2007