security testing for testing professionals

Download Security Testing for Testing Professionals

Post on 10-May-2015

386 views

Category:

Technology

0 download

Embed Size (px)

DESCRIPTION

Today’s software applications are often security-critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications and use testing to mitigate them. Understand how to security test applications—both web- and GUI-based—during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.

TRANSCRIPT

  • rial

    Presentedby:

    JeffPayneC

    Broughttoyouby:

    340CorporateWay,Suite OrangePark,FL320738882

    MFAMTuto4/7/20148:30AM

    SecurityTestingforTestingProfessionals

    overos,Inc

    300,6887709042780524sqeinfo@sqe.comwww.sqe.com

    http://starcanada.techwell.com/
  • Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds eros

    y s

    Jeff Payne Coveros, Inc.

    secure software applications using agile methods. Since its inception in 2008, Covhas become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirtpapers on software development and testing, and testified before Congress on issueof national importance, including intellectual property rights, cyber terrorism, and software quality.

    http://starcanada.techwell.com/sme-profiles/jeff-payne
  • 1 Copyright 2013 Coveros Corporation. All rights reserved.

    Security Testing

    for Test Professional

  • 2 Copyright 2013 Coveros, Inc.. All rights reserved.

    Coveros helps organizations accelerate the delivery of secure, reliable software

    Our consulting services: Agile software development

    Application security

    Software quality assurance

    Software process improvement

    Our key markets: Financial services

    Healthcare

    Defense

    Critical Infrastructure

    Areas of Expertise

    About Coveros

  • 3 Copyright 2013 Coveros, Inc.. All rights reserved.

    Agenda

    Introduction to Security Testing Information security Software security Risk assessment Security testing

    Security Requirements & Planning Functional security requirements Non-functional security requirements Test planning

    Testing for Common Attacks

    Integrating Security Testing into the Software Process

  • 4 Copyright 2013 Coveros, Inc.. All rights reserved.

    Trainer

    Jeffery Payne jeff.payne@coveros.com

    Jeffery Payne is CEO and founder of Coveros, Inc., a software company that

    helps organizations accelerate the delivery of secure, reliable software. Coveros

    uses agile development methods and a proven software assurance framework to

    build security and quality into software from the ground up. Prior to founding

    Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc.

    Under his direction, Cigital became a leader in software security and software

    quality solutions, helping clients mitigate the risk of software failure. Jeffery is a

    recognized software expert and popular speaker at both business and technology

    conferences on a variety of software quality, security, and agile development

    topics. He has also testified before Congress on issues of national importance,

    including intellectual property rights, cyber-terrorism, Software research funding,

    and software quality.

  • 5 Copyright 2013 Coveros, Inc.. All rights reserved.

    Introduction to Security Testing

  • 6 Copyright 2013 Coveros, Inc.. All rights reserved.

    When you hear the term Information Security or

    Security Testing

    What do you think it means?

    What comes to mind?

    What is Information Security?

  • 7 Copyright 2013 Coveros, Inc.. All rights reserved.

    Definition of Information Security

    Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

    The key concepts of Information Security include: Confidentiality

    Integrity

    Availability

    Authenticity

    Non-Repudiation

    What is Information Security?

  • 8 Copyright 2013 Coveros, Inc.. All rights reserved.

    The Software Security Problem

    Our IT systems are not castles any longer!

  • 9 Copyright 2013 Coveros, Inc.. All rights reserved.

    Why Software Security is Important

  • 10 Copyright 2013 Coveros, Inc.. All rights reserved.

    How to Define Security Risk in Software

    Understanding Risk

    Common Security Nomenclature Risk: a possible future event which, if it occurs, will lead to an

    undesirable outcome

    Threat: A potential cause of an undesirable outcome

    Asset: Data, application, network, physical location, etc. that a threat may wish to access, steal, destroy, or deny others access to

    Vulnerability: Any weakness, administrative process, or act of physical exposure that makes an information asset susceptible to exploit by a threat.

    An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.

    Attack: the approach taken by a threat to exploit a vulnerability Denial of service, spoofing, tampering, escalation of privilege

  • 11 Copyright 2013 Coveros, Inc.. All rights reserved.

    Risk Assessment

    A risk assessment is commonly carried out by a team of people who have subject area knowledge of the business and product. Members of the team provide a qualitative analysis based on informed opinion of threats that will later be used in a more quantitative analysis.

    The team should also define what is an acceptable amount of risk that the organization can assume. We assume we cant identify all risks nor eliminate them; this is often referred to as residual risk.

    Understanding Risk

  • 12 Copyright 2013 Coveros, Inc.. All rights reserved.

    Risk Assessment

    Break into teams of 2-3 people.

    Each team will identify potential threats to a software application described on the next slide.

    Who would want to compromise this application?

    What assets would they be after if they did?

    Once each threat is identified, provide impact and likelihood ratings (High, Medium, Low) for each threat.

    Justify your answers

    Exercise Time Limit: 15 Minutes

    Exercise

  • 13 Copyright 2013 Coveros, Inc.. All rights reserved.

    Your company, SecureTelco, has developed an instant messaging program to be used for private use in customers homes and for companies and government agencies.

    SecureChat requires users to sign up with an account prior to using the system. After authenticating with a username and password, each user can message other users and expect their conversations to be private.

    Users have the ability to add/remove friends from their contact list, search for friends based on their email, block users from IMing them, become invisible to all users on demand.

    Messages archives and activities logs document user behavior and can be retrieved by the user or a SecreTelco Administrator through the application or by the administrative console, respectively.

    Risk Assessment

    Exercise

  • 14 Copyright 2013 Coveros, Inc.. All rights reserved.

    Risk Assessment Questions

    Business / Mission Motivation

    What is the importance/criticality of the system?

    What assets exist in the system?

    What is the impact if C, I, A principles violated?

    User Capabilities and Exposure

    How is access different for user roles?

    What operations can each performed by different users?

    Threat Motivation

    Why might someone attack the system?

    Who might want to attack? (insiders, outsiders)

    What might attackers accomplish?

    Whats the cost of failure?

    Exercise

  • 15 Copyright 2013 Coveros, Inc.. All rights reserved.

    Threats to system Assets of interest

    Exercise Results

  • 16 Copyright 2013 Coveros, Inc.. All rights reserved.

    What? How?

    Security Testing is testing used to determine whether an information system protects its data from its threats.

    Security Testing is not a silver bullet for your enterprise

    security. Security Testing doesnt fix your security, it only

    makes you aware of it. Security must be built into your

    software

    A sound Security Testing process performs testing activities:

    Before development begins

    During requirements definition and software design

    During implementation

    During deployment

    During maintenance and operations

    Security Testing

  • 17 Copyright 2013 Coveros, Inc.. All rights reserved.

    Provides a level of confidence that your system performs securely within specifications.

    Security Testing is a preventative way to find small issues before they become big, expensive ones.

    The 2007 CSI Computer Crime and Security Survey performed an analysis of the average cost of a web security breach. The average loss reported in the survey was $350,424.

    Security Testing ensures that people in your organization understand and obey security policies.

    If involved right from the first phase of system development life cycle, security testing can help eliminate flaws in the design and implementation of the system.

    Why is it important?

    Security Testing

  • 18 Copyright 2013 Coveros, Inc.. All rights reserved.

    Major goals of security testing

    Test the security features of a system

    Test the security properties of a system

    Test whe