Page 1

Software Confidence. Achieved.

Dec10

Automated Security Testing
A case study of Agile SDLC integration

www.cigital.com
Frank Hurley, Aravind Venkataraman, Sagar Dongre

Page 2

Outline

- QA testing vs. Security testing
- Cigital services
- Software Security program
- Security testing
- Security testing framework

v1.2 Oct09. Copyright 2009 Cigital, Inc. Proprietary and Confidential.

Page 3

QA testing vs. Security testing


QA testing
- Checks that the app does what it's supposed to do
- Meets stated business requirements (!)
  - Test cases derived from requirements
  - Positive/negative test cases
  - Test coverage (RTM)
- Ensures the app doesn't break/crash/etc.
  - Many unstated requirements
  - Exploratory testing
- Normal, expected use
  - Corner cases, but within what a user might do

Page 4

QA testing vs. Security testing


Security testing
- Checks that the app does not do what it's not supposed to do
- Requirement is implied... not in the business requirements
  - Malicious/erroneous user input
  - URL tampering
  - Bypassing JavaScript
- Ensures the app doesn't break/crash/etc.
  - Crash = potential exploit
- Misuse/abuse cases
  - Actions the system should prevent
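The contrast drawn on these two slides, as an added example that is not part of the deck: one small order-lookup handler, exercised first by QA-style tests derived from the stated requirement and then by security-style tests derived from misuse cases (URL tampering, bypassing the client-side JavaScript check, and "crash = potential exploit"). The handler `view_order`, the `ORDERS` store, the users alice and bob and every input are constructed for the example.

```python
"""Added example, not from the Cigital deck: one small order-lookup handler
exercised first by QA-style tests (does the app do what it should?) and then
by security-style misuse tests (does it refuse what it should not do?).
The handler, the store and every input below are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed in-memory store: order id -> (owner, description)
ORDERS: Dict[str, tuple] = {
    "1001": ("alice", "3 x widget"),
    "1002": ("bob", "1 x gadget"),
}

# The same rule the page's client-side JavaScript would enforce. fullmatch() is
# used instead of match() with "$" because "$" also accepts a trailing newline.
ORDER_ID_RE = re.compile(r"[0-9]{1,10}")


@dataclass
class Response:
    status: int
    body: str


def view_order(params: Dict[str, str], session_user: Optional[str]) -> Response:
    """Handle GET /order?id=<n>. Validation is repeated server side because the
    client-side check can be skipped by anyone who crafts the request by hand."""
    if session_user is None:
        return Response(401, "login required")
    order_id = params.get("id")
    if order_id is None:
        return Response(400, "missing id")
    if not isinstance(order_id, str) or not ORDER_ID_RE.fullmatch(order_id):
        return Response(400, "invalid id")  # reject malicious/erroneous input, never crash on it
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, "no such order")
    owner, description = order
    if owner != session_user:
        return Response(403, "forbidden")  # URL tampering: an id the user does not own
    return Response(200, description)


# QA tests: derived from the stated requirement "a user can view their own order".
def qa_positive() -> bool:
    return view_order({"id": "1001"}, "alice") == Response(200, "3 x widget")


def qa_negative_missing_id() -> bool:
    return view_order({}, "alice").status == 400


# Security tests: derived from misuse cases, i.e. actions the system must prevent.
def misuse_unauthenticated() -> bool:
    return view_order({"id": "1001"}, None).status == 401


def misuse_url_tampering() -> bool:
    # alice edits the id in the URL to bob's order; it must not be served
    return view_order({"id": "1002"}, "alice").status == 403


def misuse_bypass_client_js() -> List[int]:
    """Inputs the client-side JavaScript would have blocked, sent straight to the
    server. Returns the status for each; a 500 means the handler crashed, which
    the deck counts as a potential exploit."""
    crafted = ["", "abc", "1001 OR 1=1", "9" * 50, "../1001", "1001\n", "1001\x00"]
    statuses = []
    for value in crafted:
        try:
            statuses.append(view_order({"id": value}, "alice").status)
        except Exception:  # any crash is a finding here, so it is recorded, not hidden
            statuses.append(500)
    return statuses


if __name__ == "__main__":
    print("QA:", qa_positive(), qa_negative_missing_id())
    print("Misuse:", misuse_unauthenticated(), misuse_url_tampering(), misuse_bypass_client_js())
```

The QA tests pass as soon as the happy path works; the misuse tests only pass because the server repeats the validation the JavaScript does and checks ownership before serving a record, which is exactly the implied requirement the slide says is absent from the business requirements.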

Page 5


Software Assurance services

Software Security
- Secure design
- Secure coding
- Security testing
- Continuous integration

Software Quality
- Agile testing
- Test automation
- Continuous integration
- Test process improvement

Page 6

Software Assurance services at a client

Security scanning platform
- Security code review
- Security testing
- Continuous integration

Quality assurance
- Agile testing
- Test automation
- Continuous integration

Page 7

Building Security into SDLC

Page 8

Software Security program

Page 9

Static analysis | Dynamic analysis

Static analysis
- Code review
- Bug patterns in code
- Coding defects
- Quality/reliability defects
- Automation: "HP Fortify"
- Think "CheckStyle, PMD"
- "Ant, Maven" integration

Dynamic analysis
- Penetration testing
- Security test injection
- Configuration defects
- Exploit proof-of-concepts
- Automation: "IBM AppScan"
- Think "QTP, WinRunner"
- "QualityCenter" integration
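The "Ant, Maven integration" point on this slide is what turns a scanner from a periodic report into a gate, so here is an added example of that gate; it is not from the deck and not from any vendor tool. It reads a findings report, applies a severity policy with a triaged baseline, and returns a non-zero exit code for the build step to act on. The report layout, the finding ids, file names and the `PLACEHOLDER-123` ticket reference are all constructed; a real gate would parse the scanner's own output format instead.

```python
"""Added example, not from the deck or from any vendor tool: a build gate that
reads a static-analysis findings report and decides whether the build passes,
so the scanner's verdict is enforced by the same Ant/Maven build that runs the
unit tests. The report layout, finding ids, files and baseline below are all
constructed for the example; a real gate would parse the scanner's own format."""
import json
import sys
from typing import Dict, List, Tuple

# Constructed report in a generic layout, as a build step might receive it.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "f-1", "rule": "sql-injection", "severity": "High",
         "file": "src/OrderDao.java", "line": 42},
        {"id": "f-2", "rule": "weak-hash", "severity": "Medium",
         "file": "src/Auth.java", "line": 17},
        {"id": "f-3", "rule": "unused-import", "severity": "Low",
         "file": "src/Util.java", "line": 3},
        {"id": "f-4", "rule": "path-traversal", "severity": "High",
         "file": "src/FileServlet.java", "line": 88},
    ]
})

# Findings already triaged in an earlier scan: id -> justification. A baseline
# lets a team switch the gate on for an existing code base without a big bang.
BASELINE: Dict[str, str] = {"f-4": "tracked as ticket PLACEHOLDER-123, fix scheduled"}

KNOWN_SEVERITIES = {"Critical", "High", "Medium", "Low"}
FAIL_SEVERITIES = {"Critical", "High"}
WARN_SEVERITIES = {"Medium"}


def load_findings(report_text: str) -> List[dict]:
    """Parse the report and check each finding has the fields the policy needs."""
    findings = json.loads(report_text).get("findings", [])
    for f in findings:
        missing = {"id", "rule", "severity", "file", "line"} - set(f)
        if missing:
            raise ValueError(f"finding {f.get('id', '?')} lacks {sorted(missing)}")
    return findings


def evaluate(findings: List[dict], baseline: Dict[str, str],
             fail_on=FAIL_SEVERITIES, warn_on=WARN_SEVERITIES) -> Tuple[int, List[str]]:
    """Return (exit_code, messages): 0 passes, 1 fails.
    Policy: a new finding at a failing severity, or at a severity the policy
    does not know (fail closed), fails the build; baselined findings are listed
    but do not fail; warning severities are listed; the rest are silent."""
    messages: List[str] = []
    failures = 0
    for f in findings:
        sev = f["severity"]
        loc = f"{f['file']}:{f['line']} [{f['rule']}] {sev}"
        if f["id"] in baseline:
            messages.append(f"BASELINED {loc} ({baseline[f['id']]})")
        elif sev in fail_on or sev not in KNOWN_SEVERITIES:
            failures += 1
            note = "" if sev in KNOWN_SEVERITIES else " (unknown severity, failing closed)"
            messages.append(f"FAIL      {loc}{note}")
        elif sev in warn_on:
            messages.append(f"WARN      {loc}")
    messages.append(f"{failures} new failing finding(s)")
    return (1 if failures else 0), messages


def main(argv: List[str]) -> int:
    # With a path argument the gate reads that report; without one it runs on the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    code, messages = evaluate(load_findings(text), BASELINE)
    print("\n".join(messages))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run from an Ant or Maven step that fails the build on a non-zero exit code, this makes a new High finding break the build the same way a failing unit test does, while the baseline keeps already-triaged findings visible without blocking every commit; the same shape of gate works for a dynamic scanner's report as long as the parser is swapped.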

Page 10

Static analysis | Dynamic analysis

Page 11

Security scanning framework

Page 12

Thank you

Software Confidence. Achieved.