|
|
Security Nirvana - Combining Source Code Scanning and Penetration Testing Penetrate and Patch. That's the unspoken model that many software development teams have been following for the past several years: build it, and when a security problem is found, then scurry around to patch it. We now know that the cost of building software this way is orders of magnitude more expensive than ingraining security throughout the development lifecycle. Ady Kakrania walks through the process of building security into your development process from the design phase and continuing good software security practices post-deployment. Learn about synergistically using tools like source code scanners to find dangerous functions and structures along with post-deployment penetration testing to dramatically reduce costs and shore-up your application's security.
|
Ady Kakrania, Security Innovation LLC
|
|
|
Open SourceTest Automation Frameworks Open source software has come a long way in the past few years. However, for automated testing there still are not many ready-made solutions. Testers often must spend their time working on test cases rather than working on a test automation framework. Allen Hutchison describes the elements of an automated test framework and demonstrates a framework that you can quickly assemble from several open source software tools. He then explains how to put the pieces together with a scripting language such as Perl. Once you build the framework, you can improve and reuse it in future test projects. At the end of the presentation, Google will release the described framework as a new open source project that you can begin using immediately.
|
Allen Hutchison, Google
|
|
|
Let's End the Defect Report-Fix-Check-Rework-Cycle Find out how teams transitioning to Agile practices must re-think their workflows and project metrics originally designed to handle many hundreds of defect reports that occur in typical testlast development cycles. Richard Leavitt discusses how a real-world implementation of key practices like early testing and continual integration-though not without bumps and bruises-lowered the number of open defect reports by an order of magnitude. These practices also can improve how the team communicates, reduce delays, and provide more direct measures of project status, feature progress, and release readiness.
|
Richard Leavitt, Rally Software Development
|
|
|
Journey to Test Automation Maturity Organizations that want to automate their testing generally go through a number of stages before they reach maturity. Whether you are about to begin your journey or are well under way, it is important to know where you are going and where you could go. In automating test execution, many organizations stop short of achieving their maximum benefits. This presentation looks at six levels of maturity in test automation and includes a self-assessment test to see where you are. It is important to have good objectives and realistic plans to achieve them. But in automating testing, these often seem very plausible at first but are not well expressed or are unrealistic. This presentation covers typical problems and examples of unrealistic automation plans and objectives. Leave with advice to help you have a successful journey to test automation.
|
Dorothy Graham, Grove Consultants
|
|
|
Risk: The Testers Favorite Four Letter Word Identifying risk is important-but managing risk is vital. Good project managers speak the language of risk, and their understanding of risk guides important decisions. Testers can contribute to an organization's decision making ability by speaking that same language. Learn from Julie Gardiner how to evaluate risk in both quantitative and qualitative ways. Julie will discuss how to deal with some of the misconceptions managers have about risk-based testing including: Testing is always risk-based. Risk-based testing is nothing more than prioritizing tests. Risk-based testing is a one-time-only activity. Risk-based testing is a waste of time. And risk-based testing will delay the project.
|
Julie Gardiner, QST Consultants Ltd.
|
|
|
Project Retrospectives At the rate Web vulnerabilities are being discovered and exploited, the security industry cannot afford to continue trying to keep up with patches and fixes. Cross-site scripting, SQL injection, command injection-attacks like these result from vulnerabilities in inadequately designed or written code, creating opportunities for attackers to threaten privacy and steal data. The only way to truly eliminate these vulnerabilities is to address them at their origin-in the source code itself. The critical sources of threats in an application come from coding errors, configuration issues, and design flaws. Using actual security failures, Daniel Hestad describes the dirty baker's dozen code-based vulnerabilities found in Web software. Learn to locate, understand, and eliminate these vulnerabilities before they present untold risks to your organization.
|
Lucille Parnes, Software Process Improvement Consultant
|
|
|
Building a Requirements Foundation with Customer Interviews Whether you are building a brand new product or evolving an existing system, understanding the business needs of your customers is the foundation of a marketable product or valuable internal application. Few of us are experts in interviewing techniques, and few customers talk about their tasks, needs, and context in neat, concise statements about requirements. Hone your elicitation skills and learn what it takes to get beneath the surface and understand your customers: their world, how they work, and what really bothers them. With effective interviewing techniques and skills, you will get inside their heads and better understand their needs within their context.
|
Esther Derby, Esther Derby Associates Inc
|
|
|
Secure Software is a Management Issue, Too! Development teams are entering a new era of software development. Security will play a critical role because traditional development practices are failing in the face of poor software quality and constant hacker attacks. As a manager, you are under pressure to write more secure, higher quality software while at the same time reducing operational costs. How can you incorporate the latest in software security development practices and stay within mandated budgets? And how do you justify higher budgets in the face of uncertain security risks? Join Djenana Campara for a manager’s view of software security issues. Become more proactive in the treatment of software security vulnerabilities, and help protect your company's core assets from external security threats.
|
Djenana Campara, Klocwork Inc
|
|
|
Develop and Deliver Secure Web-based Systems Gartner Group estimates that three-fourths of today's successful Web attacks do not happen via network security flaws but rather by entering directly through defects in application code. To thwart these attacks, you need to institute security procedures and technologies throughout the development lifecycle. Through a review of recent Web application breaches, Dennis Hurst exposes the methods hackers use to execute break-ins via the Web using security defects in the underlying code. In addition to revealing hacker exploits, Dennis outlines coding practices for developing secure Web applications and describes available automated security code testing tools that can help you protect your systems. After completing this session, you will be well versed in the underlying protocols that allow hackers to exploit Web-based applications and, more importantly, understand how to better protect critical applications throughout development.
|
Dennis Hurst, SPI Dynamics Inc
|
|
|
Controlling Performance Testing in an Uncontrolled World Think about it ... You are responsible for performance testing a system containing over 5 billion searchable documents to an active user base of 2.6 million users, and you are expected to deliver notification of sub-second changes in release response and certification of extremely high reliability and availability. Your n-tier architecture consists of numerous mainframes and large-scale UNIX
servers as well as Intel processor-based servers. The test environment architecture is distributed across large numbers of servers performing shared functions for a variety of products competing for test time and resources during aggressive release cycles. Because it is impractical and too costly to totally isolate systems at this scale, capacity and performance test engineers produce high quality
|
Jim Robinson, LexisNexis
|
