Conference Presentations

Security Testing: The Foundations and More

Your organization is doing well with functional, usability, and performance testing. However, you know that software security is a key part of your assurance and compliance strategy for protecting applications and critical data. Left undiscovered, security-related defects can wreak havoc in a system when malicious invaders attack. If you don’t know where to start with security testing and don’t know what you are looking for, this session is for you. Alan Crouch describes how to get started with security testing, introducing foundational security testing concepts and showing you how to apply those security testing concepts with free and commercial tools and resources. Offering a practical risk-based approach, Alan discusses why security testing is important, how to use security risk information to improve your test strategy, and how to add security testing into your software development lifecycle.

Alan Crouch, Coveros, Inc.
Building Secure Applications

The Internet is full of insecure applications that cost organizations money and time, while damaging their reputations when their systems are compromised. We need to build secure applications as never before, but most developers are not now-and never will be-security specialists. By incorporating security controls into the frameworks used to create applications, Tom Stiehm asserts that any organization can imbue security into its applications. Building security into a framework allows highly specialized security experts to create components that maximize your application security profile while reducing the need for your development teams to have specialized application security knowledge. Learn to pick the right places in your framework to insert security controls and then enforce their use. Join Tom to explore real-world security controls he's applied to commonly used application frameworks.

Thomas Stiehm, Coveros, Inc.
Mobile Applications Security

Mobile applications enable millions of users to have more fun, be more productive, and interact with their world in more ways than ever before. Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system. This diversity of architectures presents a huge challenge to ensure that applications meet security requirements, such as confidentiality and integrity. Targeted at beginners in the mobile development space, Scott Matsumoto introduces the basics of mobile applications-deployment, digital rights management, and the cellular network-and then addresses popular security attack vectors that hackers exploit. Scott explores the mobile threat model you must consider when developing mobile business applications.

Scott Matsumoto, Cigital
Can You Hear Me Now? Yes...and Everyone Else Can Too

Mobile devices-connected to the world through the Internet, web, networks, and messaging-are everywhere and expanding rapidly in numbers, functionality, and, unfortunately, security threats. Not too many years ago, little attention was paid to mobile device security. Now, we hear reports almost daily of phone emails/messages being hacked, apps with worms, phishing via smart devices, and smart device fraud. People often have their records, personal data, and financial records on or accessible by the mobile device. In addition, organizations are using these devices to conduct critical business. Jon Hagar shares and analyzes case histories and examples of mobile application security failures. Based on this analysis, Jon summarizes these attacks and describes how to expose security bugs within these devices.

Jon Hagar, Consultant
Implementing a Security-focused Development Lifecycle

Assaults against digital assets are unquestionably on the rise. If you create applications that handle valuable assets, your code WILL be attacked. In addition to lost revenue and productivity, the consequences of compromised systems can include loss of trust, a tarnished reputation, and legal problems. Much like quality assurance, it’s important to have a holistic approach to security that unifies people, process, and technology. Cassio Goldschmidt introduces defense techniques that measurably reduce the number and severity of software vulnerabilities. These include secure coding techniques, minimizing the use of unsafe functions, use of compiler and linker security options, and specialized static analysis tools. Enrich your development lifecycle with threat modeling, security code review, penetration testing, and vulnerability management.

Cassio Goldschmidt, Symantec Corporation
Risk Identification, Analysis, and Mitigation in Agile Environments

Although risk identification, analysis, and mitigation are critically important parts of any software project effort, agile projects require non-traditional techniques that are much quicker and easier to use than classical risk techniques. James McCaffrey focuses-not on theory-but on realistic risk analysis methods agile teams can readily implement with lightweight tools. James explains and demonstrates how you can employ taxonomy and storyboarding methods to recognize project meta-risks and identify product risks throughout the development lifecycle. Using “central moment” and “PERIL” techniques, you'll learn to analyze these risks and develop management and mitigation strategies dynamically, while the project is underway.

James McCaffrey, Volt VTE
Mobile Challenges for Project Management: The Project Factors

Developing software for mobile apps requires a different mindset from developing for computers. Some concepts transfer directly, but there are many device-related challenges managers must overcome. In part one of this two-part series on mobile challenges, Jonathan Kohl addresses some of the project factors managers should take into account during mobile application development.

Jonathan Kohl's picture Jonathan Kohl
Web Security Testing with Ruby

To ensure the quality and safety of Web applications, security testing is a necessity. So, how do you cover all the different threats-SQL injection, cross-site scripting, buffer overflow, and others? James Knowlton explains how Ruby combined with Watir-both freely available-makes a great toolset for testing Web application security. Testing many common security vulnerabilities requires posting data to a Web server via a client, exactly what Watir does. The Ruby side of Watir, a full-function programming language, provides the tools for querying the database, checking audit logs, and other test-related processing. For example, you can use Ruby to generate random data or large datasets to throw at a Web application. James describes common security attacks and demonstrates step-by-step examples of testing these attack types with Ruby and Watir.

James Knowlton, McAfee, Inc.
STAREAST 2010: Tour-based Testing: The Hacker's Landmark Tour

Growing application complexity, coupled with the exploding increase in application surface area, has resulted in new quality challenges for testers. Some test teams are adopting a tour-based testing methodology because it’s incredibly good at breaking down testing into manageable chunks. However, hackers are paying close attention to systems and developing new targeted attacks to stay one step ahead. Rafal Los takes you inside the hacker’s world, identifying the landmarks hackers target within applications and showing you how to identify the defects they seek out. Learn what “landmarks” are, how to identify them from functional specifications, and how to tailor negative testing strategies to different landmark categories.

Rafal Los, Hewlett-Packard
You Can't Test Quality into Your Systems

Many organizations refer to their test teams and testers as QA departments and QA engineers. However, because errant systems can damage-even destroy-products and businesses, software quality must be the responsibility of the entire development team and every stakeholder. As the ones who find and report defects, and sometimes carry the “quality assurance” moniker, the test community has a unique opportunity to take up the cause of error prevention as a priority. Jeff Payne paints a picture of team and organization-wide quality assurance that is not the process-wonky, touchy, feely QA of the past that no one respects. Rather, it's tirelessly evaluating the software development artifacts beyond code; it’s measuring robustness, reliability, security, and other attributes that focus on product quality rather than process quality; it’s using risk management to drive business decisions around quality; and more.

Jeffery Payne, Coveros, Inc.

Pages

AgileConnection is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.