|
Oh, When Will They Ever Learn? After reading the book The Day the Phones Stopped, which was published in 1991, Lee began wondering why the poor software quality and complaints about development and testing documented in this book are the same complaints we hear today.
|
|
|
Risk-based Testing in Action Risk-based testing allows project teams to focus their limited test efforts on the areas of the product that really matter, based on the likelihood of bugs in those areas and the impact of bugs should they exist. By using risk priority to sequence test cases and allocate test effort, test teams can also increase their chances of finding bugs in priority order and allow for risk-based test triage if necessary.
|
|
|
Integrating Security Testing into Your Process Software quality is a priority for most organizations, yet many are still struggling to handle the volume of testing. Unfortunately, applications are frequently released with significant security risks. Many organizations rely on an overburdened security team to test applications late in development when fixes are the most costly, while others are throwing complex tools at test teams expecting the testers to master security testing with no formal processes and training. Danny Allan describes five steps to integrate security testing into the software development lifecycle. Danny shows how highly secure and compliant software applications begin with security requirements and include design, development, build, quality assurance, and transitional practices.
|
Danny Allan, IBM Rational
|
|
STARWEST 2008: Automating Security Testing with cUrl and Perl Although all teams want to test their applications for security, our plates are already full with functional tests. What if we could automate those security tests? Fortunately, most Web-based and desktop applications submit readily to automated testing. Paco Hope explores two flexible, powerful, and totally free tools that can help to automate security tests. cUrl is a free program that issues automatic basic Web requests; Perl is a well-known programming language ideally suited for writing test scripts. Paco demonstrates the basics of automating tests using both tools and then explores some of the more complicated concerns that arise during automation-authentication, session state, and parsing responses. He then illustrates simulated malicious inputs and the resulting outputs that show whether the software has embedded security problems.
|
Paco Hope, Cigital
|
|
Beyond Functional Testing: On to Conformance and Interoperability Although less well known than security and usability testing, conformance and interoperability testing are just as important. Even though conformance and interoperability testing-about standards and thick technical specifications documents-may seem dull, Derk-Jan De Grood believes that these testing objectives can be interesting and rewarding if you approach them the right way. SOA is one example in which numerous services must interact correctly with one another-conform to specs-to implement a system. Conformance and interoperability testing ensures that vendors' scanners can read your badge in the EXPO and that your bank card works in a foreign ATM. Derk-Jan explains important concepts of interface standards and specifications and discusses the varied test environments you need for this type of testing. Get insight into the problems you must overcome when you perform conformance and interoperability testing.
|
Derk-Jan Grood, Collis
|
|
Fuzzing: New Tests for Robustness and Security Traditional security measures are doomed to fail because they are focused only on defending against known attacks-and studies show that more than 80 percent of software will likely crash when extensive negative testing is employed. Fuzzing is a new, proactive technique for discovering security vulnerabilities and robustness issues in software. Although fuzz testing is most often based on some form of syntax checking, random input testing also can be appropriate. Fuzzing is valuable during development when application testers use the technique to surface issues and in production when security testers use it for audits. Any type of system can be fuzz tested-from enterprise solutions to consumer products such as mobile phones and set-top TV cable boxes. Ari Takanen discusses the origins of fuzzing, explains the different technologies used by fuzzers, and identifies current fuzzing tools, their uses and limitations.
|
Ari Takanen, Codenomicon Ltd.
|
|
Better Software Conference & EXPO 2008: Automating Security Testing with cUrl and Perl Although all teams want to test their applications for security, our plates are already full with functional tests. What if we could automate those security tests? Fortunately, most Web-based and desktop applications submit readily to automated testing. Paco Hope explores two flexible, powerful, and totally free tools that can help to automate security tests. cUrl is a free program that issues automatic basic Web requests; Perl is a well-known programming language ideally suited for writing test scripts. Paco demonstrates the basics of automating tests using both tools and then explores some of the more complicated concerns that arise during automation-authentication, session state, and parsing responses. He then illustrates simulated malicious inputs and the resulting outputs that show whether the software has embedded security problems.
|
Paco Hope, Cigital
|
|
Software Security Assessment: The Naked Truth With software running our most critical business processes, we need to think about both its utility and the risk it can add to those processes. Hugh Thompson describes some of the best current techniques to efficiently assess software security risk. Hugh identifies the biggest risks to your software systems, presents the major categories of security vulnerabilities with their business consequences, and how you can begin an effective software risk assessment process. Specifically, Hugh discusses the 17 critical questions to ask vendors, software component suppliers, and software-as-a-service (SaaS) providers about their product before you commit to using it. He describes how to benchmark your own software security practices, the top application security flaws that put your business at risk and their symptoms. You'll also learn to make more security-savvy software acquisition, development, and outsourcing decisions.
|
Herbert Thompson, Peoples Security
|
|
Finding Backdoor Threats with Static Analysis According to research from Gartner, 75% of all new security attacks are against applications and 90% of all vulnerabilities reside within software. However, enterprise IT security continues to be concentrated on the network to protect the perimeter from external attack rather than detecting vulnerabilities on the inside. In some of the world's largest businesses, there's evidence that malicious users may be deliberately leaving "backdoor" vulnerabilities to be exploited later when applications are put into full production. Methods are available to detect backdoors in your software, with static analysis as the most effective technique available. Chris Wysopal explains the technology and benefits of binary and source code static analysis and presents various techniques for inspecting software for backdoors along with the pros and cons of each method.
|
Chris Wysopal, Veracode
|
|
Client-Side Attacks: The New Vulnerability Historically, we have focused on server-side security vulnerabilities rather than their client-side counterparts. As cybercrime continues to evolve, the sophistication of client-side attacks is increasing and the severity of these vulnerabilities is growing. The advent of phishing and efforts to create botnet armies have exploded in recent years due to their profit potential. Client-side issues such as vulnerabilities in Web browsers and file corruption have become the facilitators, which make these attacks possible. Matt Fisher demonstrates examples in which client-side vulnerabilities have been leveraged for criminal gain. Matt walks through typical attack scenarios to help you better understand how these attacks succeed-and how you can combat them. He'll also peer into his crystal ball in an attempt to anticipate how such attacks will evolve in the future.
- Vulnerabilities in Web browsers and how to combat them
|
Matt Fisher, Hewlett-Packard
|