Conference Presentations

Who is Stealing a Living off Your Web Site?

So, your company makes money from its Web site. Who else might also be doing the same? While the Web is a profitable venture for many companies, it is often equally profitable for hackers and thieves. Due to unknown vulnerabilities of your Web application, hackers may end up with more profit from your Web site than you do. See examples of hacker techniques-SQL injection, format string attacks, session-based attacks-and a host of others. Find out why the current crop of Web testing tools is not sufficient to thwart hackers and will leave you with a false and dangerous sense of security. Learn the skills and techniques you must know to stay ahead of hackers and find security holes in your Web applications.

  • Hidden Web application security vulnerabilities
  • Testing skills and techniques to find security holes and prevent breaches
  • Tools to help you with security testing Web sites
Florence Mottay, Security Innovation LLC
Gotcha!...Security Testing for Mission Critical Applications

A local television station provides a Web service that allows schools and businesses in the area to easily enter information on closures due to bad weather. The information then is displayed as a crawl along the bottom of the television screen. Some kids hack into the site and declare their school closed for the day, and it's immediately shown on everyone's television! It's a cute story. Now let's imagine that these same kids hack the prices on your eCommerce site or obtain access to sensitive customer records on your company Web site. This time the story is not so laughable. Mike Andrews shares his favorite top ten holes in Web site security including "SQL injection" and "cross-site scripting," shows examples of each, and discusses the effects these security breaches can have on your site. Fortunately, the number of attacks is rather small and easy to repair-if you know where to look.

Michael Andrews, Florida Institute of Technology
A Strategic Approach - "Beta the Business"

Beta testing is an industry standard practice to obtain user feedback prior to general availability of software. Have you ever considered that the Beta release can be used to validate the software's value to customers and application users? Extending the Beta concept will result in higher customer satisfaction (and higher revenue for commercial products). Also, you can employ Beta testing to evaluate not only the software product, but the distribution (and sales) process, training, customer support, and usage within your customers' environments. Far beyond just finding defects in the product, you can focus Beta testing on how well the software is meeting your customers' needs. What does that mean to the Development team and the organization as a whole? What are the risks and challenges that we face? What are the rewards?

Pete Conway, EMC Corporation
Preventing Security Breaches at the Source

Security is a complex and often overwhelming issue. You cannot rely solely on trying to prevent hackers from entering your systems. Instead, you must ensure that the system safeguards itself if a hacker does break in. Three of the most common internal software weaknesses hackers exploit are dangerously constructed SQL, buffer overflows, and runtime exceptions that are not properly handled. Although testing existing code for these defects can help, it is not fool proof. You also need to make a concerted effort to prevent security vulnerabilities from being introduced as the team is writing code. Through the application of practices, such as static analysis, dynamic analysis, unit testing, and runtime error detection, you can jumpstart your security efforts and keep the hackers at bay.

  • The most common internal software weaknesses that hackers exploit
Sergei Sokolov, ParaSoft Corporation
Go on Offense: Prevent Web Application Security Breaches

You must successfully test your browser-based applications before hackers do the job for you! Whether you have to worry about critical business applications or government compliance issues like HIPPA (Health Insurance Portability and Accountability Act of 1996) or GLBA (Financial Services Modernization Act of 1999), security failures can cost your organization big dollars, unnecessary embarrassment, or both. Hackers have gone beyond simple exploits of open IP ports and standard applications such as Telnet, FTP, and Sendmail, turning their attention to commercial and custom Web applications. To thwart the hackers, test engineers must focus their efforts on common and uncommon security vulnerabilities within the application, including SQL injections, session hijacking, cross-site scripting, and more.

Dennis Hurst, SPI Dynamics Inc
Questions to Ask a Software Vendor about Security (and Verify) before Purchase

How do you choose which software vendor's product to buy? For a long time, CRM packages, ERP systems, and other commercial software selection criteria have come down to factors such as performance, compatibility, reputation of the vendor, support, and price. Security, though, has become a looming factor in the total cost of ownership and the risk of selecting one software product over another. Ed Adams describes the tough questions you need to ask vendors about security and how to extract critical information from them. Find out the steps to verify that their statements are accurate and their answers complete. With an approach for quantifying security risk before purchase, your organization will make more informed acquisition decisions.

  • A security assessment approach for purchased software packages
  • Quantifying security risk in software packages before purchase
Ed Adams, Security Innovation LLC
End to End Security: Building Products Right

How do you build a product that is secure? Why are some products inherently more secure than others? Join Richard Ford as he shares his experiences, both building products and teaching other developers how to think about security. All too often, computer security is the last thing considered when building a new product; that is, security is relegated to a "bolt on" ... something to be added to the product before it can be shipped. You will see demonstrations of security flaws that illustrate why security should be considered at every stage in the product process, from initial idea to golden master… and beyond. Learn to think about security holistically and take away a checklist of issues to consider at every step in the product lifecycle. Finally, gain insight into ways of building a development culture that is security aware and maintaining an efficient but secure corporate culture.

Richard Ford, Florida Institute of Technology
Preventing Web Service Security Breaches

Because Web services are especially vulnerable to security breaches, verifying the integrity of Web services is critical to successful deployment. By adopting specific white-box testing techniques at the unit and system level, testers can better ensure the security and dependability of the Web services application their company produces. Learn what you can do to test Web services for conditions and input data that are not expected and fix security problems before they harm your organization.

  • Find security problems with specific white-box test techniques
  • Ensure proper functionality, interoperability, and security of Web services
  • Web services testing issues for developers and QA testers
Gary Brunell, ParaSoft Corporation
Beyond GUI: What You Need to Know about Database Testing

Today's complex software systems access heterogeneous data from a variety of back-end databases. The intricate mix of client-server and Web-enabled database applications are extremely difficult to test productively. Testing at the data access layer is the point at which your application
communicates with the database. Tests at this level are vital to improve not only your overall test strategy, but also your product's quality. Mary Sweeney explains what you need to know to test the SQL database engine, stored procedures, and data views. Find out how to design effective automated tests that exercise the complete database layer of your applications. You'll learn about the most common and vexing defects related to SQL databases and the best tools available to support your testing efforts.

Mary Sweeney, Exceed Training
Security Testing Web Applications

Often, the fast-paced development cycles of Web applications don't usually leave much room for testing. Thanks to the instant service pack phenomenon, we can update a Web application every day-so it's ok if things aren't perfect, right? That may be the case for functional bugs, but not security bugs. All an attacker needs is a very small window of opportunity to do damage. James Whittaker shows you how to identify these threats and demonstrates examples of attacks against them. From "SQL injection" to "cross-site scripting," and many more, you’ll leave with the knowledge of how a hacker views your online business and, as a tester, what you can do about it.

Dr. Mike Andrews, Florida Institute of Technology

Pages

AgileConnection is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.