Security Testing for Testing Professionals


DESCRIPTION

Today’s software applications are often security critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications, and use testing to mitigate them. Understand how to security test applications—both web- and GUI-based—during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.

Text of Security Testing for Testing Professionals

  • TM Half-day Tutorials

    5/6/2014 1:00:00 PM

    Security Testing for Testing

    Professionals

    Presented by:

    Jeff Payne

    Coveros, Inc.

    Brought to you by:

    340 Corporate Way, Suite 300, Orange Park, FL 32073

    888-268-8770 904-278-0524 sqeinfo@sqe.com www.sqe.com

  • Jeff Payne Coveros, Inc.

    Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyber terrorism, and software quality.

  • 1 Copyright 2013 Coveros Corporation. All rights reserved.

    Security Testing for Testing Professionals

  • 2

    Trainer

    Jeffery Payne jeff.payne@coveros.com

    Twitter: @jefferyepayne

    Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.

  • 3

    About Coveros

    Coveros helps organizations accelerate the delivery of secure, reliable software

    Areas of Expertise

    Our consulting services:
      • Agile software development
      • Application security
      • Software quality assurance
      • Software process improvement

    Our key markets:
      • Financial services
      • Healthcare
      • Defense
      • Critical Infrastructure

  • 4

    Agenda

    Introduction to Security Testing
      • Information security
      • Software security
      • Risk assessment
      • Security testing

    Security Requirements & Planning
      • Functional security requirements
      • Non-functional security requirements
      • Test planning

    Testing for Common Attacks

    Integrating Security Testing into the Software Process

  • 5

    Introduction to Security Testing

  • 6

    When you hear the term Information Security

    What do you think it means?

    What comes to mind?

    What is Information Security?

  • 7

    Definition of Information Security

    Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

    The key concepts of Information Security include:
      • Confidentiality
      • Integrity
      • Availability
      • Authenticity
      • Non-Repudiation

    What is Information Security?

  • 8

    The Software Security Problem

    Our IT systems are not castles any longer!

  • 9

    Why Software Security is Important

    RISK IS

    EVERYWHERE!

  • 10

    Common Security Nomenclature

    Understanding Risk

    Risk: a possible future event which, if it occurs, will lead to an undesirable outcome

    Threat: a potential cause of an undesirable outcome

    Asset: data, application, network, physical location, etc. that a threat may wish to access, steal, destroy, or deny others access to

    Vulnerability: any weakness, administrative process, or act of physical exposure that makes an information asset susceptible to exploit by a threat

    Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic

    Attack: the approach taken by a threat to exploit a vulnerability, e.g. denial of service, spoofing, tampering, escalation of privilege

  • 11

    Risk Assessment

    A risk assessment is commonly carried out by a team of people who have subject area knowledge of the business / product and information security

    Possible connections between identified threats and system assets are examined and the risk of exposure is determined:

    Impact: the consequence of an asset being exposed

    Likelihood: the likelihood that a threat can compromise an asset

    Residual risks are those that have been deemed acceptable and are not mitigated

    Risk assessment is a process, not a one-time activity

    Understanding Risk

  • 12

    Understanding Risk

    Examples of Risks

    Business Risk: Loss of Customer Trust

    A professional hacker is able to access bank account information for all banking customers due to poor authentication mechanisms in the online banking application.

    Business impact ($): High impact, as an estimated 20% of reserves will be withdrawn from the bank by customers if the hack is revealed

    Likelihood: High likelihood, as appropriate authentication mechanisms are not built into the banking application

    Technical Risk: Lack of Authentication Mechanisms

    Inadequate use of

  • 13

    Identifying Threats and Assets

    Break into teams of 2-3 people.

    Each team will identify potential threats, assets, and risks to a software application described on the next slide.

    Exercise Time Limit: 15 Minutes

    Exercise #1

  • 14

    Your company, SecureTelco, has developed an instant messaging program, SecureChat, to be used by corporations and government agencies to chat securely about sensitive subjects.

    SecureChat requires users to sign up for an account prior to using the system. After authenticating with a username and password, each user can message other users and expect their conversations to be private.

    Users have the ability to add/remove friends from their IM list, search for friends based on their email, block users from IMing them, and become invisible to all users on demand.

    Message archives and activity logs document user behavior and can be retrieved by the user or a SecureTelco Administrator through the application or the administrative console, respectively.

    Software Application

    Exercise #1 Identifying Threats, Assets, Risks

  • 15

    Questions to answer

    Threats

    What threats exist for this application? I.e., who might want to compromise it?

    Which of the threats you've identified are the highest priority to protect the system against, and why?

    Assets

    What important information resides within this application that would motivate a threat to try and compromise it?

    Which of the assets you've identified are the highest priority to protect, and why?

    Business Risks

    If a particular threat is able to access an asset, what is the business consequence in $$$$?

    Exercise #1 Identifying Threats, Assets, Risks

  • 16

    Exercise Results

    Threats to system (H/M/L) | Assets of interest (H/M/L) | Business Risks

  • 17

    Security Testing

    Security Testing is testing used to determine whether an information system protects its assets from its threats.

    Security Testing is not a silver bullet for your enterprise security. Security Testing doesn't fix your security; it only makes you aware of it. Security must be built into your software.

    A sound Security Testing process performs testing activities:
      • Before development begins
      • During requirements definition and software design
      • During implementation
      • During deployment
      • During maintenance and operations

  • 18

    Provides a level of confidence that your system performs securely within specifications.

    Security Testing is a preventative way to find small issues before they become big, expensive ones.

    The 2007