Today's software applications are often security-critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications and use testing to mitigate them. Understand how to security test applications, both web- and GUI-based, during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.
TL PM Tutorial, 10/1/2013, 1:00:00 PM
"Security Testing for Testing Professionals"
Presented by: Jeff Payne, Coveros, Inc.
Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073; 888-268-8770; 904-278-0524; email@example.com; www.sqe.com

Jeff Payne, Coveros, Inc.
Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting.

Security Testing for Test Professionals (8/20/2013)
Copyright 2011 Coveros, Inc. All rights reserved.

Trainer: Jeffery Payne
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.

About Coveros
Coveros helps organizations accelerate the delivery of secure, reliable software.
Our consulting services: agile software development; application security; software quality assurance; software process improvement.
Corporate partners.
Our key markets: financial services; healthcare; defense; critical infrastructure.

Agenda
- Introduction to Security Testing
- Security Testing Framework
- Steps in security testing
- Security test planning
- Security test tools
- Wrap up

Expectations
- What are your expectations for this tutorial?
- What do you wish to learn?
- What questions do you want answered?

Introduction to Security Testing

What is Information Security?
When you hear the terms Information Security and Security Testing: What do you think they mean? What comes to mind?

What is Information Security?
Definition of Information Security: Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The key concepts of Information Security include:
- Confidentiality: prevent the disclosure of information to unauthorized individuals or systems
- Integrity: data cannot be modified undetectably
- Availability: data and systems are available in an uninterrupted manner
- Authenticity: ensure that data, transactions, communications or documents (electronic or physical) are genuine
- Non-Repudiation: ensure that someone cannot deny something

The Software Security Problem
Our IT systems are not castles any longer!

Why Software Security is Important

Understanding Risk: How to Define Security Risk in Software
Common security nomenclature:
- Risk: a possible future event which, if it occurs, will lead to an undesirable outcome
- Threat: a potential cause of an undesirable outcome
- Vulnerability: any weakness, administrative process, or act of physical exposure that makes an information asset susceptible to exploit by a threat. An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.
- Attack: the approach taken by a threat to exploit a vulnerability (denial of service, spoofing, tampering, escalation of privilege)

Security Testing: What? How?
- Security Testing is testing used to determine whether an information system protects its data from its threats.
- Security Testing is not a silver bullet for your enterprise security. Security Testing doesn't fix your security, it only makes you aware of it. Security must be built into your software.
- A sound Security Testing process performs testing activities:
  - Before development begins
  - During requirements definition and software design
  - During implementation
  - During deployment
  - During maintenance and operations

Exercise: Security Testing Case Study
Your company, SecureTelco, has developed an instant messaging program to be used for private use in customers' homes and for companies and government agencies. SecureChat requires users to sign up with an account prior to using the system. After authenticating with a username and password, each user can message other users and expect their conversations to be private. Users have the ability to add/remove friends from their contact list, search for friends based on their email, block users from IMing them, and become invisible to all users on demand. Message archives and activity logs document user behavior and can be retrieved by the user or a SecureTelco Administrator through the application or the administrative console, respectively.

Security Testing Framework

Security testing before development begins: Overview
- Testing before development begins is really a QA function to assess the readiness of the organization to build secure software applications.
- Always remember that security testing evaluates the security posture of your applications; it does not build security in.
- Irrespective of your findings, do not become the quality police.

Security testing before development begins: Review Security Policies and Standards
- Understand the policies and standards that have been adopted by the organization and their relationship to software security. Examples:
  - Privacy policies regarding your customer data
  - Service level agreements with clients
  - IT security standards you must adhere to
  - PCI compliance activities for credit card transactions
- Your goal is to understand these policies and standards to the level that will allow you to validate security requirements and effectively test the end product against them.

Security testing before development begins: Review Secure Software Development Lifecycle
- If the security of your software is an enterprise concern, the development team should be adhering to a defined secure software development lifecycle model, one that:
  - Defines development activities that build security in
  - Defines security testing activities performed by appropriate parties (development, testing, security org, operations, etc.)
- Common secure software development models:
  - Microsoft's Security Development Lifecycle (SDL)
  - Coveros SecureAgile process
  - There are others as well
- Secure software standards: secure coding standard

Security testing during definition and design: Overview
Testing activities during requirements definition and software design focus on assuring that security has been effectively integrated into software requirements and the overall architecture and design of the product. Typical activities include:
- Security requirements development/validation
- Architecture and design reviews
- Threat modeling
- Test strategy and planning

Security testing during definition and design: Software Requirements
- Functional Requirements: statements of the services the system should provide, how the system should react to particular inputs and how the system should behave in particular situations. What each feature within the software should do.
- Non-Functional Requirements: statements that describe additional requirements not associated with individual functional behaviors. They include information about reliability, configurability, availability, performance, etc. What quality goals the entire software system must achieve.

Security testing during definition and design: Security Requirements
Security Requirements describe functional and non-functional requirements that need to be satisfied in order to achieve the security attributes of an IT system or application. What does that mean?
- Functional Security Requirements: additions to functional requirements that define what the software should not do.
- Non-Functional Security Requirements: additional non-functional requirements that define what overall security the system must provide.

Security testing during definition and design: Example Security Requirement
Functional requirement: SecureChat login screen shall accept a valid username/password pair and allow system access.
Functional requirement that includes security: SecureChat login screen shall accept valid username/password pairs and allow system access. Entering either an invalid username or invalid password will result in the display of the message "Invalid username or password" on a redisplay of the login screen after both a username and password are entered. Three successive invalid login attempts from a particular machine will lock the user's account and display the message "User Account Locked, Call System Administrator" on a redisplay of the login screen. Subsequent valid login/password pairs will not allow system access until the account is unlocked by the system administrator.

Security testing during definition and design: Example Security Requirement
Functional requirement: SecureChat user shall choose a userid and a password for their account during registration.
Functional security requirement: SecureChat user shall choose a userid and a password for their account during registration.
- Userid shall be unique within the system
- Userid shall consist of alphanumeric characters
- Password shall be at least 12 characters long and include at least one capital letter, one special character, and one whole number

Security testing during definition and design: Examples of Non-Functional Security Requirements
- SecureChat shall ensure that data is protected from unauthorized access at all times.
- SecureChat shall have an availability of 99.9%.
- SecureChat shall process a minimum of 8 transactions per second.
- Each SecureChat build shall undergo secure code review prior to release.
- All communications between the SecureChat client application and the SecureChat central servers shall be encrypted.

Security testing during definition and design: Architectural and Design Reviews
- Architectural and design reviews focus on determining whether the stated architecture/design enforces the appropriate level of security as defined in the requirements.
- Typically performed by security architects and/or other software leads within the organization.
- Examines these artifacts for flaws such as:
  - Violation of trust boundaries
  - Distributed control of authorization
  - Custom algorithms for cryptography / random number generation

Design Flaws vs. Implementation Bugs
Flaws (design defects):
- Misuse of cryptography
- Compartmentalization problems in design
- Privileged block protection failure
- Type safety confusion error
- Insecure auditing
- Broken or illogical access control
- Method over-riding problems
Bugs (implementation defects):
- Buffer overflows
- Cross site scripting
- Race conditions
- SQL injection

Security testing during definition and design: Threat modeling for risk assessment
- Threat modeling: a process by which any risks to a piece of software are identified and mitigated.
- A variety of approaches exist for doing threat modeling.
- Microsoft STRIDE model:
  - Diagram your system: high level dataflow diagrams
  - Identify threats (risks): each type of entity/interaction has enemies
  - Mitigate threats (risks): determine security controls
  - Validate mitigations: test the effectiveness of these controls
  - STRIDE = Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege
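The SecureChat login-lockout and registration requirements above, turned into an executable model that a tester can derive test cases from. This is an added example, not code from the Coveros slides; SecureChat is the tutorial's hypothetical system, and the in-memory account store and the caller-supplied machine identifier used for the per-machine lockout counter are my assumptions.

```python
# Added example, not the slides' code: an executable model of the SecureChat registration
# and login requirements quoted above. Assumed: an in-memory store (a real system keeps
# password hashes, not passwords) and a caller-supplied machine identifier.
import re
from dataclasses import dataclass, field
USERID_RE = re.compile(r"[A-Za-z0-9]+")        # userid: alphanumeric characters only
INVALID_MSG = "Invalid username or password"
LOCK_MSG = "User Account Locked, Call System Administrator"
MAX_FAILURES = 3                               # three successive invalid attempts lock
# Each policy clause from the slides: (predicate the password must satisfy, failure text)
PASSWORD_POLICY = [(lambda p: len(p) >= 12, "shorter than 12 characters"),
                   (re.compile(r"[A-Z]").search, "no capital letter"),
                   (re.compile(r"[^A-Za-z0-9]").search, "no special character"),
                   (re.compile(r"[0-9]").search, "no whole number")]

def password_policy_violations(password: str) -> list:
    """Return the policy clauses the candidate password fails (empty list means OK)."""
    return [text for satisfied, text in PASSWORD_POLICY if not satisfied(password)]

@dataclass
class SecureChatAccounts:
    users: dict = field(default_factory=dict)     # userid -> password (toy store)
    locked: set = field(default_factory=set)      # userids awaiting admin unlock
    failures: dict = field(default_factory=dict)  # (userid, machine) -> failure streak

    def register(self, userid: str, password: str) -> str:
        if not USERID_RE.fullmatch(userid):
            return "rejected: userid must be alphanumeric"
        if userid in self.users:
            return "rejected: userid must be unique"
        if violations := password_policy_violations(password):
            return "rejected: password " + ", ".join(violations)
        self.users[userid] = password
        return "ok"
    def login(self, userid: str, password: str, machine: str) -> str:
        if userid in self.locked:                 # valid pairs are denied until unlocked
            return LOCK_MSG
        if self.users.get(userid) == password:
            self.failures.pop((userid, machine), None)   # success ends the streak
            return "access granted"
        key = (userid, machine)
        streak = self.failures.pop(key, 0) + 1
        if streak >= MAX_FAILURES:                # third successive failure locks
            self.locked.add(userid)
            return LOCK_MSG
        self.failures[key] = streak
        return INVALID_MSG                        # same text for bad userid or password
    def admin_unlock(self, userid: str) -> None:  # only the administrator clears a lock
        self.locked.discard(userid)
```

Each requirement clause maps to one branch, so a tester can enumerate the branches (valid pair, bad userid, bad password, third failure, valid pair while locked, after unlock) as the minimum test set.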
Fixing the Problem: One DoD Initiative
[Chart: Critical/High Vulnerabilities Per 1,000 Lines of Code, Initial vs. Follow-On, for App1 through App6; y-axis 0.00 to 60.00]
But there are 1,000s of apps: do the math.

Security testing during definition and design: Assessing your risk
- Answers the "so what?" question.
- Identifying threats and flaws in your design only results in better security if the flaws are mitigated to minimize the threat.
- But at what cost to the organization? What benefit?
- How do you convince management to fund mitigation efforts?

Security testing during definition and design: Risk Assessments
Information on design flaws/vulnerabilities and known threats from our threat model are often combined to estimate the likelihood and consequence of a flaw/defect resulting in significant business impact.

Consequence / Likelihood | Highly Likely  | Likely         | Unlikely
Business-critical        | High priority  | Priority       | Priority
Business concern         | High priority  | Priority       | Not a Priority
Minor or cosmetic        | Not a Priority | Not a Priority | Not a Priority

Security testing during definition and design: Risk Assessment Results
- Risks are placed in appropriate categories based upon understood consequence and likelihood of occurrence.
- Consequence depends upon your business and market.
- Likelihood depends upon your risks and threats.
Highly Likely Bus...