Jeff Payne, Coveros, Inc.
Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyber terrorism, and software quality. http://starcanada.techwell.com/sme-profiles/jeff-payne
Copyright 2013 Coveros Corporation. All rights reserved.
for Test Professional
Areas of Expertise
Coveros helps organizations accelerate the delivery of secure, reliable software.
Our consulting services: Agile software development, Software quality assurance, Software process improvement
Our key markets: Financial services
Introduction to Security Testing: Information security, Software security, Risk assessment, Security testing
Security Requirements & Planning: Functional security requirements, Non-functional security requirements, Test planning
Testing for Common Attacks
Integrating Security Testing into the Software Process
Jeffery Payne
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that
helps organizations accelerate the delivery of secure, reliable software. Coveros
uses agile development methods and a proven software assurance framework to
build security and quality into software from the ground up. Prior to founding
Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc.
Under his direction, Cigital became a leader in software security and software
quality solutions, helping clients mitigate the risk of software failure. Jeffery is a
recognized software expert and popular speaker at both business and technology
conferences on a variety of software quality, security, and agile development
topics. He has also testified before Congress on issues of national importance,
including intellectual property rights, cyber-terrorism, software research funding,
and software quality.
Introduction to Security Testing
What is Information Security?
When you hear the term Information Security or
What do you think it means?
What comes to mind?
Definition of Information Security
Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The key concepts of Information Security include: Confidentiality, Integrity, and Availability (the C, I, A principles referred to in the risk assessment questions below).
The Software Security Problem
Our IT systems are not castles any longer!
Why Software Security is Important
How to Define Security Risk in Software
Common Security Nomenclature
Risk: a possible future event which, if it occurs, will lead to an
Threat: a potential cause of an undesirable outcome
Asset: data, an application, a network, a physical location, etc. that a threat may wish to access, steal, destroy, or deny others access to
Vulnerability: any weakness, administrative process, or act of physical exposure that makes an information asset susceptible to exploit by a threat
Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior on computer software, hardware, or something electronic
Attack: the approach taken by a threat to exploit a vulnerability (e.g., denial of service, spoofing, tampering, escalation of privilege)
A risk assessment is commonly carried out by a team of people who have subject area knowledge of the business and product. Members of the team provide a qualitative analysis, based on informed opinion, of the threats; that analysis is later used as input to a more quantitative analysis.
The team should also define what amount of risk the organization can accept. We assume we can't identify all risks or eliminate all of them; the risk that remains is often referred to as residual risk.
Break into teams of 2-3 people.
Each team will identify potential threats to a software application described on the next slide.
Who would want to compromise this application?
What assets would they be after if they did?
Once each threat is identified, provide impact and likelihood ratings (High, Medium, Low) for each threat.
Justify your answers
Exercise Time Limit: 15 Minutes
Your company, SecureTelco, has developed an instant messaging program, SecureChat, for private use in customers' homes and for companies and government agencies.
SecureChat requires users to sign up for an account prior to using the system. After authenticating with a username and password, each user can message other users and expect their conversations to be private.
Users have the ability to add/remove friends from their contact list, search for friends based on their email, block users from IMing them, and become invisible to all users on demand.
Message archives and activity logs document user behavior and can be retrieved by the user through the application or by a SecureTelco Administrator through the administrative console.
Risk Assessment Questions
Business / Mission Motivation
What is the importance/criticality of the system?
What assets exist in the system?
What is the impact if the C, I, A principles are violated?
User Capabilities and Exposure
How is access different for user roles?
What operations can be performed by each type of user?
Why might someone attack the system?
Who might want to attack? (insiders, outsiders)
What might attackers accomplish?
What's the cost of failure?
Threats to system
Assets of interest
Security Testing is testing used to determine whether an information system protects its data from its threats.
Security Testing is not a silver bullet for your enterprise
security. Security Testing doesn't fix your security, it only
makes you aware of it. Security must be built into your
A sound Security Testing process performs testing activities:
Before development begins
During requirements definition and software design
During maintenance and operations
Why is it important?
Provides a level of confidence that your system performs securely within specifications.
Security Testing is a preventative way to find small issues before they become big, expensive ones.
The 2007 CSI Computer Crime and Security Survey performed an analysis of the average cost of a web security breach. The average loss reported in the survey was $350,424.
Security Testing ensures that people in your organization understand and obey security policies.
If involved right from the first phase of the system development life cycle, security testing can help eliminate flaws in the design and implementation of the system.
Major goals of security testing
Test the security features of a system
Test the security properties of a system
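The distinction between testing a security feature and testing a security property, and the earlier definition of security testing as checking whether a system protects its data from its threats, can be made concrete against the SecureChat application from the exercise. The following is an added example, not code from the slides or from Coveros: it is a constructed in-memory model of SecureChat (accounts, login, messaging, blocking, invisibility, and archives readable only by their owner or an administrator), with a feature test for each of two security features and a property test that checks message confidentiality across every pair of users. All class names, method names and sample accounts are assumptions made for this illustration.

```python
"""Added example (constructed, not from the original slides): a toy SecureChat
model with feature tests and a confidentiality property test."""
from dataclasses import dataclass, field
import itertools


class AccessDenied(Exception):
    """Raised when the model refuses an operation."""


@dataclass
class SecureChat:
    """Minimal in-memory stand-in for the SecureChat server (constructed here)."""
    accounts: dict = field(default_factory=dict)  # username -> password
    admins: set = field(default_factory=set)
    blocked: dict = field(default_factory=dict)   # user -> set of users they blocked
    invisible: set = field(default_factory=set)
    archive: dict = field(default_factory=dict)   # user -> [(sender, text), ...]

    def register(self, user, password, admin=False):
        self.accounts[user] = password
        self.blocked[user] = set()
        self.archive[user] = []
        if admin:
            self.admins.add(user)

    def login(self, user, password):
        # A "session" is simply the authenticated username in this toy model.
        if self.accounts.get(user) != password:
            raise AccessDenied("bad credentials")
        return user

    def send(self, session, recipient, text):
        # Security feature: a recipient's block list is enforced on delivery.
        if session in self.blocked[recipient]:
            raise AccessDenied("recipient has blocked this sender")
        self.archive[session].append((session, text))
        self.archive[recipient].append((session, text))

    def block(self, session, other):
        self.blocked[session].add(other)

    def set_invisible(self, session, on=True):
        if on:
            self.invisible.add(session)
        else:
            self.invisible.discard(session)

    def search(self, session, user):
        # Security feature: invisible users are not discoverable by search.
        return user in self.accounts and user not in self.invisible

    def read_archive(self, session, owner):
        # Authorization check: only the owner or an administrator may read an archive.
        if session != owner and session not in self.admins:
            raise AccessDenied("not the owner or an administrator")
        return list(self.archive[owner])


class LeakyChat(SecureChat):
    """Deliberately flawed variant (constructed): the archive check was forgotten."""
    def read_archive(self, session, owner):
        return list(self.archive[owner])


def build_fixture(cls=SecureChat):
    chat = cls()
    for user in ("alice", "bob", "mallory"):   # constructed sample accounts
        chat.register(user, user + "-pw")
    chat.register("admin", "admin-pw", admin=True)
    return chat


def test_block_feature():
    """Feature test: a blocked user's messages are rejected."""
    chat = build_fixture()
    chat.block(chat.login("bob", "bob-pw"), "mallory")
    mallory = chat.login("mallory", "mallory-pw")
    try:
        chat.send(mallory, "bob", "hi")
    except AccessDenied:
        return True
    return False


def test_invisible_feature():
    """Feature test: an invisible user is hidden from search and reappears when visible."""
    chat = build_fixture()
    alice = chat.login("alice", "alice-pw")
    bob = chat.login("bob", "bob-pw")
    chat.set_invisible(alice)
    hidden = not chat.search(bob, "alice")
    chat.set_invisible(alice, on=False)
    return hidden and chat.search(bob, "alice")


def confidentiality_holds(cls=SecureChat):
    """Property test: for every ordered pair of non-admin users, reading the other
    user's archive is refused, while owner and administrator reads still succeed."""
    chat = build_fixture(cls)
    chat.send(chat.login("alice", "alice-pw"), "bob", "private message")
    users = [u for u in chat.accounts if u not in chat.admins]
    for reader, owner in itertools.permutations(users, 2):
        try:
            chat.read_archive(chat.login(reader, reader + "-pw"), owner)
            return False   # a cross-user read was allowed: the property is violated
        except AccessDenied:
            pass
    expected = [("alice", "private message")]
    owner_ok = chat.read_archive(chat.login("bob", "bob-pw"), "bob") == expected
    admin_ok = chat.read_archive(chat.login("admin", "admin-pw"), "alice") == expected
    return owner_ok and admin_ok


if __name__ == "__main__":
    print(test_block_feature(), test_invisible_feature(),
          confidentiality_holds(), confidentiality_holds(LeakyChat))
```

The two feature tests exercise one control each (blocking, invisibility) exactly as a functional requirement would describe it. The property test instead quantifies over all user pairs and asserts something about the system as a whole, which is why it catches the `LeakyChat` variant: that class still has every feature the requirements list, yet it fails the confidentiality property the risk assessment cares about.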