The Roles of Software Testing & QA in Security Testing
Hung Q. Nguyen, LogiGear, President and CEO
Bob Johnson, Independent Security Consultant
ASQ-SSQA Presentation, May 14, 2002
© 2002 LogiGear Corporation. All rights reserved.

Objective
   To jump start your security testing program for Web sites and Web applications by offering
     – An overview on testing for Web site and Web application security
     – A perspective on the roles and responsibilities of software testing and QA in the security testing effort
     – A forum for other professionals to share their thoughts on this topic

Security Overview
• Whom are we protecting?
     – Ourselves
     – The people with whom we are doing business
     … or
     – The owners of computer systems
     – The users of those systems

Security Overview
• What are we protecting?
     – Data
            • Transaction data, user data, information resources, confidential business intelligence, etc.
     – Intellectual property
            • Products, source code, software, hardware, etc.
     – Resources
            • Network resources, computing resources, etc.

Security Overview
• Who are the attackers?
     – Black-hat hackers
     – White-hat hackers
     – Gray-hat hackers

Security Overview
• Why do attackers hack computer systems?
     – To steal
     – To disrupt activities by putting the system out of commission
     – To embarrass by altering the behavior of the system
     – To play a game

Security Overview
• The goals
     – Security effort is an ongoing process of change, test, and improvement. Because it's impossible to have a perfectly secure system, the goal is to figure out the level of protection that is secure enough for an organization's needs.
            • "Good enough," as narrowly defined, means that the security solutions will cost significantly less than the damage caused by a security breach.
            • At the same time, the ideal solutions are ones that deter persistent intruders by making penetrating the system so difficult and time-consuming that the reward is not worthwhile even when their efforts succeed.

Security Overview
• What are the possible damages?
     – Most of the damages, although not limited to these, are financial losses, including:
            • Sales losses
            • Property losses
            • Productivity losses
            • Litigation costs
            • Publicity costs

Security Overview
• The big questions
     – What risks are we willing to take in enduring the possible damages?
     – How much funding are we willing to commit to minimize our risks?
     – What is the objective and budget allocated for testing Web site and Web application security?

Security Overview
• What are the targets that need security protection?
     – Data
     – Host
     – Network/Intranet
     – Perimeter
• …and additional focus on
     – Internet
     – Application
Common Vulnerabilities
• Interesting to software testing
     – Information leaks
            • Examples include sensitive information in HTML pages, error messages, and public databases and forums
     – Back doors
            • For example, enabling a logging routine that bypasses authentication, or untested debugging routines left in production releases
     – Buffer overflows
            • Errors might exist in production code, test and debugging code, or third-party code

Common Vulnerabilities
• Interesting to software testing
     – Cookies
            • Examples include cookies containing an ID and password, account number, credit card number, or other sensitive information.
            • By changing the values, or "poisoning" the cookie, attackers can gain access to accounts that are not theirs or to unauthorized information.
            • Stealing the cookie altogether might allow attackers to gain access without having to enter an ID and password or pass any other method of authentication.
     – Bad data
            • Incoming data can't be trusted

Common Vulnerabilities
• Interesting to software testing
     – JavaScript
            • For example, client-side checking can be bypassed
            • Cross-site scripting issues
     – CGI
            • For example, manipulating parameters to instruct a CGI program to e-mail an ID and password file to any user
     – Java
            • How safe?
     – ActiveX
            • Can it make function calls to other DLLs?
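The cookie slide above warns against cookies that carry the account number itself, and the next slide adds that client-side checks and incoming data cannot be trusted. The following example is added here and is not part of the original presentation: it contrasts the weak cookie design with a hardened one in which the cookie carries only a random, HMAC-signed session id that the server resolves through its own session table. `SERVER_KEY`, `SESSIONS`, and all function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server secret (constructed for the demo; load from a secret store in practice).
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Server-side session table: opaque session id -> account number.
SESSIONS: Dict[str, str] = {}

def weak_cookie(account_number: str) -> str:
    """The design the slide warns about: the cookie carries the account number
    itself, so editing the value is all it takes to 'poison' it."""
    return f"account={account_number}"

def sign(value: str) -> str:
    """Append an HMAC-SHA256 tag so any edit to the value is detected."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify(cookie: str) -> Optional[str]:
    """Return the signed value if its tag checks out, else None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return value if hmac.compare_digest(expected, tag) else None

def start_session(account_number: str) -> str:
    """Hardened design: the cookie holds only a random, signed session id."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = account_number
    return sign(session_id)

def account_for(cookie: str) -> Optional[str]:
    """Resolve a cookie to an account; None if tampered, forged, or unknown."""
    session_id = verify(cookie)
    if session_id is None:
        return None
    return SESSIONS.get(session_id)
```

A tester can exercise this the way the slides suggest: edit one character of the cookie value or its tag, or present a well-formed cookie for a session the server never issued, and confirm the server refuses all three.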
Common Vulnerabilities
• Mildly interesting to software testing
     – Physical attacks
     – Denial-of-service attacks
     – Spoofing attacks
     – Virus and worm attacks
     – Trojan horse attacks
• For more information
     – www.QACity.com
     – Sample tool list: www.insecure.org

Testing and QA Focus
• Testing for Web site and Web application security at the application level
• Testing for vulnerabilities and information leaks due primarily to programming practice and, to a certain extent, to misconfiguration of Web servers and other application-specific servers
• Test for security side effects
• Test for functionality side effects

Testing and QA Focus
• What can we learn from the attacking process?
     – Information gathering?
     – Checking out the system?
     – Cracking the system?
• What are our objectives?
     – Prevention: Help seek out vulnerabilities and the various means to exploit them so they can be fixed.
     – Detection: Help determine the information that should be logged and the mechanisms to track, alert on, and trap suspicious activities.
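The Detection objective above asks testers to help decide what gets logged and how suspicious activity is tracked and alerted on. As an added example that is not part of the original presentation, the following block runs two simple detections over a constructed application log: repeated failed logins from one client, and repeated invalid cookie signatures from one client (the tampering case from the Common Vulnerabilities slides). The log format, client addresses, and alert thresholds are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from typing import Dict, List
# Constructed sample application log (not from the slides): one line per
# request in a simplified "timestamp client status message" format.
SAMPLE_LOG = """\
2002-05-14T10:00:01 10.0.0.5 200 login ok user=alice
2002-05-14T10:00:03 10.0.0.9 401 login failed user=alice
2002-05-14T10:00:04 10.0.0.9 401 login failed user=alice
2002-05-14T10:00:05 10.0.0.9 401 login failed user=alice
2002-05-14T10:00:06 10.0.0.9 401 login failed user=alice
2002-05-14T10:00:09 10.0.0.7 403 cookie signature invalid
2002-05-14T10:00:10 10.0.0.7 403 cookie signature invalid
2002-05-14T10:00:11 10.0.0.7 403 cookie signature invalid
2002-05-14T10:00:12 10.0.0.5 200 account view user=alice
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (.*)$")

# Alert thresholds are assumptions for the demo, not figures from the slides.
FAILED_LOGIN_LIMIT = 4
BAD_COOKIE_LIMIT = 3

def parse(log: str) -> List[dict]:
    """Turn log text into event dicts; lines that don't match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, status, msg = m.groups()
            events.append({"ts": ts, "client": client, "status": int(status), "msg": msg})
    return events

def find_suspicious(events: List[dict]) -> Dict[str, List[str]]:
    """Return client -> alert reasons for clients over either threshold."""
    failed_logins: Dict[str, int] = defaultdict(int)
    bad_cookies: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["status"] == 401 and e["msg"].startswith("login failed"):
            failed_logins[e["client"]] += 1
        elif e["status"] == 403 and "cookie signature invalid" in e["msg"]:
            bad_cookies[e["client"]] += 1
    alerts: Dict[str, List[str]] = defaultdict(list)
    for client, n in failed_logins.items():
        if n >= FAILED_LOGIN_LIMIT:
            alerts[client].append(f"{n} failed logins (possible password guessing)")
    for client, n in bad_cookies.items():
        if n >= BAD_COOKIE_LIMIT:
            alerts[client].append(f"{n} invalid cookie signatures (possible tampering)")
    return dict(alerts)
```

The point for testers is that neither detection is possible unless the application logs the client address, the outcome, and a reason for each refusal; checking that those fields are present is a test task in its own right.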
Testing and QA Focus
• What can we learn from the physical world and the digital world?
     – In the physical universe, redundancy such as having additional locks, a security guard sitting by the door, or a badge reader can increase security.
     – In the digital universe, redundancy increases complexity and might create additional vulnerabilities. Often, small utility programs surrounded by many layers of protection provide the security holes that compromise the entire system.

Testing Web Site/Application Security
• Testing the requirements and designs
• Testing the code and programming practices
• Testing interoperability with third-party components, with specific focus on known vulnerabilities
• Testing for misconfiguration
• Testing the deployment
• Penetration testing

The Challenges We Face
• Outlining a clear division of responsibilities with the IT and software development staff in testing for security
• Getting adequate resources and support to carry out the testing tasks
• Keeping up with new technologies and the vulnerabilities they bring
• Developing and maintaining, on an ongoing basis, a knowledge base of common test techniques for sharing
• Keeping up with the available tools and their applicability and usefulness in supporting software security testing

More Information for Testers

Software Testing and QA Roles
• Open discussion
     – Are we focusing on the right tasks?
     – Should we do more?
     – Should we do less?
     – Any testing techniques you would like to share?
     – Any other thoughts you would like to share?

About LogiGear® Corporation
LogiGear Corporation is the first Silicon Valley-based software testing company to offer a full range of solutions to advance individual and organizational excellence in software testing. LogiGear offerings include in-depth technical and management expertise in software quality engineering; comprehensive advanced test engineering such as Action Based Testing™, a structured approach to testing and test automation; outsourced testing solutions; a skill-based training curriculum for software testing professionals through LogiGear University; and world-class testing support products including TRACKGEAR, a Web-based defect management solution.
www.LogiGear.com