Олексій Барановський “Vulnerability assessment as part software testing process”
•
0 likes•59 views
Олексій Барановський “Vulnerability assessment as part software testing process”
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Олексій Барановський “Vulnerability assessment as part software testing process”
Similar to Олексій Барановський “Vulnerability assessment as part software testing process” (20)
More from Dakiry
More from Dakiry (20)
Recently uploaded
Recently uploaded (20)
Олексій Барановський “Vulnerability assessment as part software testing process”
- 1. Vulnerability assessment as part of software testing process Oleksii Baranovskyi, Ph.D. CEH, CHFI, CVA, ECIH, CND
- 2. Vulnerability assessment is the process of identifying, quantifying and ranking the vulnerabilities in software or system. WTF? VulnerabilityAssessment
- 3. For what?
- 4. “ What are your guarantees?“ © Client 1 Reason – Guarantees! “ How can I be sure about security?“ © Client 2 “ Can you guarantee that your software will not be hacked?“ © Client 3
- 5. Software Development Life Cycle // Where vulnerabilities begins?// // What is vulnerability? // // Where vulnerability assessment and why it’s not security testing? //
- 6. Types of Vulnerabilities Technical Technical Vulnerabilities originate from the technical content of the software. This can be affected by the developing language used, the development practices, frameworks, type of database used, structure of the database and RADIUS OF DEVELOPER HANDS CURVATURE! Logical Logical vulnerabilities are problems in the logic of the software rather than a problem in the source code. Logical vulnerabilities can be just as devastating for a software or system. This type of vulnerabilities depends from client requirements, architecture and IQ BOTH OF THEM!
- 8. And where is our job?
- 9. Types of Security Requirements Immunity Requirements Integrity Requirements Intrusion Detection Requirements Nonrepudiation Requirements Privacy Requirements SecurityAuditing Requirements Identification Requirements Authentication Requirements Authorization Requirements Survivability Requirements Physical Protection Requirements System Maintenance Security Requirements
- 10. Types of Security Requirements – where is our job? Secure Functional Requirements Functional Security Requirements Secure Development Requirements Non-Functional Security Requirements
- 11. VulnerabilityAssessment Actions 1 Automated Security Testing Vulnerability Scanners, Attack Proxies, Fuzzers – Full Test Cover 2 Manual Security Testing Hacking approaches and tools – If you have a resources, time and fun! 3 Security Checklist Test Boring But Needed Compliance 4 Prioritization Complexity of Detection, Technical Impact and Intuition 5 Reporting According to your rules
- 12. Software Development Models – how to implement VulnerabilityAssessment? Waterfall Agile Iterative Incremental PrototypeSpiral
- 13. VulnerabilityAssessment in Agile Security Sprint Approach • Dedicated sprint focusing on application security. • Stories implemented are security related. • Code is reviewed. • Stories may include: • Input validation story, • Logging story, • Authentication story, • Authorization • Etc. Every Sprint Approach • Consists of the requirements and stories essential to security. • Standard Requirements (OWASP/SANS etc.) • No software should ever be released without requirements being met. • Sprint is two weeks or two months long. • Every security requirement in the every- Sprint category must be completed in each and every Sprint. • Or the Sprint is deemed incomplete, and the software cannot be released.
- 14. Who will? SecurityAmbassador VS Application Security Team
- 15. Thanks a lot! Questions? Oleksii Baranovskyi alexey.baranovskiy@gmail.com https://www.linkedin.com/in/oleksiibaranovskyi/