Олексій Барановський “Vulnerability assessment as part of the software testing process”
1. Vulnerability assessment as part of
software testing process
Oleksii Baranovskyi, Ph.D.
CEH, CHFI, CVA, ECIH, CND
2. Vulnerability assessment is the process
of identifying, quantifying and ranking
the vulnerabilities in software or a system.
WTF?
Vulnerability Assessment
5. Software Development Life Cycle
// Where do vulnerabilities begin? //
// What is a vulnerability? //
// Where does vulnerability assessment sit, and
why is it not security testing? //
6. Types of Vulnerabilities
Technical
Technical vulnerabilities originate from the
technical content of the software. This can be
affected by the programming language used, the
development practices, the frameworks, the type of
database used, the structure of the database and THE
RADIUS OF CURVATURE OF THE DEVELOPER'S HANDS!
Logical
Logical vulnerabilities are problems in the logic of
the software rather than problems in the source code.
Logical vulnerabilities can be just as devastating for
software or a system.
This type of vulnerability depends on the client
requirements, the architecture and THE IQ OF BOTH
OF THEM!
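The technical/logical split above is easiest to see side by side. The following is an added example, not code from the slides: a constructed in-memory user table, a technical defect (the code itself is wrong: input spliced into SQL text) beside its parameterised fix, and a logical defect (the code is clean, but the requirement "only admins may delete accounts" was never turned into a check) beside its fix. All names and data are assumptions made for the demo.

```python
import sqlite3

# Constructed demo data, not from the slides: a tiny in-memory user table.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    return con

# TECHNICAL vulnerability: the defect lives in the source code. Input is spliced
# into the SQL text, so a quote in ordinary data changes the query's structure.
def find_user_technical(con, name):
    return con.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()

# Technical fix: a parameterised query keeps data and code separate.
def find_user_fixed(con, name):
    return con.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# LOGICAL vulnerability: clean, parameterised code, yet the requirement
# "only admins may delete accounts" never became a check, so any caller succeeds.
def delete_user_logical(con, actor, target):
    cur = con.execute("DELETE FROM users WHERE name = ?", (target,))
    return cur.rowcount

# Logical fix: encode the requirement as an authorization check on the actor.
def delete_user_fixed(con, actor, target):
    row = con.execute("SELECT role FROM users WHERE name = ?", (actor,)).fetchone()
    if row is None or row[0] != "admin":
        raise PermissionError(f"{actor} may not delete accounts")
    cur = con.execute("DELETE FROM users WHERE name = ?", (target,))
    return cur.rowcount

# Harness the reader can run: reports whether each defect shows up and each fix holds.
def demo():
    results = {}
    con = make_db()
    try:
        find_user_technical(con, "O'Brien")
        results["technical_broken"] = False
    except sqlite3.OperationalError:   # the quote broke the query: a code defect
        results["technical_broken"] = True
    results["technical_fixed"] = find_user_fixed(con, "O'Brien") == [("O'Brien", "user")]
    results["logical_broken"] = delete_user_logical(con, "bob", "alice") == 1
    con = make_db()
    try:
        delete_user_fixed(con, "bob", "alice")
        results["logical_fixed"] = False
    except PermissionError:            # the missing requirement is now enforced
        results["logical_fixed"] = True
    return results
```

Note that a scanner or fuzzer can flag the technical defect from the code alone, while the logical one is only visible against the requirements, which is why the slides tie logical vulnerabilities to client requirements and architecture.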
10. Types of Security Requirements – where is our job?
Secure Functional Requirements
Functional Security Requirements
Secure Development Requirements
Non-Functional Security Requirements
11. Vulnerability Assessment Actions
1 Automated Security Testing: Vulnerability Scanners, Attack
Proxies, Fuzzers – Full Test Coverage
2 Manual Security Testing: Hacking approaches and tools – If
you have the resources, time and fun!
3 Security Checklist Test: Boring But Needed Compliance
4 Prioritization: Complexity of Detection,
Technical Impact and Intuition
5 Reporting: According to your rules
12. Software Development Models – how to implement
Vulnerability Assessment?
Waterfall, Agile, Iterative, Incremental, Prototype, Spiral
13. Vulnerability Assessment in Agile
Security Sprint Approach
• A dedicated sprint focusing on application
security.
• The stories implemented are security related.
• Code is reviewed.
• Stories may include:
  • Input validation story,
  • Logging story,
  • Authentication story,
  • Authorization story,
  • Etc.
Every Sprint Approach
• Consists of the requirements and stories
essential to security.
• Standard requirements (OWASP/SANS
etc.)
• No software should ever be released
without the requirements being met.
• A sprint is two weeks or two months long.
• Every security requirement in the every-sprint
category must be completed in each and every
sprint, or the sprint is deemed incomplete and
the software cannot be released.