This document discusses bringing a hacker mindset to requirements and testing for application security. It begins by highlighting statistics showing the poor state of application security and vulnerabilities. The document then contrasts producer and consumer views of quality, and explains why security requirements are difficult by nature. It provides examples of threat modeling and negative testing techniques that can help requirements analysts and testers think like hackers to identify vulnerabilities. The presentation calls for adopting these adversarial techniques to improve application security.
Security testing is a huge topic. In this talk, Ken will discuss his experience working for small companies where security testing is a requirement, but often gets overlooked. Ken will explore some of the basic things a tester should know about web application security, such as the resources available from OWASP. As part of this talk, Ken will live demo the following tools:
OWASP Zed Attack Proxy
Microsoft Threat Modeling Tool
Wireshark / tcpdump
sqlmap (SQL exploitation tool)
Attendees will take away:
A quick overview of some tools that you can use on a daily basis today
Resources to learn more about security testing
Ways of practicing it in a safe environment
Digital transformation continues to drive IT strategy, How is QA and testing ... - QA or the Highway
Organizations under pressure to deploy new digital products and services are finding it tough to strike a balance between quality and speed of development, particularly when it comes to deploying IoT technology. This year’s share of the IT budget devoted to quality assurance (QA) and Testing has dropped to 31% after a significant and worrying increase from 18% to 35% during the preceding four years. Despite this year’s reduction, there is an overall prediction that spending will increase to 40% in 2019. Attendees will learn about:
Digital Transformation
IoT and Security
Agile and DevOps
Industrialization and TCoE
Test Environments and Test Data Management
QA and Test Budgets, and the recommendations for QA to act on
In Agile's fast-paced environment with frequent releases, security reviews and testing can sound like an impediment to success. How can you keep up with Agile development's demands of continuous integration and deployment without abandoning security best practices? These 10 steps will help you get the best of both worlds.
Webcast Presentation: Accelerate Continuous Delivery with Development Testing... - GRUC
With organizations under intense pressure to get products out to market quickly, they can’t afford to operate within operational silos. Yet communicating and collaborating across the organizational boundaries of QA and development can be difficult. Development is typically a black box to QA teams. QA has no visibility into the quality and security of the code until late in the lifecycle.
Watch this recorded webcast to learn how to break down the barriers and improve visibility and transparency by integrating development testing results into the IBM Rational Team Concert and providing QA and development with a unified workflow for ensuring code quality. Explore different development testing techniques and the types of defects and security vulnerabilities they can find.
About the Presenter:
James Croall, Director of Product Management, Coverity
Over the last 8 years, James Croall has helped a wide range of customers incorporate static analysis into their software development lifecycle. Prior to Coverity, Mr. Croall spent 10 years in the computer and network security industry as a C/C++ and Java software engineer.
Even though Healthcare applications are a primary target for cyber-attacks, a new study from IDG Research reveals that sixty percent of internally developed applications are not assessed for critical security vulnerabilities such as SQL Injection and Cross-Site Scripting. IT leaders expect the number of healthcare applications to increase as organizations increasingly rely on software innovation. How will healthcare application security teams close this gap?
Driving Risks Out of Embedded Automotive Software - Parasoft
Automobiles are becoming the ultimate mobile computer. Popular models have as many as 100 Electronic Control Units (ECUs), while high-end models push 200 ECUs. Those processors run hundreds of millions of lines of code written by the OEMs’ teams and external contractors—often for black-box assemblies. Modern cars also have increasingly sophisticated high-bandwidth internal networks and unprecedented external connectivity. Considering that no code is 100% error-free, these factors point to an unprecedented need to manage the risks of failure—including protecting life and property, avoiding costly recalls, and reducing the risk of ruinous lawsuits.
Presentation on the risks present in the supply chain for software given at the Supply Chain Risk Management Symposium on Jan 15, 2015 in Arlington VA. Contains a brief introduction on how one might approach reducing the risks.
UNIT-I
Review of Software Engineering: Overview of software evolution, SDLC, Testing Process, Terminologies in Testing: Error, Fault, Failure, Verification, Validation, Difference between Verification and Validation, Test Cases, Testing Suite, Test Oracles, Impracticality of Testing All Data; Impracticality of Testing All Paths. Verification: Verification methods, SRS verification, Source code reviews, User documentation verification, and Software project audit, Tailoring Software Quality Assurance Program by Reviews, Walkthrough, Inspection, and Configuration Audits.
UNIT-II (8)
Functional Testing: Boundary Value Analysis, Equivalence Class Testing, Decision Table Based Testing, Cause Effect Graphing Technique. Structural Testing: Control flow testing, Path testing, Independent paths, Generation of graph from program, Identification of independent paths, Cyclomatic Complexity, Data Flow Testing, Mutation Testing.
UNIT-III (8)
Regression Testing: What is Regression Testing? Regression Test cases selection, reducing the number of test cases, Code coverage prioritization technique. Reducing the number of test cases: Prioritization guidelines, Priority category, Scheme, Risk Analysis.
Overview of the challenges faced during risk assessment of applications and their vulnerabilities, followed by a demonstration of the OWASP Risk Rating Methodology as a way to address this problem.
I presented on this topic at the ISC2 Delhi meet in September 2013.
Accelerating Innovation with Software Supply Chain Management - Sonatype
We are going to compare building cars with building software. What we are going to realize is that the car industry is leaps ahead of the software industry in managing its supply chain, so the question is: what can we learn from them? We will explore whether closely managing our supply chain has benefits in the software industry.
The FDA recommends implementing a coding standard during medical device software development. In practice, this means running a static analysis tool to detect any problematic constructs that could lead to problems down the road. But if you think you can simply download an analyzer and go, you might consider that the FDA requires documented details associated with code quality activities. What standard are you going to check against? What rules in the analyzer cover the standard? Which rules are you suppressing? The implementation of static analysis is enough to cause headaches, gastrointestinal discomfort, and other side-effects. In these webinar slides, we’ll prescribe some static analysis implementation best practices to relieve your FDA compliance symptoms, including:
• The benefits of static analysis and what to look for in an analyzer
• How to automate static analysis execution
• How to integrate static analysis within your software development processes.
• How to reduce noise and stop wasting time manually triaging results
[Webinar] The Art & Value of Bug Bounty Programs - bugcrowd
Her TED talk on the power of bug bounties has over a million views. On May 20, 2015, cybersecurity expert Keren Elazari joined Bugcrowd for an exclusive webinar. We did some bug bounty myth busting and trend spotting and had a great turnout. Keren's slides are here.
View this ondemand webinar here: https://pages.bugcrowd.com/7-bug-bounty-myths-busted-ondemand-webinar
About the content:
Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about these in the cybersecurity community. In this recorded webinar we will explore 7 myths about Bug Bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world.
After viewing this presentation and ondemand webinar you will:
1. Learn if a bug bounty program is right for your organization
2. Understand if a bug bounty encourages hackers to attack your systems
3. Explore the real benefits of bug bounty programs – and find out if they actually work
4. Get insight on whether these programs are too hard and costly to manage
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance - Sonatype
Recent revisions to the Payment Card Industry (PCI) guidelines now require organizations to address potential vulnerabilities caused by use of open source components in their applications.
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa... - Sonatype
For the most part, modern software is assembled, not written. More than 90 percent of a typical software application is comprised of third party components, most of which are open source. Custom business logic comprises the remaining 10 percent. This massive reliance on open source components has created new challenges for managing software security, quality and intellectual property. Organizations who rely on custom software are increasingly seeking visibility and control to manage risk and maximize benefit. But to properly manage open source components, you must know as much as possible about them—starting with precisely identifying them. Security, quality and licensing information is of little use if you haven't precisely identified the component you are using. And, without both accurate and actionable component information, developers are not able to make the right component selection from the start. This paper addresses the pros and cons of various methods used in open source risk management/governance/logistics solutions and how they impact your efficiency and accuracy.
Supply Chain Solutions for Modern Software Development - Sonatype
The concepts of supply chain management, the industrial revolution and the transformation of software development with open source are all tied together in this talk by Brian Fox, VP of Product Management, during the January 2015 Long Island OWASP user group meetup.
Solving for Compliance: Mobile app security for banking and financial services - NowSecure
Mobile apps fall in scope for a number of regulatory requirements that govern the banking and financial services industries, such as: guidelines from the Federal Financial Institutions Examination Council (FFIEC), the Gramm–Leach–Bliley Act (GLBA), New York State cybersecurity requirements for financial services companies, the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act, and more. Luckily, a repeatable mobile app security assessment program and standardized reporting go a long way in both achieving compliance objectives and securing mobile apps and data.
Originally presented on August 22, 2017, NowSecure Security Solutions Engineer Brian Lawrence explains:
-- How and where exactly mobile apps fall in scope for various compliance regimes
-- Mobile app security issues financial institutions must identify and fix for compliance purposes
-- How assessment reports can be used to demonstrate due diligence
As presented via webinar.
The Open Source 360 survey is in its 11th year and surveyed over 800 IT professionals about their use of open source components and technologies. In prior years, this survey was known as the Future Of Open Source.
Key takeaways include:
- Open Source usage is growing within global organizations
- Organizations recognize risks of consumption exist
- Tooling to keep pace with risks is limited
- Contributions to project communities are key to success
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program - bugcrowd
This webcast will analyze the key differences between the penetration testing and bug bounty models and explore why one company replaced their pen tests over the last three years.
Lawyers and Licenses in Open Source-based Development: How to Protect Your So... - Sonatype
You can build better software faster with Open Source Software (OSS) components, but you must ensure that your organization meets component-licensing terms. Violating the terms of an open source license is copyright or intellectual property infringement and can lead to legal and financial penalties. This white paper explains why certain types of open source licenses create legal risk and describes win-win methods for avoiding risk that give lawyers the confidence they need while giving developers the speed they need.
Find out more about the latest trends in software testing in 2017. These webinar slides on "Future Of Testing" give insights into the new technologies and innovations that will shape the QA industry.
At some point, some people decided to give “error”, “defect” and “bug” slightly different meanings for a slightly more detailed context. For some time now, some folks have been trying to do the same with “testing” and “checking”. Let me attempt to share that point of view and together, let’s see if our perspective changes...
If you work in the field of testing/QA then it is likely that you have encountered test automation in one form or another. Maybe you have embraced it and have gained expertise. Or maybe you’ve avoided it because you’re hoping it’s a fad that will fade away. I’m guessing most of you would like to learn it but don’t know where to start.
My goal is simple: to demystify the subject by taking a novice tester with no coding experience through the process of writing a simple automated test using the Page Object framework in Ruby/Cucumber. I will take a volunteer from the audience and transform that person from an ordinary QA professional (or whatever their occupation) into an automation engineer in one short hour.
Don’t be afraid; the code will not bite. Much.
Test automation has become a critical part of most testing efforts. When a highly trained team is creating and maintaining a powerful test automation framework, and Quality is a team practice, and infrastructure teams help create a solid test environment, and database teams help build a production-like test database, each run is clean with few defects found. Unfortunately, test automation runs are almost never clean. Figuring out what went wrong can be time consuming and tedious. Did 1/2 of your tests fail because the environment is just flaky? Or are there real performance or connectivity issues which need to be addressed? The defect might be a ghost hunt as the problem might have been caused by something that will never happen again. In this presentation, Mr. Eakin will discuss how a well thought out defect triage methodology can significantly help any team member triage failed tests. A customized reporting system can also help.
Create testing commandos for creative problem solving!!! by Pradeepa Narayana... - QA or the Highway
As testers, you are truly playing the role of creative problem solver in your teams. How often are you able to turn on your creative brains easily? It's not easy! There are, however, techniques you can use to get there.
In this highly practical and fun workshop, Pradeepa Narayanaswamy will introduce attendees to a variety of simple games and techniques. Attendees will practice and take back a variety of ideas and concepts to creatively solve their testing problems. You can also use these techniques as a way to creatively collaborate with other testers and team members to create rich ideas.
Learning Outcomes:
Audience will:
Understand the usage of games being a vehicle for engaging teams towards creative problem solving
Practice these games within the session as a medium to improve collaboration and create richer ideas with their real life teams
Immediately apply these games at work to uplift their team’s capability to solve problems in a creative manner
Cucumber is a popular tool that is commonly used for writing and running functional tests that can drive the BDD (Behavior Driven Development) process on a project development team. Just as commonly, what started as a nice little garden of cukes can become overgrown and difficult to manage as a project’s life advances. This talk will cover several useful tools that can help you keep your Cucumber suites in shape.
How to deal with bad requirements of software - BugRaptors
The Software Development Life Cycle (SDLC) starts with requirement gathering and analysis of the requirements. Before requirements are frozen, a complete analysis by both the BA and QA teams is mandatory. Always remember: a bad or poorly analyzed requirement can block the road to a good software product.
Improving Test Team Throughput via Architecture by Dustin Williams - QA or the Highway
A lot of modern testing teams are built from people with some automation experience, developers, and people who think code is something used to open a safe. These diverse backgrounds bring a diverse set of ideas, but don’t always find optimal division of work. With some fairly small changes in automated test design, we can leverage the best skills of all team members to not only improve throughput, but to end up with a better overall product. These design principles help isolate truly challenging code problems and help separate the concerns of test structure and test execution. If your team has ever said (with sad faces) “We’re still automating that”, then come discover how tomorrow you can exclaim “That’s Done!”
“Automate everything you can.” This DevOps principle propels automated testing into a primary enabling position for any organization that embarks on a DevOps journey. No longer an option. No longer something we *should* do. Either we automate testing or the bright promise of DevOps will remain out of reach.
In this session, we will examine the multiple ways that automated testing is the lynchpin that enables the flow of software through the DevOps pipeline. And we will see how it changes – but does not eliminate – manual testing. (After all, “everything you can” is not everything.)
Methods for Validating and Testing Software Requirements (lecture slides) - Dagmar Monett
Online lecture at the School of Computer Science, University of Hertfordshire, Hatfield, UK, as part of the 11th Europe Week from 2nd to 6th March 2015.
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
Despite being on vulnerability “Top 10” lists for many years, application vulnerabilities such as SQL injection and Cross-Site scripting continue to be significant attack paradigms for organizational data breaches. In fact, the IBM X-Force 2013 Mid-Year Trend and Risk Report confirmed that SQL Injection (SQLi) remained the most common paradigm for attackers to breach organizational security controls. Meanwhile, Cross-Site Scripting continued to be the most common type of application vulnerability.
In this session, we review the latest trends in application and mobile security vulnerabilities, and how to combat them with improved security awareness, organizational controls and application security testing technologies. We also address how to improve application security on your organization’s mobile devices.
This slide deck highlights the continued growth and evolution of Core Security Technologies and helps introduce an entirely new product for enterprise security testing andmeasurement - CORE INSIGHT Enterprise.
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Cenzic
This slide deck denotes practical and insightful techniques for finding budget for Application Security solutions. It includes ideas for where to look, who to ask, how to speak their language, and provides proof points to make your case.
Ce rapport produit par WhiteHat en mai 2013 offre une vision pertinente des menaces web et des paramètres à prendre en compte pour assurer sécurité et disponibilité.
Application Security - Your Success Depends on itWSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
Penetration Testing is interesting and difficult work.
The main result of this work is Report. It can be used for Customer Presentation, Vulnerabilities Mitigation and Audit Compliance. Report is final proof of completed work and good overall score of Security Status.
COVID-19 free penetration tests by Pentest-Tools.comPentest-Tools.com
We offered companies free penetration tests so they could improve their security and better cope with the emerging cyberattacks.
The report covers top security issues we found and experts' recommendations to avoid attacks that disrupt businesses.
Threat modeling is an approach for analyzing the security of an application.
It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application
Threat modeling is not an approach to reviewing code, but it does complement the security code review process.
The inclusion of threat modeling in the SDLC can help to ensure that applications are being developed with security built-in from the very beginning.
How to build a highly secure fin tech applicationnimbleappgenie
Indeed, The FinTech industry is a specific sector where developing a successful mobile solution necessitates some extraordinary measures to capture clients’ loyalty. The takeaway is that a good FinTech app is more than simply an excellent companion.
Similar to Bringing the hacker mindset into requirements and testing by Eapen Thomas and Jason Petry (20)
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
2. AGENDA
How bad is our application security? Why are we so bad at securing our applications?
An example application: money transferring application
2 Views of Quality – Producer vs. Consumer
Why are security requirements so hard?
Tools to aid requirements and test analysts
Threat Models
Attack trees
Securing our applications is getting more challenging
Call to action
3. YOUR PERSONAL INFO IS PUBLIC
Source: Symantec Internet Security Threat Report
A New Zero-Day Vulnerability Was Discovered on Average Each Week in 2015
Advanced attack groups continue to profit from previously undiscovered flaws in browsers and website plugins
Over Half a Billion Personal Records Were Stolen or Lost in 2015
Major Security Vulnerabilities in Three Quarters of Popular Websites Put Us All at Risk
Web administrators still struggle to stay current on patches
4. MOBILE VULNERABILITIES ARE OFF THE CHART
Source: Symantec Internet Security Threat Report
Android users willingly downloaded over two billion malicious mobile applications last year
Source: http://www.itproportal.com/2016/02/26/smartphone-users-still-taking-cavalier-approach-mobile-security/
Nearly 25 percent of mobile apps contain at least one high-risk security flaw
An average mobile device connects to 160 different IP addresses daily
35 percent of mobile device communications are unencrypted
There is a 50 percent greater chance that games include a high-risk vulnerability than the average app.
5. SOME SCARY INDUSTRY NUMBERS
84% of cyber attacks are happening at the application layer
Source: Forbes / SAP (March 2015)
98% of applications scanned by Trustwave harbored one or more security vulnerabilities. Meanwhile, the median number of vulnerabilities was 20 - up from six the year prior.
Source: 2015 Trustwave Global Security Report
Exploiting many of these application vulnerabilities is “VERY EASY”
6. SECURITY VS FUNCTIONAL RQRMTS & TESTING
Security requirements and testing are different from functional requirements and testing.
In security testing the goal is to find out whether the system can stand up to abusers. Negative tests are critical.
Security test scenarios may not be realistic from a common user’s standpoint. Especially in web applications, attackers may interact with the application in critically different ways compared to regular users.
Anticipating and planning for these scenarios is vital for security testing.
Security requirements and testing require an adversarial, "what if" mindset, i.e., the same one hackers use to break systems.
7. EXAMPLE REQUIREMENT STORY
Cyclone Transfers – a PayPal-like service.
“As a logged in customer, I can transfer money, so that I move money from one of my accounts to another customer’s account.”
Acceptance Criteria:
The amount of money I transfer must be less than the amount of money available.
All amounts are in US Dollars.
Transfers may be for fractions of a penny.
9. WHAT IS QUALITY?
What are the two views of Quality? The producer view and the customer view.
The producer view of quality: a product is a quality product if it meets or conforms to the product requirements. This statement is usually shortened to: quality means meets requirements.
The customer view of quality: fit for use; the product or service meets the customer’s needs regardless of the requirements.
10. THE PRODUCER VIEW OF QUALITY
Ok, so, what is the problem?
We don’t have many (or any) application security requirements (this is an industry-wide problem).
To create good security requirements, the analyst should review organizational, privacy, statutory and industry requirements:
Organizational security policies and standards
Organizational privacy policies
Regulatory requirements (Sarbanes-Oxley, HIPAA etc.)
Other standards such as PCI DSS, ANSI X9 for banks etc.
What is the solution? The requirements analysts have to be creative.
11. CUSTOMER VIEW OF QUALITY
Let’s now switch to the customer view of quality.
Oops! We have a bigger problem!
To the customer, a product is a quality product if it meets the customer’s needs, regardless of whether the requirements were met.
We have to go beyond requirements (even if we have some security requirements).
For this, we definitely have to be creative; it requires an adversarial mindset.
We will talk about some resources from OWASP and other organizations that can help.
12. TESTERS HAVE TO BE CREATIVE
Test analysts should be creative in the absence of good security requirements:
Automated web application security testing tools can help
Explore & Discover – exploratory testing comes in handy
Use common sense & experience – common knowledge that comes from experience
Discussions, emails and meeting notes
Create and review the high-level test scenarios with the business
13. OWASP TOP 10
When we talk about web application vulnerabilities, we have to talk about the Open Web Application Security Project (OWASP) Top 10 vulnerabilities.
Please note: this is “a” list, not the exhaustive list of all possible web application vulnerabilities (there are hundreds of them).
14. CURE FOR MOST PROBLEMS: INPUT VALIDATION
Many vulnerabilities are exploited by injecting malicious commands/code through input forms.
TYPE
Always check the data type of the input and make sure it matches the expected data type. For example, if there is an input box which accepts numeric data and the letter ‘O’ is typed instead of the number zero, it should not be accepted.
LENGTH
Always check that the data lies within the acceptable range of lengths for the values expected. For example, a zip code field will be either 5 or 10 characters (dash included) in length. If nothing is entered, or if 11 or more characters are entered, it should not be accepted.
FORMAT
Always check that data is in a specified format. For example, dates should be in a specific format (such as MM/DD/YYYY). If it is not in the correct format, it should not be accepted.
RANGE
Always check that data lies within a specified range of values. For example, the month of a person’s date of birth should lie between 1 and 12. If it does not fall within that range, it should not be accepted.
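The four checks above, applied to the slide's own examples and to the transfer amount from the Cyclone Transfers story. This is an added example written for this page, not code from the presentation or from any real Cyclone Transfers application; the field names (zip, dob, dob_month, amount) and the submitted form values are constructed for illustration.

```python
import re
from datetime import datetime
from decimal import Decimal, InvalidOperation


def check_type_numeric(value):
    """TYPE: accept ASCII digits only. The letter O is rejected outright rather
    than being coerced; non-ASCII digits (e.g. fullwidth) are rejected too."""
    return value.isascii() and value.isdigit()


def check_length_zip(value):
    """LENGTH: a US ZIP is 5 characters, or 10 with the dash (12345-6789).
    An empty field or 11+ characters fails before any further check runs."""
    return len(value) in (5, 10)


def check_format_date(value):
    """FORMAT: exactly MM/DD/YYYY. The regex pins the shape; strptime then
    rejects impossible dates such as 02/30/1990."""
    if not re.fullmatch(r"\d{2}/\d{2}/\d{4}", value):
        return False
    try:
        datetime.strptime(value, "%m/%d/%Y")
    except ValueError:
        return False
    return True


def check_range_month(value):
    """RANGE: month of birth must be 1..12; TYPE runs first so int() is safe."""
    return check_type_numeric(value) and 1 <= int(value) <= 12


def check_transfer_amount(value, available):
    """TYPE + RANGE for the transfer story: a finite decimal (fractions of a
    penny allowed), strictly positive, and less than the available balance.
    A negative amount, NaN, Infinity or free text is rejected."""
    try:
        amount = Decimal(value)
        limit = Decimal(available)
    except InvalidOperation:
        return False
    # is_finite() first: ordering comparisons on NaN would raise.
    return amount.is_finite() and Decimal(0) < amount < limit


def validate_form(form, available):
    """Run every check on a submitted form (constructed field names); returns
    {field: True/False} so the caller can reject the request and say why."""
    zip_code = form["zip"]
    return {
        "zip": check_length_zip(zip_code)
        and check_type_numeric(zip_code.replace("-", "")),
        "dob": check_format_date(form["dob"]),
        "dob_month": check_range_month(form["dob_month"]),
        "amount": check_transfer_amount(form["amount"], available),
    }


if __name__ == "__main__":
    # Constructed submissions: one with the letter O in the zip, an impossible
    # date, month 13 and a negative transfer; one that is entirely valid.
    bad = {"zip": "4321O", "dob": "02/30/1990", "dob_month": "13", "amount": "-100"}
    good = {"zip": "43215-1234", "dob": "02/14/1990", "dob_month": "02", "amount": "10.005"}
    print(validate_form(bad, "250.00"))
    print(validate_form(good, "250.00"))
```

Each check returns a plain boolean so the same functions can back both the server-side validation and the negative tests a test analyst writes from this slide; the amount check is also the mitigation for the "enter a negative number" leaf of the attack tree later in the deck.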
15. THREAT MODELLING
“Threat modeling is about using models to find security problems.” – Adam Shostack, Threat Modeling: Designing for Security
“Coming up with a set of possible attacks you plan to protect against” – Electronic Frontier Foundation (https://ssd.eff.org/en/glossary/threat-model)
16. THREAT MODELLING EXAMPLE
There may be many Data Flow Diagrams (DFDs) for one application/process, at varying levels of detail.
17. THREAT MODELLING
Can be done with varying levels of formality, and with different focuses; the method adopted should be tailored to the specific application’s needs.
One common methodology is Microsoft’s STRIDE model.
Model: decompose the application as a data flow diagram (DFD) to drive the overall risk analysis process.
Identify: in the next step, threats to the modeled system are identified and enumerated.
Mitigate: after threats have been identified, mitigations to those threats are selected.
Validate: implement tests to validate that each threat is mitigated.
Spoofing: impersonating something or someone else
Tampering: modifying data or code
Repudiation: claiming to have not performed an action
Information Disclosure: exposing information to someone not authorized to see it
Denial of Service: denying or degrading service to users
Elevation of Privilege: gaining capabilities without proper authorization
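The Model / Identify / Mitigate / Validate loop above, carried through in code as an added example (not part of the presentation). It uses the STRIDE-per-element mapping (external entities: S and R; processes: all six; data flows: T, I, D; data stores: T, I, D, plus R when the store holds logs) to enumerate threats for a small DFD of the money transfer story. The DFD decomposition, the mitigation register and the test names in it are assumptions constructed for this example, not the authors' diagram.

```python
from collections import namedtuple

# A DFD element: kind is "entity", "process", "flow" or "store";
# holds_logs marks a data store whose contents are audit/log records.
Element = namedtuple("Element", "name kind holds_logs", defaults=(False,))

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: which threat classes apply to each kind of DFD element.
STRIDE_PER_ELEMENT = {
    "entity": "SR",
    "process": "STRIDE",
    "flow": "TID",
    "store": "TID",  # plus R when the store holds logs (see identify)
}


def identify(dfd):
    """Identify step: enumerate every (element, threat) pair the model implies."""
    threats = []
    for el in dfd:
        letters = STRIDE_PER_ELEMENT[el.kind]
        if el.kind == "store" and el.holds_logs:
            letters += "R"
        threats.extend((el.name, letter) for letter in letters)
    return threats


def unmitigated(dfd, mitigations):
    """Mitigate/Validate bookkeeping: the threats with no recorded mitigation
    yet, i.e. the work list for the analyst (a requirement) and tester (a test)."""
    return [t for t in identify(dfd) if t not in mitigations]


# Model step: an assumed level-1 DFD of the Cyclone Transfers story
# (constructed for this example).
CYCLONE_DFD = [
    Element("Customer browser", "entity"),
    Element("Transfer request (browser -> web app)", "flow"),
    Element("Transfer service", "process"),
    Element("Accounts DB", "store"),
    Element("Audit log", "store", holds_logs=True),
]

# Mitigation register: (element, letter) -> (mitigation, validating test).
# Entries are illustrative assumptions tied to the deck's own examples.
CYCLONE_MITIGATIONS = {
    ("Transfer request (browser -> web app)", "T"): ("TLS", "test_http_redirects_to_https"),
    ("Transfer request (browser -> web app)", "I"): ("TLS", "test_http_redirects_to_https"),
    ("Transfer service", "T"): ("Server-side range check on amount", "test_negative_amount_rejected"),
    ("Transfer service", "E"): ("Ownership check on source account", "test_transfer_from_other_account_denied"),
    ("Accounts DB", "T"): ("Parameterised queries", "test_single_quote_in_search"),
}


def report(dfd, mitigations):
    """One status line per threat, for the review with the business."""
    lines = []
    for name, letter in identify(dfd):
        mit = mitigations.get((name, letter))
        status = "mitigated by %s (validated by %s)" % mit if mit else "OPEN"
        lines.append("%-40s %-22s %s" % (name, STRIDE[letter], status))
    return lines


if __name__ == "__main__":
    print("\n".join(report(CYCLONE_DFD, CYCLONE_MITIGATIONS)))
    print(len(unmitigated(CYCLONE_DFD, CYCLONE_MITIGATIONS)), "threats still open")
```

The point of keeping the register keyed by (element, threat) is that every mitigation names the test that validates it, so "Validate" becomes a checklist the test analyst can execute rather than a promise.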
18. ATTACK TREES
Attack tree diagram for Cyclone Transfers; root goal and nodes as shown on the slide:
Get Funds Transferred to me with no work.
Get someone else to give me money
Steal someone’s account
Trick someone into giving me money
Fool the system into giving me money
Enter a negative number for a transfer I make
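An attack tree evaluator, as an added example that is not part of the presentation. It encodes the slide's nodes as an OR tree (the parent/child grouping below is an assumption; the slide's diagram does not survive in the extracted text), then reports which leaves still give an attacker a path to the root goal once a mitigation is recorded, here the amount range check from the input validation slide.

```python
class AttackNode:
    """A goal in an attack tree. OR nodes are reachable if any child is;
    AND nodes only if every child is. Leaves have no children."""

    def __init__(self, goal, children=(), gate="OR"):
        self.goal = goal
        self.children = list(children)
        self.gate = gate


def is_open(node, mitigated):
    """True if the attacker can still achieve this node's goal, given the
    set of leaf goals that have a mitigation in place."""
    if not node.children:
        return node.goal not in mitigated
    results = [is_open(child, mitigated) for child in node.children]
    return any(results) if node.gate == "OR" else all(results)


def open_leaves(node, mitigated):
    """Leaves that still contribute to an open path to the root: the to-do
    list for the requirements analyst (a control) and the tester (a test)."""
    if not is_open(node, mitigated):
        return []
    if not node.children:
        return [node.goal]
    return [leaf for child in node.children for leaf in open_leaves(child, mitigated)]


def render(node, mitigated, depth=0):
    """Indented text view of the tree, marking each node OPEN or closed."""
    mark = "OPEN" if is_open(node, mitigated) else "closed"
    gate = "" if not node.children else " [%s]" % node.gate
    lines = ["  " * depth + "%s%s (%s)" % (node.goal, gate, mark)]
    for child in node.children:
        lines.extend(render(child, mitigated, depth + 1))
    return lines


# The slide's nodes; the grouping under the two intermediate goals is assumed.
CYCLONE_TREE = AttackNode("Get Funds Transferred to me with no work", [
    AttackNode("Get someone else to give me money", [
        AttackNode("Steal someone's account"),
        AttackNode("Trick someone into giving me money"),
    ]),
    AttackNode("Fool the system into giving me money", [
        AttackNode("Enter a negative number for a transfer I make"),
    ]),
])


if __name__ == "__main__":
    print("\n".join(render(CYCLONE_TREE, set())))
    # After the RANGE check on the transfer amount is implemented and tested:
    done = {"Enter a negative number for a transfer I make"}
    print("\n".join(render(CYCLONE_TREE, done)))
    print("still open:", open_leaves(CYCLONE_TREE, done))
```

Marking a leaf as mitigated should only happen once the validating test exists and passes; until then the leaf stays OPEN in the rendered tree, which is what makes the tree useful as a test plan rather than just a brainstorm.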
19. NEGATIVE TEST EXAMPLES
#1 Test: The Single Quote: '
Helpful to make sure SQL injection attacks have been properly mitigated.
Also useful for ensuring anti-SQL injection protections properly deal with single quote characters in user data.
20. EXAMPLE SINGLE QUOTE TEST
Cyclone Transfers: Test Procedure
Login
Go to all users.
Use Search function to find abcdef
Use Search function to find O’Brian
Expected result: No users found; same result for both.
Actual Result: Error message in second case.
21. NEGATIVE TEST CASE: HTML CONTENT
Another important test case: allowing entry of HTML input, and properly displaying the result (i.e., as text).
Cross-Site Scripting is the single most commonly encountered security issue in web applications.
22. EXAMPLE HTML CONTENT TEST
Cyclone Transfers: Test Procedure
Click on Sign In, then Sign Up.
Create new account; in the Profile Statement section include the following content: <script>alert(123)</script>
Log in as a different user, go to all users and search for the newly created user.
Expected Result: Profile Statement is displayed in search results as typed above.
Actual Result: Alert box created.
23. NEGATIVE TEST CASE: DIRECT OBJECT ACCESS
If URLs to content are static, ensure that users cannot access other users’ content.
Unlike the previous two cases, this is very difficult for multi-purpose scanner tools to detect and respond to; it requires knowledge of the application and its data access rules.
24. EXAMPLE DIRECT OBJECT ACCESS
Cyclone Transfers: Test Procedure
Create new user, as in the last test.
As the new user, add an account and upload a test PDF as “Bank Statement”.
Click on the link to the uploaded PDF to validate. Create a bookmark to the PDF.
Log in as a different account and use the bookmark to go to the PDF.
Expected Result: Access should be denied.
Actual Result: PDF displayed.
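The three negative tests of slides 20, 22 and 24, as an added example (not code from the presentation or from a real Cyclone Transfers application): a search that reproduces the single-quote failure next to its parameterised replacement, profile output that is escaped so the HTML test shows text rather than an alert box, and a document lookup that is keyed on owner as well as id so the bookmarked PDF is denied to another account. The in-memory SQLite schema and rows are constructed for the example.

```python
import html
import sqlite3


def build_db():
    """In-memory stand-in for the Cyclone Transfers database. The schema and
    rows are constructed for this example, not the application's own."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, profile TEXT);
        CREATE TABLE statements (id INTEGER PRIMARY KEY, owner_id INTEGER,
                                 filename TEXT);
        INSERT INTO users VALUES (1, 'alice', 'Saving for a bike');
        INSERT INTO users VALUES (2, 'newuser', '<script>alert(123)</script>');
        INSERT INTO statements VALUES (7, 2, 'test.pdf');
    """)
    return conn


# --- Slide 20: the single-quote test -----------------------------------

def search_users_unsafe(conn, term):
    """The behaviour slide 20 reports: the term is pasted into the SQL text,
    so O'Brian produces a malformed query (and the field is injectable)."""
    sql = "SELECT id, name FROM users WHERE instr(name, '" + term + "') > 0"
    return conn.execute(sql).fetchall()


def search_users(conn, term):
    """Hardened form: the term is a bound parameter, never part of the SQL,
    so a quote in user data is just data."""
    sql = "SELECT id, name FROM users WHERE instr(name, ?) > 0"
    return conn.execute(sql, (term,)).fetchall()


def single_quote_test(search):
    """Run the slide's procedure against a search implementation. Passes only
    if 'abcdef' and "O'Brian" behave the same: no users found, no error."""
    conn = build_db()
    try:
        plain = search(conn, "abcdef")
        quoted = search(conn, "O'Brian")
    except sqlite3.Error as exc:
        return {"passed": False, "actual": "error: %s" % exc}
    return {"passed": plain == quoted == [], "actual": "no users found"}


# --- Slide 22: HTML content in the profile statement --------------------

def render_profile(profile):
    """Escape on output so the statement is shown as text, never executed."""
    return '<p class="profile">' + html.escape(profile) + "</p>"


# --- Slide 24: direct object access to an uploaded statement ------------

def fetch_statement(conn, statement_id, user_id):
    """Look the document up by id AND owner. Only the owner gets the filename;
    'not yours' and 'does not exist' both return None so the response does
    not reveal which one it was."""
    row = conn.execute(
        "SELECT filename FROM statements WHERE id = ? AND owner_id = ?",
        (statement_id, user_id),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("concatenated SQL:", single_quote_test(search_users_unsafe))
    print("parameterised SQL:", single_quote_test(search_users))
    print(render_profile("<script>alert(123)</script>"))
    conn = build_db()
    print("owner:", fetch_statement(conn, 7, 2),
          "| other account:", fetch_statement(conn, 7, 1))
```

The search test deliberately reports the outcome the same way the slide does (passed or not, plus the actual result) so it can be dropped into a suite and run after every build; the escaping and the owner-scoped query are the fixes the two remaining slides' "Expected Result" lines describe.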
25. THE RUGGED MANIFESTO
HTTPS://WWW.RUGGEDSOFTWARE.ORG/
I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
I recognize these things – and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.
26. THINGS ARE NOT GETTING ANY EASIER
Things are not getting any easier; they are getting really complicated, very fast.
Human beings are still the weakest link.
Ballooning attack surface:
The number of mobile devices is growing, and mobile apps are getting very functional/complicated.
The Internet of Things is making application security more difficult with the number of interconnected devices.
27. CALL TO ACTION
Don’t be left behind: security requirements elicitation & testing skills are essential, not optional.
A skill you must have to be competitive/marketable/just to survive.
Get trained, get competent in software security requirements elicitation techniques & security testing techniques.
Resources are lacking:
Conferences that cater to analysts have no tracks, or very few tracks, on application security requirements/testing.
28. RESOURCES
OWASP
https://www.owasp.org
OWASP Testing Guide (200+ page PDF document is free to download)
https://www.owasp.org/index.php/OWASP_Testing_Project
OWASP Application Security Verification Standard 3.0
https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf
OWASP Broken Web Application Project
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
SANS SWAT checklist
https://software-security.sans.org/resources/swat
Microsoft SDL Threat Modeling Tool
https://www.microsoft.com/en-us/download/confirmation.aspx?id=49168
29. THANK YOU!
If you would like to contact us:
Jason Petry (petryj2@nationwide.com)
Eapen Thomas (eapen@nationwide.com)