System Event Monitoring for Active Authentication (Coveros, Inc.)
The authors use system event monitoring to distinguish between the behavioral characteristics of normal and anomalous computer system users. Identifying anomalous behavior at the system event level diminishes privacy concerns and supports the identification of cross-application behavioral patterns.
Better Security Testing: Using the Cloud and Continuous Delivery (Gene Gotimer)
Even though many organizations claim that security is a priority, that claim doesn’t always translate into supporting security initiatives in software development or test. Security code reviews often are overlooked or avoided, and when development schedules fall behind, security testing may be dropped to help the team “catch up.” Everyone wants more secure development; they just don’t want to spend time or money to get it. Gene Gotimer describes his experiences with implementing a continuous delivery process in the cloud and how he integrated security testing into that process. Gene discusses how to take advantage of the automated provisioning and automated deploys already being implemented to give more opportunities along the way for security testing without schedule disruption. Learn how you can incrementally mature a practice to build security into the process—without a large-scale, time-consuming, or costly effort.
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall... (Sauce Labs)
Test automation is all about running the most tests in the least amount of time. This is great for mature apps, but in the early stages of developing your web or mobile app, developers need to run a number of tests to ensure the app runs at all. Further complicating the issue is that your app is often architected differently for web and mobile, which makes writing automated tests tricky.
Test Automation Specialist Max Saperstone from Coveros will cover some simple testing examples and demonstrate how to expand these for testing over multiple web architectures. He will briefly cover the difference in the design of these sites with a focus on how tests can be designed to overcome their limitations, minimizing duplicate code, and following best practices.
Application Security in a DevOps World: Three Methods for Shifting Left
Operations has always resided clearly outside of development. Release candidates are tossed over the fence by development and operations was expected to “just make it work.” The same can be said about many other activities, including application security. This isn’t intended to be derision aimed at development—it’s just a feature of how processes have historically been demarcated. But with the emergence of the DevOps movement, organizations are beginning to apply the “shift-left” principle associated with early testing toward other facets of application development. Security, which has been treated as something you can test into an application, should be built into an application according to DevOps principles. In this presentation, we discuss how to get development and operations working together to build security into the application. We’ll outline three methods and discuss their merits and drawbacks:
• Penetration testing: This is the approach most commonly used.
• Hybrid testing: By applying flow (dynamic) analysis early in the process, you can look for possible paths through the code that lead to security flaws.
• Preventative testing: By taking a standards-based approach and implementing a set of activities that target defects that lead to security vulnerabilities, you are able to get ahead of security issues that diminish the effectiveness of DevOps approaches.
Norse Live Attack Map http://map.ipviking.com/
8,000,000 sensors in 200 data centers in 50 countries – designed to look like everything
The top 5,000,000 worst IPs on the internet
"There are very rarely attacks against Canada, for whatever reason. I guess they're just too nice."
See also http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16447&view=map for DDOS live
This session addresses the technology challenges of continuous security testing to “deliver securely,” and discusses best practices and tooling based on first-hand experience in both enterprise and startup environments.
An introduction to the DevSecOps webinar will be presented by me at 10:30am EST on 29 July 2018. It's a session focused on a high-level overview of DevSecOps, which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
Link to Youtube video: https://youtu.be/-awH_CC4DLo
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn id: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Basic Introduction to DevSecOps concept
Why What and How for DevSecOps
Basic intro for Threat Modeling
Basic Intro for Security Champions
3 pillars of DevSecOps
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
How to integrate security in CI/CD pipeline
Bringing Security Testing to Development: How to Enable Developers to Act as ... (Achim D. Brucker)
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy, which enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it and how we enable global development teams to implement the strategy across different SDLCs, and report on our experiences.
Implementing an Application Security Pipeline in Jenkins (Suman Sourav)
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge, and the traditional secure SDLC model fails to deliver the desired results. DevOps teams understand the process of build, test, and deploy. They have largely automated this process in a delivery pipeline and deploy to production multiple times per day, but the big challenge is: how can they do this securely?
This session will focus on a strategy to build an application security pipeline in Jenkins, the challenges and possible solutions, and how existing application security solutions (SAST, DAST, IAST, open-source library analysis) are playing a key role in growing the relationship between security and DevOps.
Top 5 best practices for delivering secure in-vehicle software (Rogue Wave Software)
As consumer demands drive vehicle software to new limits, the rapid evolution of embedded software technology brings security and safety software challenges. These challenges are made more difficult because vehicle software continues to increase in size and complexity, elevating the risk of failures. Regardless of the difficulty, safety critical software must be secure and reliable to avoid severely damaging a company’s reputation and competitive advantage.
At Rogue Wave, it is our job to help customers ensure their software is secure and reliable. Our source code analysis tools have analyzed billions of lines of code across the mobile device, automotive, consumer electronics, medical technologies, telecom, military and aerospace sectors. Although the automotive industry comes with some unique challenges and requirements to ensure security and compliance, we know how to work in complex environments given our experience with more than 3,000 customers over the last 25 years, including the biggest brands in the automotive industry.
During a recent webinar, Meera Rao, DevSecOps Practice Director with Synopsys Software Integrity Group, spoke on Risk-Based Adaptive DevSecOps.
Building security automation into the DevOps pipeline is a key pain point for many organizations. Some firms deploy to production as frequently as every five minutes—a velocity that security struggles to match. Implementing intelligence within the DevOps pipeline supports security activities by matching the team’s velocity, providing intelligent feedback, and supporting organizations as they scale their security testing activities.
For more information, please visit our website at https://www.synopsys.com/devops
Why should developers care about container security? (Eric Smalling)
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
Innovating Faster with Continuous Application Security (Jeff Williams)
DevSecOps tutorial and demonstration. Build your pipeline with IAST, RASP, and OSS. Try Contrast community edition full strength DevSecOps platform for testing, protecting, and open source analysis -- all for free. https://www.contrastsecurity.com/contrast-community-edition
How-To Guide for Software Security Vulnerability Remediation (Denim Group)
The security industry often pays a tremendous amount of attention to finding security vulnerabilities. This is done via code review, penetration testing and other assessment methods. Unfortunately, finding vulnerabilities is only the first step toward actually addressing the associated risks, and addressing these risks is arguably the most critical step in the vulnerability management process. Complicating matters is the fact that most application security vulnerabilities cannot be fixed by members of the security team but require code-level changes in order to successfully address the underlying issue. Therefore, security vulnerabilities need to be communicated and transferred to software development teams and then prioritized and added to their workloads. This paper examines the steps required to remediate software-level vulnerabilities properly, and recommends best practices organizations can use to be successful in their remediation efforts.
"CERT Secure Coding Standards" by Dr. Mark Sherman (Rinaldi Rampen)
OWASP DC - November 2015 Talk
Abstract:
This presentation will start with an overview of CERT’s view of the tools, technologies and processes for building secure software from requirements to operational deployment, including architecture, design, coding and testing. After providing the context for building secure software, the discussion will focus on the current state of the CERT Coding Standards: what is available, how the rules evolve and how the rules are put into practice.
Bio:
Dr. Mark Sherman is the Technical Director of the Cyber Security Foundations group at CERT within CMU’s Software Engineering Institute. His team focuses on foundational research on the life cycle for building secure software and on data-driven analysis of cyber security. Before coming to CERT, Dr. Sherman was at IBM and various startups, working on mobile systems, integrated hardware-software appliances, transaction processing, languages and compilers, virtualization, network protocols and databases. He has published over 50 papers on various topics in computer science.
Building security into software is harder than it should be. This article explores a way to align application security practices with other software development best practices in order to make building security in easier to manage and more cost effective. In particular, this article looks at combining continuous integration (CI) with security testing and secure static code analysis.
Application Security at DevOps Speed and Portfolio Scale (Jeff Williams)
Published on Nov 26, 2013
AppSec at DevOps Speed and Portfolio Scale - Jeff Williams
Watch this talk on YouTube: https://www.youtube.com/watch?v=cIvOth0fxmI
Software development is moving much faster than application security, with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps.
Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today's best software assurance techniques *can't* handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development.
Although we're making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It's not just security tools -- application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.
Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.
Speaker
Jeff Williams
CEO, Aspect Security
Jeff is a founder and CEO of Aspect Security and recently launched Contrast Security, a new approach to application security analysis. Jeff was an OWASP Founder and served as Global Chairman from 2004 to 2012, contributing many projects including the OWASP Top Ten, WebGoat, ESAPI, ASVS, and more. Jeff is passionate about making it possible for anyone to do their own continuous application security in real time.
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi... (Sonatype)
In 2013, the Open Web Application Security Project (OWASP) Top Ten was updated to include “A9: using components with known vulnerabilities.” This paper explains this new threat with practical ideas for reducing risk from open source components, which now comprise 80% of an average application.
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost? (Denim Group)
For the security industry to mature more data needs to be available about the true cost of security vulnerabilities. Data and statistics are starting to be released, but most of this currently focuses on the prevalence of different types of vulnerabilities and incidents rather than the costs of addressing the underlying issues. This session presents statistics from the remediation of 15 web-based applications in order to provide insight into the actual cost of remediating application-level vulnerabilities.
The presentation begins by setting out a structured model for software security remediation projects so that time spent on tasks can be consistently tracked. It lays out possible sources of bias in the underlying data to allow for better-informed consumption of the final analysis. It also discusses different approaches to remediating vulnerabilities, such as fixing easy vulnerabilities first versus fixing serious vulnerabilities first.
Next, historical data from the fifteen remediation projects is presented. This data consists of the average cost to remediate specific classes of vulnerabilities – cross-site scripting, SQL injection and so on – as well as the overall project composition to demonstrate the percentage of time spent on actual fixes as well as the percentages of time spent on other supporting activities such as environment setup, testing and verification and deployment. The data on the remediation of specific vulnerabilities allows for a comparison of the relative difficulty of remediating different vulnerability types. The data on the overall project composition can be used to determine the relative “efficiency” of different projects.
Finally, analysis of the data is used to create a model for estimating remediation projects so that organizations can create realistic estimates in order to make informed remediate/do not remediate decisions. In addition, characteristics of the analyzed projects are mapped to project composition to demonstrate best practices that can be used to decrease the cost of future remediation efforts.
Unrestrained access to a trustworthy and realistic test environment—including the application under test (AUT) and all of its dependent components—is essential for achieving "quality@speed" with Agile, DevOps, and Continuous Delivery.
Service Virtualization is an emerging technology that provides DevTest teams access to a complete test environment by simulating the dependent components that are beyond your control, still evolving, or too complex to configure in a test lab.
Join us for a live webinar on Service Virtualization and how it impacts software testing Access, Behavior, Cost, and Speed.
Learn the basics of Service Virtualization, including how it can help your organization:
• Provide access to a complete test environment including all critical dependent system components
• Alter the behavior of those dependent components in ways that would be impossible with a staged test environment—enabling you to test earlier, faster, and more completely
• Isolate different layers of the application for debugging and performance testing
AppSec How-To: Achieving Security in DevOps (Checkmarx)
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.
This presentation goes over core principles involved in launching secure web applications and effectively managing security in a cloud services environment.
Third Party Performance (Velocity, 2014) (Guy Podjarny)
Third party components are a part of any modern site: JS libs, analytics, trackers, share buttons, ads. Many components, each adding its performance cost, cause render delays or can effectively take your site down. This isn’t your code nor your servers, so what can you do about it?
This presentation will answer this question with strategies and tactics for keeping 3rd parties from taking you down.
This talk was given at Velocity Santa Clara, 2014 (http://velocityconf.com/velocity2014/public/schedule/detail/35448).
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom... (Denim Group)
Organizations often have to deploy arbitrary applications on their infrastructure without thorough security testing. These applications can contain serious security vulnerabilities that can be detected and exploited remotely and in an automated manner. The applications themselves and the infrastructure they are deployed on are then at risk of exploitation. Configuration changes or vendor-provided software updates and patches are typically used to address infrastructure vulnerabilities. However, application-level vulnerabilities often require coding changes to be fully addressed.
Virtual patching is a technique where targeted rules are created for web application firewalls (WAFs) or other IDS/IPS technologies to help mitigate specific known application vulnerabilities. This allows applications to be “virtually” patched prior to actual code-level patches being applied. These virtual patches are most often applicable to vulnerabilities that have a strong detection signature such as SQL injection and cross-site scripting (XSS) because the detection rules can be targeted to detect these signatures, but limited only to specific parts of the application attack surface where the application is known to be vulnerable.
This presentation examines the automatic creation of virtual patches from automated web application security scanner results and explores scenarios where this approach might be successfully employed. It discusses theoretical approaches to the problem and provides specific demonstrations using Open Source tools such as the skipfish and w3af scanners and Snort and mod_security protection technologies. Finally, it looks at opportunities to apply these techniques to protect arbitrary applications deployed into arbitrary infrastructures so that short-term protection against common web application attacks can be consistently applied while minimizing false blocking of legitimate traffic.
Stakeholders always want to release when they think we’ve finished testing. They believe we have discovered “all of the important problems” and “verified all of the fixes”—and now it’s time to reap the rewards. However, as testers we still can assist in improving software by learning about problems after code has rolled live—especially if it’s a website. Jon Bach explores why and how at eBay they have a post-ship site quality mindset in which testers continue to learn from live A/B testing, operational issues, customer sentiment analysis, discussion forums, and customer call patterns—just to name a few. Jon explains what eBay’s Live Site Quality team learns every day about what they just released to production. Take away new ideas on what you can do to test and improve value—even after you’ve shipped.
The nature of exploration, coupled with the ability of testers to rapidly apply their skills and experience, make exploratory testing a widely used test approach—especially when time is short. Unfortunately, exploratory testing often is dismissed by project managers who assume that it is not reproducible, measurable, or accountable. If you have these concerns, you may find a solution in a technique called session-based test management (SBTM), developed by Jon Bach and his brother James to specifically address these issues. In SBTM, testers are assigned areas of a product to explore, and testing is time boxed in “sessions” that have mission statements called “charters” to create a meaningful and countable unit of work. Jon discusses—and you practice—the skills of exploration using the SBTM approach. He demonstrates a freely available, open source tool to help manage your exploration and prepares you to implement SBTM in your test organization.
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.
Implementing an Application Security Pipeline in JenkinsSuman Sourav
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge and the traditional secure SDLC model fails to deliver the desired results. DevOps understand the process of built, test and deploy. They have largely automated this process in a delivery pipeline, they deploy to production multiple times per day but the big challenge is how can they do this securely?
This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.
Top 5 best practice for delivering secure in-vehicle softwareRogue Wave Software
As consumer demands drive vehicle software to new limits, the rapid evolution of embedded software technology brings security and safety software challenges. These challenges are made more difficult because vehicle software continues to increase in size and complexity, elevating the risk of failures. Regardless of the difficulty, safety critical software must be secure and reliable to avoid severely damaging a company’s reputation and competitive advantage.
At Rogue Wave, it is our job to help customers ensure their software is secure and reliable. Our source code analysis tools have analyzed billions of lines of code across the mobile device, automotive, consumer electronics, medical technologies, telecom, military and aerospace sectors. Although the automotive industry comes with some unique challenges and requirements to ensure security and compliance, we know how to work in complex environments given our experience with more than 3,000 customers over the last 25 years, including the biggest brands in the automotive industry.
During a recent webinar, Meera Rao, DevSecOps Practice Director with Synopsys Software Integrity Group spoke on Risk Based Adaptive DevSecOps.
Building security automation into the DevOps pipeline is a key pain point for many organizations. Some firms deploy to production as frequently as every five minutes—a velocity that security struggles to match. Implementing intelligence within the DevOps pipeline supports security activities by matching the team’s velocity, providing intelligent feedback, and supporting organizations as they scale their security testing activities.
For more information, please visit our website at https://www.synopsys.com/devops
Why should developers care about container security?Eric Smalling
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
Innovating Faster with Continuous Application Security - Jeff Williams
DevSecOps tutorial and demonstration. Build your pipeline with IAST, RASP, and OSS. Try Contrast Community Edition, a full-strength DevSecOps platform for testing, protecting, and open source analysis -- all for free. https://www.contrastsecurity.com/contrast-community-edition
How-To Guide for Software Security Vulnerability Remediation - Denim Group
The security industry often pays a tremendous amount of attention to finding security vulnerabilities. This is done via code review, penetration testing and other assessment methods. Unfortunately, finding vulnerabilities is only the first step toward actually addressing the associated risks, and addressing these risks is arguably the most critical step in the vulnerability management process. Complicating matters is the fact that most application security vulnerabilities cannot be fixed by members of the security team but require code-level changes in order to successfully address the underlying issue. Therefore, security vulnerabilities need to be communicated and transferred to software development teams and then prioritized and added to their workloads. This paper examines the steps required to remediate software-level vulnerabilities properly, and recommends best practices organizations can use to be successful in their remediation efforts.
"CERT Secure Coding Standards" by Dr. Mark Sherman - Rinaldi Rampen
OWASP DC - November 2015 Talk
Abstract:
This presentation will start with an overview of CERT’s view of the tools, technologies and processes for building secure software from requirements to operational deployment, including architecture, design, coding and testing. After providing the context for building secure software, the discussion will focus on the current state of the CERT Coding Standards: what is available, how the rules evolve and how the rules are put into practice.
Bio:
Dr. Mark Sherman is the Technical Director of the Cyber Security Foundations group at CERT within CMU’s Software Engineering Institute. His team focuses on foundational research on the life cycle for building secure software and on data-driven analysis of cyber security. Before coming to CERT, Dr. Sherman was at IBM and various startups, working on mobile systems, integrated hardware-software appliances, transaction processing, languages and compilers, virtualization, network protocols and databases. He has published over 50 papers on various topics in computer science.
Building security into software is harder than it should be. This article explores a way to align application security practices with other software development best practices in order to make building security in easier to manage and more cost effective. In particular, this article looks at combining continuous integration (CI) with security testing and secure static code analysis.
Application Security at DevOps Speed and Portfolio Scale - Jeff Williams
Published on Nov 26, 2013
AppSec at DevOps Speed and Portfolio Scale - Jeff Williams
Watch this talk on YouTube: https://www.youtube.com/watch?v=cIvOth0fxmI
Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps.
Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today's best software assurance techniques *can't* handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development.
Although we're making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It's not just security tools -- application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.
Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.
Speaker
Jeff Williams
CEO, Aspect Security
Jeff is a founder and CEO of Aspect Security and recently launched Contrast Security, a new approach to application security analysis. Jeff was an OWASP Founder and served as Global Chairman from 2004 to 2012, contributing many projects including the OWASP Top Ten, WebGoat, ESAPI, ASVS, and more. Jeff is passionate about making it possible for anyone to do their own continuous application security in real time.
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi... - Sonatype
In 2013, the Open Web Application Security Project (OWASP) Top Ten was updated to include “A9: Using Components with Known Vulnerabilities.” This paper explains this new threat with practical ideas for reducing risk from open source components, which now comprise 80% of an average application.
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost? - Denim Group
For the security industry to mature, more data needs to be available about the true cost of security vulnerabilities. Data and statistics are starting to be released, but most of this currently focuses on the prevalence of different types of vulnerabilities and incidents rather than the costs of addressing the underlying issues. This session presents statistics from the remediation of 15 web-based applications in order to provide insight into the actual cost of remediating application-level vulnerabilities.
The presentation begins by setting out a structured model for software security remediation projects so that time spent on tasks can be consistently tracked. It lays out possible sources of bias in the underlying data to allow for better-informed consumption of the final analysis. It also discusses different approaches to remediating vulnerabilities, such as fixing easy vulnerabilities first versus fixing serious vulnerabilities first.
Next, historical data from the fifteen remediation projects is presented. This data consists of the average cost to remediate specific classes of vulnerabilities – cross-site scripting, SQL injection and so on – as well as the overall project composition to demonstrate the percentage of time spent on actual fixes as well as the percentages of time spent on other supporting activities such as environment setup, testing and verification and deployment. The data on the remediation of specific vulnerabilities allows for a comparison of the relative difficulty of remediating different vulnerability types. The data on the overall project composition can be used to determine the relative “efficiency” of different projects.
Finally, analysis of the data is used to create a model for estimating remediation projects so that organizations can create realistic estimates in order to make informed remediate/do not remediate decisions. In addition, characteristics of the analyzed projects are mapped to project composition to demonstrate best practices that can be used to decrease the cost of future remediation efforts.
Unrestrained access to a trustworthy and realistic test environment—including the application under test (AUT) and all of its dependent components—is essential for achieving "quality@speed" with Agile, DevOps, and Continuous Delivery.
Service Virtualization is an emerging technology that provides DevTest teams access to a complete test environment by simulating the dependent components that are beyond your control, still evolving, or too complex to configure in a test lab.
Join us for a live webinar on Service Virtualization and how it impacts software testing Access, Behavior, Cost, and Speed.
Learn the basics of Service Virtualization, including how it can help your organization:
- Provide access to a complete test environment including all critical dependent system components
- Alter the behavior of those dependent components in ways that would be impossible with a staged test environment—enabling you to test earlier, faster, and more completely
- Isolate different layers of the application for debugging and performance testing
AppSec How-To: Achieving Security in DevOps - Checkmarx
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.
This presentation goes over core principles involved in launching secure web applications and effectively managing security in a cloud services environment.
Third Party Performance (Velocity, 2014) - Guy Podjarny
Third party components are a part of any modern site: JS libs, analytics, trackers, share buttons, ads. Many components, each adding its own performance cost, cause render delays or can effectively take your site down. This isn’t your code nor your servers, so what can you do about it?
This presentation will answer this question with strategies and tactics for keeping 3rd parties from taking you down.
This talk was given at Velocity Santa Clara, 2014 (http://velocityconf.com/velocity2014/public/schedule/detail/35448).
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom... - Denim Group
Organizations often have to deploy arbitrary applications on their infrastructure without thorough security testing. These applications can contain serious security vulnerabilities that can be detected and exploited remotely and in an automated manner. The applications themselves and the infrastructure they are deployed on are then at risk of exploitation. Configuration changes or vendor-provided software updates and patches are typically used to address infrastructure vulnerabilities. However, application-level vulnerabilities often require coding changes to be fully addressed.
Virtual patching is a technique where targeted rules are created for web application firewalls (WAFs) or other IDS/IPS technologies to help mitigate specific known application vulnerabilities. This allows applications to be “virtually” patched prior to actual code-level patches being applied. These virtual patches are most often applicable to vulnerabilities that have a strong detection signature such as SQL injection and cross-site scripting (XSS) because the detection rules can be targeted to detect these signatures, but limited only to specific parts of the application attack surface where the application is known to be vulnerable.
This presentation examines the automatic creation of virtual patches from automated web application security scanner results and explores scenarios where this approach might be successfully employed. It discusses theoretical approaches to the problem and provides specific demonstrations using Open Source tools such as the skipfish and w3af scanners and Snort and mod_security protection technologies. Finally, it looks at opportunities to apply these techniques to protect arbitrary applications deployed into arbitrary infrastructures so that short-term protection against common web application attacks can be consistently applied while minimizing false blocking of legitimate traffic.
Stakeholders always want to release when they think we’ve finished testing. They believe we have discovered “all of the important problems” and “verified all of the fixes”—and now it’s time to reap the rewards. However, as testers we still can assist in improving software by learning about problems after code has rolled live—especially if it’s a website. Jon Bach explores why and how at eBay they have a post-ship site quality mindset in which testers continue to learn from live A/B testing, operational issues, customer sentiment analysis, discussion forums, and customer call patterns—just to name a few. Jon explains what eBay’s Live Site Quality team learns every day about what they just released to production. Take away new ideas on what you can do to test and improve value—even after you’ve shipped.
The nature of exploration, coupled with the ability of testers to rapidly apply their skills and experience, make exploratory testing a widely used test approach—especially when time is short. Unfortunately, exploratory testing often is dismissed by project managers who assume that it is not reproducible, measurable, or accountable. If you have these concerns, you may find a solution in a technique called session-based test management (SBTM), developed by Jon Bach and his brother James to specifically address these issues. In SBTM, testers are assigned areas of a product to explore, and testing is time boxed in “sessions” that have mission statements called “charters” to create a meaningful and countable unit of work. Jon discusses—and you practice—the skills of exploration using the SBTM approach. He demonstrates a freely available, open source tool to help manage your exploration and prepares you to implement SBTM in your test organization.
Throughout the years, Lightning Talks have been a popular part of the STAR conferences. If you’re not familiar with the concept, Lightning Talks consists of a series of five-minute talks by different speakers within one presentation period. Lightning Talks are the opportunity for speakers to deliver their single biggest bang-for-the-buck idea in a rapid-fire presentation. And now, lightning has struck the STAR keynotes. Some of the best-known experts in testing—James Bach, Jon Bach, Michael Bolton, Jennifer Bonine, Hans Buwalda, Bob Galen, John Fodeh, Dawn Haynes, Geoff Horne, and Griffin Jones—will step up to the podium and give you their best shot of lightning. Get ten keynote presentations for the price of one—and have some fun at the same time.
Innovations in Test Automation: It’s Not All about Regression - TechWell
Although classic test automation, which usually focuses on regression testing, has its place in testing, there is much more you can do to improve testing productivity and its value to the project and your organization. Through experience-based examples, video clips, and demonstrations, John Fodeh shares one company’s innovation journey to improve its test automation practice. John illustrates how they learned to apply automated “test monkeys” that explore the software in new ways each time a test is executed. Then, he describes how the test team uses weighted probability tables to increase each test’s “intelligence” factor. Find out how they implemented model-based testing to improve automation effectiveness and how this practice led to the even more valuable behavior-driven testing approach they employ today. With these and other alternative approaches you, too, can get more mileage from your automation efforts. Join John to get inspired and start your own journey of innovation with new ideas that enhance your test automation strategy.
New Testing Standards Are on the Horizon: What Will Be Their Impact? - TechWell
The history of testing standards has not always been auspicious. Testing standards documents have been expensive to obtain, limited in scope, inflexible in expectations, and inconsistent. However, they contain important lessons learned from experienced practitioners—if a tester is willing to overcome the obstacles to get to the useful information. A set of new international standards is coming. These new standards are tailorable, consistent, and comprehensive in scope. In addition, they will be freely available (some are already). Claire Lohr provides a complete roadmap to all of the available—or soon-to-be-available—testing-related standards. Learn where to go for testing process guidelines, complete definitions of all test design techniques, full examples of test documentation (for both agile and traditional projects), and free international standards documents. Take away a “start-up guide” for how different types of projects can use the new standards along with valuable tips and practical lessons you can get from these standards.
Tune Agile Test Strategies to Project and Product Maturity - TechWell
For optimum results, you need to tune your agile project's test strategies to fit the different stages of project and product maturity. Testing tasks and activities should be lean enough to avoid unnecessary bottlenecks and robust enough to meet your testing goals. Exploring what "quality" means for various stakeholder groups, Anna Royzman describes testing methods and styles that fit best along the maturity continuum. Anna shares her insights on strategic ways to use test automation, when and how to leverage exploratory testing as a team activity, ways to prepare for live pilots and demos of the real product, approaches to refine test coverage based on customer feedback, and techniques for designing a production "safety net" suite of automated tests. Leave with a better understanding of how to satisfy your stakeholders’ needs for quality, and a roadmap for tuning your agile test strategies.
Build Your Own Performance Test Lab in the Cloud - TechWell
Many cloud-based performance and load testing tools claim to offer “cost-effective, flexible, pay-as-you-go pricing.” However, the reality is often neither cost-effective nor flexible. With many vendors, you will be charged whether or not you use the time (not cost effective), and you must pre-schedule test time (not always when you want and not always flexible). In addition, many roadblocks are thrown up—from locked-down environments that make it impossible to load test anything other than straight-forward applications, to firewall, security, and IP spoofing issues. Join Leslie Segal to discover when it makes sense to set up your own cloud-based performance test lab, either as a stand-alone or as a supplement to your current lab. Learn about the differences in licensing tools, running load generators on virtual machines, the real costs, and data about various cloud providers. Take home a road map for setting up your own performance test lab—in less than twenty-four hours.
Introducing Mobile Testing to Your Organization - TechWell
Mobile is an integral part of our daily lives, and if it’s not already part of your business model, it soon will be. When that happens, will you be ready to tackle the demands of testing web and native mobile apps? From the perspective of a test lead, Eric Montgomery describes the challenges Progressive Insurance, a company with a strong web presence, recently faced—learning new technologies, transforming the approach of testers from PC-based to mobile-based, and working with testing tools in a market that has yet to see a definitive leader emerge. Learn from Eric's experiences and return to your job with ideas on training web testers to be mobile testers. Take back proven techniques for testing mobile devices, ways of choosing devices for test, methods of sharing information, developing a sense of community among testers, choosing tools from the available market, and keeping up with rapid technology changes.
In today’s competitive world, more and more HTML5 applications are being developed for mobile and desktop platforms. Spotify has partnered with world-renowned organizations to create high quality apps to enrich the user experience. Testing a single application within a few months can be a challenge. But it's a totally different beast to test multiple world-class music discovery apps every week. Alexander Andelkovic shares insights into the challenges they face coordinating all aspects of app testing to meet their stringent testing requirements. Alexander describes an agile way to use the Kanban process to help out. He shares lessons learned including the need for management of acceptable levels of quality, support, smoke tests, and development guidelines. If you are thinking of starting agile app development or want to streamline your current app development process, Alexander’s experience gives you an excellent starting point.
Testers have been taught they are responsible for all testing. Some even say “It’s not tested until I run the product myself.” Eric Jacobson thinks this old school way of thinking can hurt a tester’s reputation and—even worse—may threaten team success. Learning to recognize opportunities where you may NOT have to test can eliminate bottlenecks and make you everyone’s favorite tester. Eric shares eight patterns from his personal experiences where not testing was the best approach. Examples include patches for critical production problems that can’t get worse, features that are too technical for the tester, cosmetic bug fixes with substantial test setup, and more. Challenge your natural testing assumptions. Become more comfortable with approaches that don’t require testing. Eliminate waste in your testing process by asking, “Does this need to be tested? By me?” Take back ideas to manage not testing including using lightweight documentation for justification. Not testing may actually be a means to better testing.
Keynote: Lean Software Delivery: Synchronizing Cadence with Context - TechWell
Daily, we are told that adopting agile, PaaS, DevOps, crowdsourced testing, or any of the myriad of current buzzwords will help us deliver better software faster. However, for the majority of software development organizations, naïve agile transformations that don’t look beyond the needs of developers will fail to produce the promised results. Mik Kersten says that instead of focusing on development alone to transform our software delivery, we must acknowledge the different contexts and mismatched cadences that define the work of business analysts, developers, testers, and project managers. For example, a developer working in an agile team may deliver code every two weeks, but the performance testing group may need more time for its work, while the operations group has a planned release cycle of once per quarter. To achieve optimum flow, which is the goal of end-to-end lean delivery, we must identify the different cadences of each group and interconnect the collaborators and their work—requirements, development, testing, and deployment.
Planning Your Agile Testing: A Practical Guide - TechWell
Traditional test plans are incompatible with agile software development because we don't know all the details about all the requirements up front. However, in an agile software release, you still must decide what types of testing activities will be required—and when you need to schedule them. Janet Gregory explains how to use the Agile Testing Quadrants, a model identifying the different purposes of testing, to help your team understand your testing needs as you plan the next release. Janet introduces you to alternative, lightweight test planning tools that allow you to plan and communicate your big picture testing needs and risks. Learn how to decide who does what testing—and when. Determine what types of testing to consider when planning an agile release, the infrastructure and environments needed for testing, what goes into an agile “test plan,” how to plan for acquiring test data, and lightweight approaches for documenting your tests and recording test results.
Specification-by-Example: A Cucumber Implementation - TechWell
We've all been there. You work incredibly hard to develop a feature and design tests based on written requirements. You build a detailed test plan that aligns the tests with the software and the documented business needs. When you put the tests to the software, it all falls apart because the requirements were updated without informing everyone. But help is at hand. Enter business-driven development and Cucumber, a tool for running automated acceptance tests. Join Mary Thorn as she explores the nuances of Cucumber and shows you how to implement specification-by-example, behavior-driven development, and agile acceptance testing. By fostering collaboration for implementing active requirements via a common language and format, Cucumber bridges the communication gap between business stakeholders and implementation teams. If you experience developers not coding to requirements, testers not getting requirements updates, or customers who feel out of the loop and don't get what they ask for, be here!
Pay Now or Pay More Every Day: Reduce Technical Debt Now! - TechWell
Is your team missing delivery dates? Is your velocity inconsistent from sprint to sprint? Are customers complaining about defects or the time it takes to add new features? These are signs that you are mired in technical debt, a metaphor that describes the long-term costs of doing something in a quick and dirty way and not going back to clean up the mess. Fadi Stephan shares a technical debt management approach to help you make prudent decisions on how much effort to invest in reducing technical debt. Discover ways to measure the quality of your current code base and determine the cost of eventual rework hanging over your system. Learn how to engage executives and get buy-in on a debt removal plan that will improve system design, increase the quality of your code, and return your team to high productivity. If you are burdened with technical debt, the choice is to pay now or continue paying more every day, forever.
It Seemed a Good Idea at the Time: Intelligent Mistakes in Test Automation - TechWell
Some test automation ideas seem very sensible at first glance but contain pitfalls and problems that can and should be avoided. Dot Graham describes five of these “intelligent mistakes”—1. Automated tests will find more bugs quicker. (Automation doesn’t find bugs, tests do.) 2. Spending a lot on a tool must guarantee great benefits. (Good automation does not come “out of the box” and is not automatic.) 3. Let’s automate all of our manual tests. (This may not give you better or faster testing, and you will miss out on some benefits.) 4. Tools are expensive so we have to show a return on investment. (This is not only surprisingly difficult but may actually be harmful.) 5. Because they are called “testing tools,” they must be tools for testers to use. (Making testers become test automators may be damaging to both testing and automation.) Join Dot for a rousing discussion of “intelligent mistakes”—so you can be smart enough to avoid them.
Exploratory testing is an approach to testing that emphasizes the freedom and responsibility of testers to continually optimize the value of their work. It is the process of three mutually supportive activities done in parallel: learning, test design, and test execution. With skill and practice, exploratory testers typically uncover an order of magnitude more problems than when the same amount of effort is spent on procedurally scripted testing. All testers conduct exploratory testing in one way or another, but few know how to do it systematically to obtain the greatest benefits. Even fewer can articulate the process. Jon Bach looks at specific heuristics and techniques of exploratory testing that will help you get the most from this highly productive approach. Jon focuses on the skills and dynamics of exploratory testing, and how it can be combined with scripted approaches.
How the Cloud Shifts the Burden of Security to Development - Erika Barron
The move to the cloud brings a number of new security challenges, but the application remains your last line of defense. Developers are extremely well-poised to perform tasks critical for securing the application—provided that certain key obstacles are overcome. [Presented at Cloud Expo - November 2014]
The best way to design secure software products - LabSharegroup
Our security-focused software development services specialize in helping company leaders like you. We promise to make your software development two times quicker and security focused, so you have more time for new releases and the other things you need to do.
Interested in getting your company brand secured by an experienced team that knows the way?
Customers love how easy it is to get started with the Java OSGi development framework.
The big benefit is that it helps business leaders and managers gain more control over software design and security-related risks. They can immediately identify what risks the product has, which features are risky, and much more. This helps them change their development process to match security standards, ultimately increasing company brand recognition and generating more sales.
In many organizations, agile development processes are driving the pursuit of faster software releases, which has spawned a set of new practices called DevOps. DevOps stresses communications and integration between development and operations, including continuous integration, continuous delivery, and rapid deployments. Because DevOps practices require confidence that changes made to the code base will function as expected, automated testing is an essential ingredient. Join Jeff Payne as he discusses the unique challenges associated with integrating automated testing into continuous integration/continuous delivery (CI/CD) environments. Learn the internals of how CI/CD works, appropriate tooling, and test integration points. Find out how to integrate your existing test automation frameworks into a DevOps environment and leave with a roadmap for integrating test automation with continuous integration and delivery.
David Cass discusses the role of security and how best practices can be used to accelerate cloud adoption and success.
Learn more by visiting our Bluemix Hybrid page: http://ibm.co/1PKN23h
Speaker: David Cass (Vice President, Cloud and SaaS CISO)
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar - Sumo Logic
In this webinar, Sumo Logic VP of Security and Compliance George Gerchow dives into how to make the shift to DevSecOps, discussing how to:
- Incorporate fundamental and high impact security best practices into your current DevOps operations
- Gain visibility into your compliance posture
- Identify potential risks and threats in your environments
The realm of cloud computing is evolving at a breathtaking pace, and this rapid transformation extends to various sectors, including software development and testing. Cloud-based testing, which leverages cloud resources to carry out comprehensive testing procedures, has emerged as a game-changer in the software testing industry. As organizations continue to adopt cloud computing services, it's important to explore the future trends that will shape the landscape of cloud-based testing.
Kovair DevOps – Major Value Propositions
1. Provides Low Code/No Code Drag-and-Drop configurable task-based CI/CD Pipeline
2. Supports combination of both manual and automated activities in a pipeline wherever necessary for process adherence
3. Monitors and manages multiple pipelines across multiple projects with complete visibility into the value stream
4. Supports edge computing with deployments over public/private/hybrid cloud, Kubernetes clusters or any on-premise and VM environment
5. The platform is certified by Red Hat Enterprise Linux and OpenShift container platform. Available on both Azure and Amazon cloud marketplace.
6. Smooth integration with an ESB such as Omnibus, which supports 110+ integrations beyond the boundary of CI/CD
7. Application-centric security services to predict, detect, mitigate and respond to threats – a separate Kovair service
Learn more - https://www.kovair.com/devops/
Devops security-An Insight into Secure-SDLCSuman Sourav
The integration of security into DevOps is already happening out of necessity. DevOps is a powerful paradigm shift, and companies often don't understand how security fits. The aim of this session is to give an overview of DevOps security and how security can be integrated and automated into each phase of the software development life cycle.
Measures to ensure Cyber Security in a serverless environmentFibonalabs
A serverless architecture is one in which applications run without the development team provisioning or managing servers: the cloud provider operates the underlying servers and runtime, and the team manages only the application code and its configuration. It has many benefits.
Next generation software testing trendsArun Kulkarni
Over two-thirds of software development projects use agile methods to deliver software quickly. As software releases become more frequent, testing processes have to keep pace and adopt continuous QA.
Mobile App Testing Strategy by RapidValue SolutionsRapidValue
Adoption of smartphones, tablets, and other mobile devices has risen steadily, leading to enormous growth in mobile applications in recent years. The mobile device is now the primary medium of interaction for customers and businesses worldwide, and mobile applications are driving that communication.
People generally do not give much importance to mobile application testing because of its cost, but it is essential to ensure that consumers have a great experience every time they use the application.
The aim of mobile application testing should be to learn about the quality of the service you are offering. Does it work properly? Will it deliver the service the customer expects? These questions need to be answered to ensure that the customer comes back to you for your service again. Mobile testing is becoming more complicated with each passing day, and strategies are devised to simplify it.
This presentation addresses the strategy to adopt in mobile app testing, the types of mobile app testing, and the stages to follow before the application goes live.
Traditional applications are tested through the GUI and through all exposed APIs. However, typical mobile app testing is only done through the front-end GUI. In addition, performance and security details are not readily available from the mobile device. Max Saperstone demonstrates some benefits of testing a native mobile application on a rooted device—one with privileged access control. Although Max does not describe how to root a device, he shares how to access back-end processes and test at this detailed level. He discusses the technical controls made available through a rooted device—together with its auditing, logging, and monitoring—and describes the gathering of additional metrics. Max demonstrates tools for penetration testing, sniffing, and network hacking; shares how to access application data directly; and shows how data security is implemented for the application. Learn how to use the admin rights associated with a rooted device to examine device performance and to simulate interrupts and system faults.
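To make the rooted-device inspection concrete, here is an added example (the editor's, not Max Saperstone's code): a Python audit of an Android SharedPreferences file of the kind a tester pulls from a rooted device. The package name, preferences file name and the XML contents are constructed samples, and the adb command in the docstring is just the usual way to read such a file once you have root; nothing here is from the talk itself.

```python
"""Audit an Android SharedPreferences file pulled from a rooted device for
secrets stored in the clear.

On a rooted device the file is readable with, for example (placeholders):
  adb shell su -c 'cat /data/data/<package>/shared_prefs/<name>.xml'
The XML below is a constructed sample standing in for that output.
"""
import base64
import json
import re
import xml.etree.ElementTree as ET

# Key names that usually hold credentials or bearer tokens.
SENSITIVE_KEY = re.compile(r"pass|pwd|token|secret|api[_-]?key|auth|session|jwt", re.I)
# header.payload.signature, base64url, header starting with '{"' encodes to "eyJ".
JWT_SHAPE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Constructed sample of a pulled shared_prefs file (hypothetical app data).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Summer2024!</string>
    <string name="api_token">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSJ9.sig</string>
    <string name="theme">dark</string>
    <boolean name="remember_me" value="true" />
    <string name="session_key">AXJ7vQ9nP2kL0sR4mT8wY1zB5cD6eF3g</string>
</map>
"""


def _b64url_decode(segment):
    """base64url without padding, as used in JWTs."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Return the JWT payload as a dict. The signature is deliberately not
    verified: the point is to show the token is readable, not valid."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def audit_shared_prefs(xml_text):
    """Return (key, kind, detail) for every sensitive-looking entry.

    kind is 'jwt' (detail = decoded claims) or 'plaintext' (detail = value).
    Any entry listed here is readable by anyone with root on the device.
    """
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for entry in root:
        name = entry.get("name", "")
        # <string> keeps the value as text, <boolean>/<int> as a value attribute.
        value = entry.text if entry.text is not None else entry.get("value", "")
        if not SENSITIVE_KEY.search(name):
            continue
        if JWT_SHAPE.match(value):
            findings.append((name, "jwt", decode_jwt_claims(value)))
        else:
            findings.append((name, "plaintext", value))
    return findings


if __name__ == "__main__":
    for key, kind, detail in audit_shared_prefs(SAMPLE_PREFS):
        print(f"{key}: {kind} -> {detail}")
```

The audit only inspects key names and value shapes; it does not claim the values are secrets, which is why the talk's step of exercising the app alongside the pulled data matters. The practical conclusion is the one the rooted device makes obvious: with root, anything in `shared_prefs` is readable, so long-lived credentials should not live there at all, and tokens should be short-lived or protected by hardware-backed keys rather than by file permissions.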
The burgeoning use of mobile devices has created enormous opportunities for organizations to leverage mobile to increase sales, advertise products, and collaborate with internal and external resources. However, with increasing usage, the need to perform testing on these devices is increasing significantly. This is not an easy task considering the number of devices, device operating systems, and operating system versions. To manage the number of variations, organizations rely on mobile testing tools to support their testing efforts. David Dang shares his experiences analyzing numerous mobile testing tool platforms for a prominent shopping network. Learn how identifying the "right" mobile testing tool depends on multiple factors such as supported devices, level of testing, resources, and required integration with other tools. Take back to share with your team a review of common tools on the market and the pros and cons of each.
SIEMLESS Integrated Security Services for Cloud Environments, Alert Logic - 채현주, Head of Security Technology Division, Openbase :: AWS Sum...Amazon Web Services Korea
Sponsor presentation session | SIEMLESS integrated security services for cloud environments, Alert Logic
채현주, Head of Security Technology Division, Openbase
The variety of services in cloud environments is making the work of protecting assets ever more complex. Approaching cloud security the way it was done on-premises wastes cost and resources and struggles to keep pace with the rate of technical change. This session examines the security characteristics of cloud environments, offers guidance for building an efficient security system, and introduces Alert Logic's security services, which can be used immediately without specialist security knowledge or a self-built security system.
This presentation focuses on building security into the software development life cycle and covers reconnaissance, scanning, and attack-based test design and execution.
Security automation can help IT teams limit cyberattack risk. Automation tools can significantly boost IT teams' efficiency and decrease risk. Read this guide to learn how automation can help boost your organisation's security and increase efficiency.
How Real Device Cloud Testing Ensures Exceptional Efficiency and Scalability ...kalichargn70th171
Real device cloud testing involves meticulously scrutinizing websites and apps on a diverse array of real desktop and mobile devices, all seamlessly hosted on cloud-based servers. This innovative approach grants Quality Assurance (QA) teams unfettered access to thousands of devices, facilitating manual and automated testing in real-time.
Similar to Better Security Testing: Using the Cloud and Continuous Delivery (20)
Do you ever feel you have lost confidence in your own abilities? Why does this happen? Isabel Evans spends a lot of time painting. Someone once commented, “Why are you doing this, when you are not very good at it?” And gradually she stopped drawing and painting, after being intimidated by a conventional vision of what good art should look like. At the same time, she experienced a parallel loss of confidence in her professional abilities. Attempting creative pursuits like drawing and painting is essential to cognitive, emotional, and creative abilities, and she began to understand the correlation between her creative activities and her confidence. Making errors, being wrong, failing – that is a generous gift we receive when we practice outside our skill level. By staying in a comfort zone and repeating successes, we stagnate. As Isabel started to create again she thought, “I don’t feel good at it, I do feel good doing it.” The difference was that she was learning and having ideas. Through the act of re-engaging with failure, together with the comradeship of friends and colleagues, including at Women Who Test, Isabel has regained confidence in her professional abilities and been able to reboot her career and her joy. Join Isabel to share a journey from self-perceived failure to recovery and renewed learning.
Instill a DevOps Testing Culture in Your Team and Organization TechWell
The DevOps movement is here. Companies across many industries are breaking down siloed IT departments and federating them into product development teams. Testing and its practices are at the heart of these changes. Traditionally, IT organizations have been staffed with mostly manual testers and a limited number of automation and performance engineers. To keep pace with development in the new “you build it, you own it” environment, testing teams and individuals must develop new technical skills and even embrace coding to stay relevant and add greater value to the business. DevOps really starts with testing. Join Adam Auerbach as he explains what DevOps is and how it relates to testing. He describes how testing must change from top to bottom and how to assess your own environment to identify improvement opportunities. Adam dives into practices like service virtualization, test data management, and continuous testing so you can understand where you are now and identify steps needed to instill a DevOps testing culture in your team and organization.
Test Design for Fully Automated Build ArchitectureTechWell
Imagine this … As soon as any developed functionality is submitted into the code repository, it is automatically subjected to the appropriate battery of tests and then released straight into production. Setting up the pipeline capable of doing just that is becoming more and more common and something you need to know about. But most organizations hit the same stumbling block—just what IS the appropriate battery of tests? Automated build architectures don't always lend themselves well to the traditional stages of testing. In this hands-on tutorial, Melissa Benua introduces you to key test design principles—applicable to organizations both large and small—that allow you to take full advantage of the pipeline's capabilities without introducing unnecessary bottlenecks. Learn how to make highly reliable tests that run fast and preserve just enough information to let testers and developers determine exactly what went wrong and how to reproduce the error locally. Explore ways to reduce overlap while still maintaining adequate test coverage. Take back ideas about which test areas could benefit from being combined into a single suite and which areas could benefit most from being broken out altogether.
System-Level Test Automation: Ensuring a Good StartTechWell
Many organizations invest a lot of effort in test automation at the system level but then have serious problems later on. As a leader, how can you ensure that your new automation efforts will get off to a good start? What can you do to ensure that your automation work provides continuing value? This tutorial covers both “theory” and “practice”. Dot Graham explains the critical issues for getting a good start, and Chris Loder describes his experiences in getting good automation started at a number of companies. The tutorial covers the most important management issues you must address for test automation success, particularly when you are new to automation, and how to choose the best approaches for your organization—no matter which automation tools you use. Focusing on system level testing, Dot and Chris explain how automation affects staffing, who should be responsible for which automation tasks, how managers can best support automation efforts to promote success, what you can realistically expect in benefits and how to report them. They explain—for non-techies—the key technical issues that can make or break your automation effort. Come away with your own clarified automation objectives, and a draft test automation strategy to use to plan your own system-level test automation.
Build Your Mobile App Quality and Test StrategyTechWell
Let’s build a mobile app quality and testing strategy together. Whether you have a web, hybrid, or native app, building a quality and testing strategy means (1) knowing what data and tools you have available to make agile decisions, (2) understanding your customers and your competitors, and (3) testing your app under real-world conditions. Jason Arbon guides you through the latest techniques, data, and tools to ensure the awesomeness of your mobile app quality and testing strategy. Leave this interactive session with a strategy for your very own app—or one you pretend to own. The information Jason shares is based on data from Appdiff’s next-gen mobile app testing platform, lessons from Applause/uTest’s crowd, text mining hundreds of millions of app store reviews, and in-depth discussions with top mobile app development teams.
Testing Transformation: The Art and Science for SuccessTechWell
Technologies, testing processes, and the role of the tester have evolved significantly in the past few years with the advent of agile, DevOps, and other new technologies. It is critical that we testing professionals evaluate ourselves and continue to add tangible value to our organizations. In your work, are you focused on the trivial or on real game changers? Jennifer Bonine describes critical elements that help you artfully blend people, process, and technology to create a synergistic relationship that adds value. Jennifer shares ideas on mastering politics, maneuvering core vs. context, and innovating your technology strategies and processes. She explores how new processes can be introduced in an organization, what the role of organizational culture is in determining the success of a project, and how you can know what tools will add value vs. simply adding overhead and complexity. Jennifer reviews critically needed tester skills and discusses a continual learning model to evolve your skills and stay relevant. This discussion can lead you to technologies, processes, and skills you can stake your career on.
We’ve all been there. We work incredibly hard to develop a feature and design tests based on written requirements. We build a detailed test plan that aligns the tests with the software and the documented business needs. And when we put the tests to the software, it all falls apart because the requirements were changed without informing everyone. Mary Thorn says help is at hand. Enter behavior-driven development (BDD), and Cucumber and SpecFlow, tools for running automated acceptance tests and facilitating BDD. Mary explores the nuances of Cucumber and SpecFlow, and shows you how to implement BDD and agile acceptance testing. By fostering collaboration for implementing active requirements via a common language and format, Cucumber and SpecFlow bridge the communication gap between business stakeholders and implementation teams. In this workshop, practice writing feature files with the best practices Mary has discovered over numerous implementations. If you experience developers not coding to requirements, testers not getting requirements updates, or customers who feel out of the loop and don’t get what they ask for, Mary has answers for you.
Develop WebDriver Automated Tests—and Keep Your SanityTechWell
Many teams go crazy because of brittle, high-maintenance automated test suites. Jim Holmes helps you understand how to create a flexible, maintainable, high-value suite of functional tests using Selenium WebDriver. Learn the basics of what to test, what not to test, and how to avoid overlapping with other types of testing. Jim includes both philosophical concepts and hands-on coding. Testers who haven't written code should not be intimidated! We'll pair you up to make sure you're successful. Learn to create practical tests dealing with advanced situations such as input validation, AJAX delays, and working with file downloads. Additionally, discover when you need to work together with developers to create a system that's more easily testable. This tutorial focuses primarily on automating web tests, but many of the same concepts can be applied to other UI environments. Demos and labs will be in C# and Java using WebDriver. Leave this tutorial having learned how to write high-value WebDriver tests—and stay sane while doing so.
Eliminate Cloud Waste with a Holistic DevOps StrategyTechWell
Chris Parlette maintains that renting infrastructure on demand is the most disruptive trend in IT in decades. In 2016, enterprises spent $23B on public cloud IaaS services. By 2020, that figure is expected to reach $65B. The public cloud is now used like a utility, and like any utility, there is waste. Who's responsible for optimizing the infrastructure and reducing wasted expenses? It’s DevOps. The excess expense, known as cloud waste, comprises several interrelated problems: services running when they don't need to be, improperly sized infrastructure, orphaned resources, and shadow IT. There are a few core tenets of DevOps—holistic thinking, no silos, rapid useful feedback, and automation—that can be applied to reducing your cloud waste. Join Chris to learn why you should include continuous cost optimization in your DevOps processes. Automate cost control, reduce your cloud expenses, and make your life easier.
Transform Test Organizations for the New World of DevOpsTechWell
With the recent emergence of DevOps across the industry, testing organizations are being challenged to transform themselves significantly within a short period of time to stay meaningful within their organizations. It’s not easy to plan and approach these changes considering the way testing organizations have remained structured for ages. These challenges start from foundational organizational structures and can cut across leadership influence, competencies, tools strategy, infrastructure, and other dimensions. Sumit Kumar shares his experience assisting various organizations to overcome these challenges using an organized DevOps enablement framework. The framework includes radical restructuring, turning the tools strategy upside down, multidimensional workforce enablement supported by infrastructure changes, redeveloped collaboration models, and more. From his real-world experiences Sumit shares tips for approaching this journey and explains the roadmap for testing organizations to transform themselves to lead quality in DevOps.
The Fourth Constraint in Project Delivery—LeadershipTechWell
All too often, the triple constraints—time, cost, and quality—are bandied about as if they are the be-all, end-all. While they are important, leadership—the fourth and larger underpinning constraint—influences the first three. Statistics on project success and failure abound, and these measurements are usually taken against the triple constraints. According to the Project Management Institute, only 53 percent of projects are completed within budget, and only 49 percent are completed on time. If so many projects overrun budget and are late, we can’t really say, “Good, fast, or cheap—pick two.” Rob Burkett talks about leadership at every level of a team. He shares his insights and stories gleaned from his years of IT and project management experience. Rob speaks to some of the glaring difficulties in the workplace in general and some specifically related to IT delivery and project management. Leave with a clearer understanding of how to communicate with teams and team members, and gain a better understanding of how you can be a leader—up and down your organization.
Resolve the Contradiction of Specialists within Agile TeamsTechWell
As teams grow, organizations often draw a distinction between feature teams, which deliver the visible business value to the user, and component teams, which manage shared work. Steve Berczuk says that this distinction can help organizations be more productive and scale effectively, but he recognizes that not all shared work fits into this model. Some work is best handled by “specialists,” that is, people with unique skills. Although teams composed entirely of T-shaped people are ideal, certain skills are hard to come by and are used irregularly across an organization. Since these specialists often need to work closely with teams, rather than working from their own backlog, they don’t fit into the component team model. The use of shared resources presents challenges to the agile planning model. Steve Berczuk shares how teams such as those providing infrastructure services and specialists can fit into a feature+component team model, and how variations such as embedding specialists in a scrum team can both present process challenges and add significant value to both the team and the larger organization.
Pin the Tail on the Metric: A Field-Tested Agile GameTechWell
Metrics don’t have to be a necessary evil. If done right, metrics can help guide us to make better forward-looking decisions, rather than being used for simply managing or monitoring. They can help us identify trade-offs between options for what to do next versus punitive or worse, purely managerial measures. Steve Martin won’t be giving the Top Ten List of field-tested metrics you should use. Instead, in this interactive mini-workshop, he leads you through the critical thinking necessary for you to determine what is right for you to measure. First, Steve explores why you want to measure something—whether it’s for a team, a portfolio, or even an agile transformation. Next, he provides multiple real-life metrics examples to help drive home concepts behind characteristics of good and bad metrics. Finally, Steve shows how to run his field-tested agile game—Pin the Tail on the Metric. Take back this activity to help you guide metrics conversations at your organization.
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsTechWell
A hierarchy is an organizational network that has a top and a bottom, and where position is determined by rank, importance, and value. A holarchy is a network that has no top or bottom and where each person’s value derives from his ability, rather than position. As more companies seek the benefits of agile, leaders need to build and sustain delivery capability while scaling agile without introducing unnecessary process and overhead. The Agile Performance Holarchy (APH) is an empirical model for scaling and sustaining agility while continuing to deliver great products. Jeff Dalton designed the APH by drawing from lessons learned observing and assessing hundreds of agile companies and teams. The APH helps implement a holarchy—a system composed of interacting organizational units called holons—centered on a series of performance circles that embody the behaviors of high performing agile organizations. Jeff describes how APH provides guidelines in the areas of leadership, values, teaming, visioning, governing, building, supporting, and engaging within an all-agile organization. Join Jeff to see what the APH is all about and how you can use it in your team and organization.
A Business-First Approach to DevOps ImplementationTechWell
DevOps is a cultural shift aimed at streamlining intergroup communication and improving operational efficiency for development and operations groups. Over time, inclusion of other IT groups under the DevOps umbrella has become the norm for many organizations. But even broadening the boundaries of DevOps, the conversation has been largely devoid of the business units’ place at the table. A common mistake organizations make while going through the DevOps transformation is drawing a line at the IT boundary. If that occurs, a larger, more inclusive silo within the organization is created, operating in an informational vacuum and causing operational inefficiency and goal misalignment. Sharing his experiences working on both sides of the fence, Leon Fayer describes the importance of including business units in order to align technology decisions with business goals. Leon discusses inclusion of business units in existing agile processes, benefits of cross-departmental monitoring, and a business-first approach to technology decisions.
Databases in a Continuous Integration/Delivery ProcessTechWell
DevOps is transforming software development with many organizations adopting lean development practices, implementing continuous integration (CI), and performing regular continuous deployment (CD) to their production environments. However, the database is largely ignored and often seen as a bottleneck in the DevOps process. Steve Jones discusses the challenges of database development and why many developers find the database to be an impediment to the CD process. Steve shares the techniques you can use to fit a database into the DevOps process. Learn how to store database code in a version control system, and the differences between that and application code. Steve demonstrates a CI process with SQL code and uses automated testing frameworks to check the code. Steve then shows how automated releases with manual gates can reduce the stress and risk of database deployments while ensuring consistent, reliable, repeatable releases to QA, UAT, and production.
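As an added illustration of the CI step Steve describes (the editor's example, not Steve Jones's code or any vendor's tooling), the following Python script applies versioned SQL migrations to a database, records each in a `schema_migrations` table so that re-runs are no-ops, rolls back a migration that fails so it is neither half-applied nor recorded, and then runs the kind of schema check a CI job would gate on. It uses SQLite in memory so it runs offline; the migrations, table and column names are constructed for the example.

```python
"""Versioned database migrations with a CI schema check (editor's example).

Each migration is (version, [statements]) in the order it lives in version
control. A schema_migrations table records what has been applied, so running
the script against an already-migrated database does nothing.
"""
import sqlite3

# Constructed sample migrations (hypothetical schema).
MIGRATIONS = [
    ("001_create_users", [
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)",
    ]),
    ("002_add_created_at", [
        "ALTER TABLE users ADD COLUMN created_at TEXT",
    ]),
    ("003_index_email", [
        "CREATE INDEX idx_users_email ON users(email)",
    ]),
]


def fresh_db():
    """In-memory SQLite with autocommit off so we control transactions."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # explicit BEGIN/COMMIT/ROLLBACK below
    return conn


def applied_versions(conn):
    """Versions already recorded; creates the bookkeeping table on first use."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS schema_migrations ("
        " version TEXT PRIMARY KEY,"
        " applied_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)"
    )
    return {row[0] for row in conn.execute("SELECT version FROM schema_migrations")}


def migrate(conn, migrations=MIGRATIONS):
    """Apply pending migrations in order, one transaction each.

    Returns the list of versions applied in this run. A failing migration is
    rolled back (SQLite DDL is transactional) and the error is re-raised, so
    nothing after it runs and the failure is not recorded as applied.
    """
    done = applied_versions(conn)
    applied = []
    for version, statements in migrations:
        if version in done:
            continue
        conn.execute("BEGIN")
        try:
            for stmt in statements:
                conn.execute(stmt)
            conn.execute("INSERT INTO schema_migrations(version) VALUES (?)", (version,))
            conn.execute("COMMIT")
        except sqlite3.Error:
            conn.execute("ROLLBACK")
            raise
        applied.append(version)
    return applied


def table_columns(conn, table):
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]


def check_schema(conn):
    """The CI gate: compare the migrated schema with what the app expects.
    Returns a list of problems; an empty list means the build may proceed."""
    problems = []
    if table_columns(conn, "users") != ["id", "email", "created_at"]:
        problems.append("users: unexpected columns")
    indexes = {row[1] for row in conn.execute("PRAGMA index_list(users)")}
    if "idx_users_email" not in indexes:
        problems.append("users: missing idx_users_email")
    return problems


if __name__ == "__main__":
    db = fresh_db()
    print("applied:", migrate(db))
    print("re-run applied:", migrate(db))  # nothing, already recorded
    print("schema problems:", check_schema(db))
```

The manual gates between QA, UAT and production that Steve mentions sit outside this script: the same `migrate` runs in each environment, and the pipeline simply waits for approval before invoking it against the next one. Running `check_schema` after every migration in CI is what turns "the database is a bottleneck" into an ordinary failing build.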
Mobile Testing: What—and What Not—to AutomateTechWell
Organizations are moving rapidly into mobile technology, which has significantly increased the demand for testing of mobile applications. David Dang says testers naturally are turning to automation to help ease the workload, increase potential test coverage, and improve testing efficiency. But should you try to automate all things mobile? Unfortunately, the answer is not always clear. Mobile has its own set of complications, compounded by a wide variety of devices and OS platforms. Join David to learn what mobile testing activities are ripe for automation—and those items best left to manual efforts. He describes the various considerations for automating each type of mobile application: mobile web, native app, and hybrid applications. David also covers device-level testing, types of testing, available automation tools, and recommendations for automation effectiveness. Finally, based on his years of mobile testing experience, David provides some tips and tricks to approach mobile automation. Leave with a clear plan for automating your mobile applications.
Cultural Intelligence: A Key Skill for SuccessTechWell
Diversity is becoming the norm in everyday life. However, introducing global delivery models without a proper understanding of intercultural differences can lead to difficulty, frustration, and reduced productivity. Priyanka Sharma and Thena Barry say that in our diverse world, we need teams with people who can cross these boundaries, communicate effectively, and build the diverse networks necessary to avoid problems. We need to learn about cultural intelligence (CI) and cultural quotient (CQ). CI is the ability to relate and work effectively across cultures. CQ is the cognitive, motivational, and behavioral capacity to understand and respond to beliefs, values, attitudes, and behaviors of individuals and groups. Together, CI and CQ can help us build behavioral capacities that aid motivation, behavior, and productivity in teams as well as individuals. Priyanka and Thena show how to build a more culturally intelligent place with tools and techniques from Leading with Cultural Intelligence, as well as content from the Hofstede cultural model. In addition, they illustrate the model with real-life experiences and demonstrate how they adapted in similar circumstances.
Turn the Lights On: A Power Utility Company's Agile TransformationTechWell
Why would a century-old utility with no direct competitors take on the challenge of transforming its entire IT application organization to an agile methodology? In an increasingly interconnected world, the expectations of customers continue to evolve. From smart meters to smart phones, IoT is creating a crisis point for industries not accustomed to rapid change. Glen Morris explains that pizzas can be tracked by the minute and packages at every stop, and customers now expect this same customer service model should exist for all industries—including power. Glen examines how to create momentum and transform non-IT-focused industries to an agile model. If you are struggling with gaining traction in your pursuit of agile within your business, Glen gives you concrete, practical experiences to leverage in your pursuit. Finally, he communicates how to gain buy-in from business partners who have no idea or concern about agile or its methodologies. If your business partners look at you with amusement when you mention the need for a dedicated Product Owner, join Glen as he walks you through the approaches to overcoming agile skepticism.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
The Art of the Pitch: WordPress Relationships and Sales
Better Security Testing: Using the Cloud and Continuous Delivery
T17
Security Testing
5/2/2013 1:30:00 PM
Better Security Testing: Using the Cloud and Continuous Delivery
Presented by:
Gene Gotimer
Coveros, Inc.
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 ∙ 904-278-0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
Gene Gotimer
Gene Gotimer is a senior architect at Coveros, Inc., a consulting company that uses agile methods to accelerate the delivery of secure, reliable software. Gene is an experienced software developer who focuses on continuous integration, static code analysis, automation, and any tool he can find to do his work for him. For the past few years, he has been on a team that is bringing a continuous delivery process into the US Department of Defense, showing that higher quality software can be delivered quicker and with more security by using agile techniques.
Better Security Testing Using the Cloud and Continuous Delivery
Gene Gotimer
Coveros, Inc.
Security testing is often put off as one of the last tasks of the development cycle. So when the security scans or reviews find vulnerabilities, businesses can be put in the position of remediating the security issues appropriately and delaying a release or keeping a release on schedule and accepting the risks. Those risks are not always clearly understood and almost never have a clear dollar figure associated with them. Without really knowing what they are getting into, security remediation may be dropped and the security testing treated as a checkbox that “we ran the security test tool” with no action being taken as a result.
It is easy to see how security testing can become an afterthought or a second-class citizen during the development process. It becomes a question of return on investment (ROI). To make a stronger case for additional security testing we either have to increase the return or decrease the investment.
There is good news. Open-source and free security testing tools are growing in popularity and capability. A development team can quickly (and, if needed, quietly) add security testing tools to their process, without procuring an expensive security tool. That reduces the cost of the initial investment and may eliminate some barriers to entry.
And it turns out that Cloud initiatives and efforts towards Continuous Delivery (CD) not only have some great benefits of their own, but can also provide some opportunities to get security testing in place without a large outlay of resources. For a team that is trying to increase their security testing as cheaply as possible, there are plenty of chances to add it to their process almost for free.
Those will be the focus of my discussion: low effort opportunities to integrate security testing into the development process, and the free and open-source tools that can make it practical.
While I will focus on free and open-source tools, commercial tools can be better and easier to use. A more mature security testing practice may choose to use the commercial tool instead. Commercial tools may already be available in your organization, which can ease adoption by being already paid for, by being easier to use, by being more capable, and especially by having some people in your organization that can help you use the tool and interpret the results.
Continuous Integration
Continuous integration (CI) is the practice of merging the work from multiple developers frequently, often multiple times per day. It almost always involves frequent code commits to a source control system and running unit tests on each and every commit. The primary benefit is that there is no long cycle of integration at the end of the development cycle with developers scrambling to make all our code work together. Plus, as the unit tests and the integration efforts find problems, we make adjustments to our code while it is fresh in the developers’ minds. Developers get into a build-test-commit cycle which gives us rapid feedback and makes working, unit-tested code available to the rest of the team on a continuous basis.
Continuous Delivery
Continuous delivery is a software development process that aims to have every build releasable to production. It may not be released, but everyone involved will be able to make an informed business decision to release that software without having to guess whether or not it will work.
Continuous delivery can be viewed as the logical extrapolation of continuous integration. After running the normal unit tests on the code, we frequently deploy code and run other tests, such as functional tests, load and performance tests, and even security tests. By extending the CI concept of build-test-commit to be build-test-commit-deploy-test-release, we can extend the rapid feedback cycle all the way out to production releases, or at least to the point of releasable software. And instead of just having unit-tested code available to the other developers, now we have production-ready code available to the business.
Enabling continuous delivery means adding automation to deploys, so that deploys can happen without a lot of effort. If it is expensive in terms of time and effort to deploy, it won’t be done often. And if it isn’t automated, it won’t be repeatable and consistent. Not only do deploys to our test environments become non-events, but we know when we push into production that the deploy process will work the same way. After all, the deploy process has been tested just as often as the code has.
Cloud Computing
Cloud computing has brought a new economy to acquiring and provisioning computing resources. Along with that, the cloud has brought a new wave of tools to make configuration management and software deployment capable of exploiting that newfound speed and low costs.
Because we are deploying on a rapid schedule, we can’t wait for the normal weeks-to-months long procurement and installation cycles to get hardware ready for us to deploy to. With cloud computing, the procurement cycle can be minutes long. And the investment per project is usually lower, too.
If we use a public cloud like Amazon, cloud services are always available for ordering. Virtually any amount of computing power can be ordered whenever we need it. Private cloud computing resources are often pooled, so when we are done using them the resources can be returned to the pool for other teams to use.
Cloud computing has a symbiotic relationship with continuous delivery. Deploys are easy because they are automated, so we have less of a barrier to standing up new environments. And establishing new environments in the cloud is easy, so we can stand one up from scratch whenever it would be convenient to have another instance of the application deployed.
Maturity Model for Security Testing
To grow a security testing practice, we need to first take stock of where we stand now. Then we need to have some path to follow, milestones to shoot for, and some way to measure if we are making improvements or not. One way to measure our current state and chart our growth is a maturity model.
We’ll start by setting the scale. The levels might be good for comparing the maturity of security testing between two different projects, but they are really just intended as an example of milestones to aim for. Each level represents an opportunity to introduce new security tests and security testing tools into the process. The progression ranges from introducing security testing to an established practice and onto advancing and refining your security testing capabilities.
• Level 0: No Security Testing
• Level 1: Unit Testing and Static Analysis
• Level 2: Automated Deploys and Functional Testing
• Level 3: Automated Configuration Management
• Level 4: Cloud Deployments
• Level 5: Continuous Delivery
These levels aren’t equally spaced in time or effort to achieve them. Going from nothing to unit tests and static analysis is much easier than going from automated configuration management to cloud deployments. In general, the more mature the practice, the more effort it will require to incorporate the next practice. The early ones are the types of testing we can add almost for free, while the later practices require a lot of discipline and a committed effort.
Largely for this reason, not every project will benefit from working towards the ultimate level. It might be sufficient to unit test and do static analysis on an internal utility with a limited lifespan and no sensitive data or access, while an online ordering system available to the public certainly needs more security attention. What constitutes “enough” security testing has to be determined for each project.
Level 0: No Security Testing
The initial state is no security testing. We’ll score that as a zero. Unfortunately, far too many projects start and end here. The good news is that if we start here, even the slightest bit of improvement is a win.
Level 1: Unit Testing and Static Analysis
The next step, barely doing any security testing, is very easy to integrate into our development process: simply add unit testing and static analysis. You might not normally file those under security tests, but they are a good foot in the door and if you are doing CI you probably have these already.
Perhaps the biggest advantage of having good unit tests is the confidence that we can make changes to an application safely, without making unintended changes to behavior. That decreases the risks involved with any code changes, including security remediation, even late in the development cycle. This makes unit testing a critical practice as the foundation for any development.
Through normal efforts in unit testing, most developers will start testing edge cases and failure cases. For example,
• What happens if we have no items in the list we are iterating through?
• What happens when we expect 5 items but only get 4?
• How do we handle a file not found when we try to read a configuration file?
• What if the file is found but not in the correct format?
Poor handling of these types of errors can lead to some common types of security vulnerabilities: error handling, general logic errors, bounds checking, etc. Unit testing is well-suited to identifying some of these error types since the units are tested independently. Fewer assumptions about the input and program state are made, so the units are able to better stand on their own. As a result, it can be easier to test each unit more thoroughly for undesirable or unexpected conditions. Adding a code coverage tool can help us identify edge conditions and testing opportunities that we missed initially.
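As an added example (not from the paper), here is what those four edge cases look like as unit tests in Python’s own unittest module (the PyUnit listed among the tools below): a small configuration loader and two list helpers, each written so that a failure path raises a clear exception instead of returning a half-populated result or reading past the data it was given. The function and key names (parse_config, load_config, first_n, total_size, the REQUIRED_KEYS) are this example’s own, not from any real project.

```python
"""Added example: unit tests for the edge and failure cases a config loader
and two list helpers must handle.  All names here are hypothetical."""
import json
import os
import unittest

# Keys every config file must carry (constructed for this example).
REQUIRED_KEYS = ("host", "port", "timeout_s")


class ConfigError(Exception):
    """Single exception type for any configuration problem, so callers can
    fail closed with one except clause."""


def parse_config(text):
    """Validate configuration JSON and return it as a dict.

    Bad format, wrong root type, missing keys and out-of-range values all
    become ConfigError; nothing is silently defaulted."""
    try:
        data = json.loads(text)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        raise ConfigError("config is not valid JSON: %s" % exc)
    if not isinstance(data, dict):
        raise ConfigError("config root must be a JSON object")
    missing = [key for key in REQUIRED_KEYS if key not in data]
    if missing:
        raise ConfigError("missing required keys: %s" % ", ".join(missing))
    port = data["port"]
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        raise ConfigError("port must be an integer in 1..65535")
    if not isinstance(data["host"], str) or not data["host"]:
        raise ConfigError("host must be a non-empty string")
    return data


def load_config(path):
    """Read a config file; a missing or unreadable file is a ConfigError too."""
    if not os.path.isfile(path):
        raise ConfigError("config file not found: %s" % path)
    try:
        with open(path, "r", encoding="utf-8") as handle:
            return parse_config(handle.read())
    except OSError as exc:
        raise ConfigError("config file unreadable: %s" % exc)


def total_size(items):
    """Sum the size of each item.  An empty list is valid input and sums to 0."""
    return sum(item["size"] for item in items)


def first_n(items, n):
    """Return exactly n items.  A short list is an error, not silently padded
    or truncated, so callers never act on fewer items than they expected."""
    if n < 0:
        raise ValueError("n must be non-negative")
    if len(items) < n:
        raise ValueError("expected %d items, got %d" % (n, len(items)))
    return list(items[:n])


class EdgeCaseTests(unittest.TestCase):
    def test_empty_list_is_handled(self):
        self.assertEqual(total_size([]), 0)

    def test_too_few_items_is_rejected(self):
        with self.assertRaises(ValueError):
            first_n([1, 2, 3, 4], 5)

    def test_missing_file(self):
        with self.assertRaises(ConfigError):
            load_config("/nonexistent/dir/app.json")  # constructed path

    def test_wrong_format(self):
        with self.assertRaises(ConfigError):
            parse_config("host = db.internal")  # INI-style text, not JSON

    def test_missing_key(self):
        with self.assertRaises(ConfigError):
            parse_config('{"host": "db.internal", "port": 5432}')

    def test_valid_config(self):
        cfg = parse_config('{"host": "db.internal", "port": 5432, "timeout_s": 5}')
        self.assertEqual(cfg["port"], 5432)


if __name__ == "__main__":
    unittest.main()
```

Running the file with `python -m unittest` executes the six cases; in a CI engine the same command runs on every commit, which is the point of the level: the tests cost nothing extra once they exist.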
Static analysis tools look at source code or compiled code, looking for common errors, unused variables, style and formatting variations, and similar items. Like unit tests, static analysis tools can identify some potential security problems:
• Are inputs validated?
• Are outputs escaped?
• Is the source code hard to understand, and therefore easy for other developers to misuse?
• Is there a lot of duplicated source code? If we fix a bug once will the same problem crop up in other places?
Most modern languages have a selection of open-source static analysis tools that can scan source code looking for predictable problems. SQL injection, Cross-Site Scripting (XSS), and hard-coded passwords are common vulnerabilities that can often be detected by static code analysis.
With a CI practice, it is easy to configure unit testing and static code analysis to run on every commit or at least every night. We can make it part of a project’s boilerplate build scripts and/or even enable it in our CI engine with little more than the click of a configuration checkbox.
Just adding unit testing or static analysis isn’t a comprehensive security testing process, but it is easy to get started and is far better than nothing. And we need to have these anyway.
Here are some suggestions for some free and/or open-source tools to get started:
• Unit testing:
  - JUnit for Java, http://junit.org
  - NUnit for .Net, http://www.nunit.org
  - PyUnit for Python, http://pyunit.sourceforge.net
  - PHPUnit for PHP, http://www.phpunit.de
• Static Analysis:
  - Sonar for many languages, http://www.sonarsource.org
  - PMD for Java, http://pmd.sourceforge.net
  - FindBugs for Java, http://findbugs.sourceforge.net
  - PHPMD for PHP, http://phpmd.org
  - FxCop for .Net, http://msdn.microsoft.com/en-us/library/bb429476.aspx
  - PyChecker for Python, http://pychecker.sourceforge.net
  - pylint for Python, http://www.pylint.org
Level 2: Automated Deploys and Functional Testing
Automated deploys are the first step most teams think of when they start working towards continuous delivery. Automated deploys also open up some opportunities for more focused security testing.
The most obvious opportunity is just being able to scan the deployed application on a frequent basis. If we can deploy automatically, then we can kick off security tests after we deploy and get a scan early in the development cycle. We can investigate and remediate vulnerabilities we find before it is too late to address them.
Even better, if we can trigger a deploy and scan using our CI engine, then developers can get same-day or next-day feedback that shows that they may have introduced a security issue. They can fix problems while the code is still fresh on their minds.
The easiest way to start scanning an automated deploy is with black-box tools that can just be pointed at the deployed application and need little-to-no configuration initially. Some examples for web applications include:
• w3af, http://w3af.org
• wapiti, http://wapiti.sourceforge.net
• Skipfish, http://code.google.com/p/skipfish/
While these tools can (and should) eventually be tuned to better suit our application, even the most basic scans can provide a wealth of information. Simple tuning can usually limit runtimes to be short enough to fit the situation. For example, every hour we could run a quick, superficial scan that takes 10 minutes and then overnight we could run a more detailed scan.
Automated deployments also ease automated functional testing. In addition to the normal user behavior tests, we can use functional tests to test access controls and data protection. User roles can be very thoroughly tested using automated functional tests, especially when doing negative testing. For example, a user should be able to see their account information, but not someone else’s. Users with one role should be able to access certain functionality, but not other functionality.
The most popular open source functional test framework for web applications is Selenium (http://seleniumhq.org), although there are plenty of good alternatives. There are also many good options for applications that aren’t web-based or browser-based, such as web services.
Having those tests automated means they can be run frequently, and they become a great shield against regression bugs and unintended data leakage. Like unit tests, the strongest advantage of automated functional tests is that changes can be made to individual features without introducing unwanted behavior changes. If we enable a role to view a new aggregate report, did those users also get the ability to view someone else’s data? If we explicitly add the ability for a role to see another user’s data, are they still prohibited from making changes to it?
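As an added example (not the paper’s or any project’s code), here is a minimal in-memory account service with role-based access rules and the negative tests the text describes: a customer can see their own account but not someone else’s, a support role that was explicitly given read access to other users’ accounts still cannot change them, and the aggregate report that the support and admin roles may view exposes totals only. Users, roles, account numbers and balances are constructed for the example; in a real system the same assertions would drive the deployed application through a framework such as Selenium rather than calling functions directly.

```python
"""Added example: role-based access checks with the negative tests that
guard them.  Every user, role and account below is constructed."""
import unittest

# Constructed directory of users and their single role.
ROLES = {"alice": "customer", "bob": "customer", "carol": "support", "dave": "admin"}

# Constructed account store; in a real system this would be a database.
ACCOUNTS = {
    "A-100": {"owner": "alice", "balance": 50},
    "A-200": {"owner": "bob", "balance": 75},
}

# Which roles may read, and which may write, accounts they do not own.
READ_OTHERS = {"support", "admin"}
WRITE_OTHERS = {"admin"}


class Forbidden(Exception):
    """Raised on any denied access; unknown users and accounts are denied too."""


def _role(user):
    return ROLES.get(user)  # None for unknown users, so every check fails


def can_view(user, account_id):
    """Default deny: only the owner or a role in READ_OTHERS may read."""
    account = ACCOUNTS.get(account_id)
    if account is None or _role(user) is None:
        return False
    return account["owner"] == user or _role(user) in READ_OTHERS


def can_modify(user, account_id):
    """Write access is narrower than read access and never implied by it."""
    account = ACCOUNTS.get(account_id)
    if account is None or _role(user) is None:
        return False
    return account["owner"] == user or _role(user) in WRITE_OTHERS


def view_account(user, account_id):
    if not can_view(user, account_id):
        raise Forbidden("%s may not view %s" % (user, account_id))
    return dict(ACCOUNTS[account_id])  # copy, so callers cannot mutate the store


def set_balance(user, account_id, new_balance):
    if not can_modify(user, account_id):
        raise Forbidden("%s may not modify %s" % (user, account_id))
    ACCOUNTS[account_id]["balance"] = new_balance
    return ACCOUNTS[account_id]["balance"]


def aggregate_report(user):
    """Totals across all accounts for READ_OTHERS roles; no per-account data."""
    if _role(user) not in READ_OTHERS:
        raise Forbidden("%s may not view the aggregate report" % user)
    return {"accounts": len(ACCOUNTS),
            "total_balance": sum(a["balance"] for a in ACCOUNTS.values())}


class AccessControlTests(unittest.TestCase):
    def test_owner_sees_own_account(self):
        self.assertEqual(view_account("alice", "A-100")["balance"], 50)

    def test_customer_cannot_see_other_account(self):
        with self.assertRaises(Forbidden):
            view_account("alice", "A-200")

    def test_support_can_read_but_not_write(self):
        self.assertEqual(view_account("carol", "A-200")["owner"], "bob")
        with self.assertRaises(Forbidden):
            set_balance("carol", "A-200", 0)

    def test_report_has_no_per_account_detail(self):
        report = aggregate_report("carol")
        self.assertEqual(report, {"accounts": 2, "total_balance": 125})
        self.assertNotIn("A-100", str(report))

    def test_unknown_user_and_account_are_denied(self):
        with self.assertRaises(Forbidden):
            view_account("mallory", "A-100")
        with self.assertRaises(Forbidden):
            view_account("dave", "A-999")


if __name__ == "__main__":
    unittest.main()
```

The design choice worth copying is that read and write permissions are separate tables, so extending one (giving support read access) cannot silently extend the other, and the negative tests pin that down for every future change.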
If we combine the automated functional tests with security scanning we get some very good insight into possible vulnerabilities. Running the functional tests through a proxy can uncover XSS and Cross-Site Request Forgery (XSRF) issues that a typical web scanner could not reach without login credentials or complex combinations of actions, for example. Proxies can also help find unintended external data leakage, such as a finding that a third-party library uses a public web service to generate charts. Collecting URLs from web access logs that were accessed during functional tests can be a great addition to spidering targets for web application scanners.
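As an added example (not the paper’s code), the following Python turns web access-log lines recorded during a functional test run into a de-duplicated seed list for a scanner. It is a hypothetical helper: the log lines are constructed in the Apache/Nginx combined format, and the filtering rules (only the test client’s IP, only successful or redirected requests, no static assets, one entry per method, path and set of query parameter names) are choices made for this example.

```python
"""Added example: build a scanner seed list from access-log lines captured
while functional tests ran.  The log lines are constructed."""
import re
from urllib.parse import urlsplit

# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Static assets are rarely worth a scanner's time; include_static keeps them.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")

# Constructed sample: a Selenium client at 10.1.2.3 plus one unrelated client.
SAMPLE_LOG = """\
10.1.2.3 - - [02/May/2013:13:30:01 -0400] "GET /app/login HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (test)"
10.1.2.3 - - [02/May/2013:13:30:02 -0400] "POST /app/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (test)"
10.1.2.3 - - [02/May/2013:13:30:02 -0400] "GET /static/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (test)"
10.1.2.3 - - [02/May/2013:13:30:03 -0400] "GET /app/account/A-100 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (test)"
10.1.2.3 - - [02/May/2013:13:30:04 -0400] "GET /app/account/A-200 HTTP/1.1" 403 88 "-" "Mozilla/5.0 (test)"
10.1.2.3 - - [02/May/2013:13:30:05 -0400] "GET /app/report?year=2013&format=csv HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (test)"
10.1.2.3 - - [02/May/2013:13:30:06 -0400] "GET /app/report?year=2012&format=pdf HTTP/1.1" 200 9100 "-" "Mozilla/5.0 (test)"
192.0.2.9 - - [02/May/2013:13:31:00 -0400] "GET /app/admin HTTP/1.1" 200 300 "-" "curl/7.29"
this line is not a log entry and is skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def seed_targets(lines, base_url, client_ips=None, max_status=399, include_static=False):
    """Collect unique (method, url, parameter names) tuples from log lines.

    client_ips limits the result to the functional-test clients, so traffic
    from other users of a shared test environment is not mixed in.  Query
    parameter values are dropped; only the parameter names are kept, which
    is enough for a scanner to know what the endpoint accepts."""
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if client_ips is not None and rec["ip"] not in client_ips:
            continue
        if int(rec["status"]) > max_status:
            continue  # denied or failed requests are not spidering seeds
        parts = urlsplit(rec["target"])
        if not include_static and parts.path.lower().endswith(STATIC_EXT):
            continue
        params = tuple(sorted({p.split("=", 1)[0] for p in parts.query.split("&") if p}))
        seen.add((rec["method"], base_url.rstrip("/") + parts.path, params))
    return sorted(seen)


if __name__ == "__main__":
    for method, url, params in seed_targets(
            SAMPLE_LOG.splitlines(), "https://app.example.test", client_ips={"10.1.2.3"}):
        print(method, url, "params=%s" % ",".join(params))
```

On the constructed log this yields four targets: the two report requests collapse into one entry with parameter names `format` and `year`, the stylesheet and the 403 response are dropped, and the request from the other client is ignored. The resulting list can be handed to a scanner as its spider seeds, or written to a file the CI job passes to the scan step.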
Free web application proxies include:
• OWASP Zed Attack Proxy (ZAP) Project, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• OWASP WebScarab, https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
• Ratproxy, http://code.google.com/p/ratproxy/
Level 3: Automated Configuration Management
Configuration management means different things to different people, but I am referring to being able to determine and recreate the state of a computer system: OS, configuration files and settings, package versions, dependency versions, etc.
Frameworks such as Puppet (https://puppetlabs.com/puppet/puppet-open-source/) and Chef (http://www.opscode.com/chef/) are gaining a lot of traction for handling automated configuration management functions. They allow package versions, file permissions and ownership, and network services to be specified and controlled in code, rather than a list of manual steps a system administrator must remember to follow upon installation.
Puppet and Chef can be used alongside tools such as Cobbler (http://cobbler.github.com/), Kickstart (http://fedoraproject.org/wiki/Anaconda/Kickstart), or Windows Deployment Services (http://msdn.microsoft.com/en-us/library/aa967394.aspx) to stand up a system from “bare metal”. Or they can be used in conjunction with a “Gold Disk” or other standardized OS installs to completely recreate a production-like environment and system laydown.
From a security point of view, the configuration management itself is the biggest draw. Being able to review and specify a system configuration via code and knowing that it represents the actual system state rather than the requested system state is invaluable during security audits. And the ability to recreate an environment has tremendous forensic value when troubleshooting a security incident, not to mention simply being able to reliably recreate production bugs in non-production environments.
Another advantage is that we can baseline (return to a known state) a complete system easily. That means that we can run a security scan on a cleanly installed system, and the entire system can be analyzed. Scanners like OpenVAS (http://www.openvas.org/), an open-source Nessus fork, Nmap (http://nmap.org/), and Nikto2 (http://cirt.net/nikto2) can be used against a system to scan for vulnerabilities via open ports and exposed services. We can schedule these tools to run regularly or script them to run from a CI engine. Rather than wait for a security expert to schedule a scan of our application on a pre-production system just before release, we can scan the system every day so that we know the results and can remediate issues during the development cycle.
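As an added example (not the paper’s code, and not part of Nmap or OpenVAS), here is a Python check that fits the daily-scan idea above: it parses Nmap’s grepable output (the -oG format) for two scans, a stored baseline taken from the cleanly installed system and today’s run, and reports any port that is open now but was not open in the baseline, so a CI job can fail the build the day a configuration change exposes a new service. Both scan outputs are constructed for the example; the host addresses, ports and the decision to consider only ports in state “open” are assumptions.

```python
"""Added example: diff today's Nmap grepable output against a stored baseline
and flag newly exposed ports.  Both scan texts below are constructed."""

# Constructed baseline in -oG style.  Real output has "# Nmap ..." comment lines
# and a "Status: Up" line per host; the parser ignores both.
BASELINE_SCAN = """\
# Nmap 6.25 scan initiated (constructed)
Host: 10.0.0.11 (web1)\tStatus: Up
Host: 10.0.0.11 (web1)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.12 (db1)\tStatus: Up
Host: 10.0.0.12 (db1)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\tIgnored State: filtered (998)
# Nmap done (constructed)
"""

# Constructed current scan: web1 now exposes 8080 and shows a filtered 25;
# db1 is unchanged.
CURRENT_SCAN = """\
# Nmap 6.25 scan initiated (constructed)
Host: 10.0.0.11 (web1)\tStatus: Up
Host: 10.0.0.11 (web1)\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
Host: 10.0.0.12 (db1)\tStatus: Up
Host: 10.0.0.12 (db1)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\tIgnored State: filtered (998)
# Nmap done (constructed)
"""


def parse_grepable(text):
    """Map each host IP to the set of (port, proto, service) entries in state 'open'.

    A grepable host line is tab-separated: 'Host: IP (name)', then 'Ports: ...',
    where each port entry is port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        open_ports = hosts.setdefault(ip, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                if state == "open":
                    open_ports.add((int(port), proto, service))
    return hosts


def new_exposures(baseline, current):
    """Ports open in current that the baseline did not have.

    A host missing from the baseline counts entirely as new exposure."""
    findings = {}
    for ip, ports in current.items():
        added = ports - baseline.get(ip, set())
        if added:
            findings[ip] = sorted(added)
    return findings


def closed_since_baseline(baseline, current):
    """Ports that disappeared; not a failure, but worth showing on a dashboard."""
    return {ip: sorted(ports - current.get(ip, set()))
            for ip, ports in baseline.items() if ports - current.get(ip, set())}


def check(baseline_text, current_text):
    """Return (ok, findings); ok is False when anything new is exposed."""
    findings = new_exposures(parse_grepable(baseline_text), parse_grepable(current_text))
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check(BASELINE_SCAN, CURRENT_SCAN)
    for ip, ports in findings.items():
        for port, proto, service in ports:
            print("NEW: %s %d/%s (%s)" % (ip, port, proto, service))
    raise SystemExit(0 if ok else 1)  # a non-zero exit fails the CI build
```

The baseline file is committed alongside the configuration management code, so an intentional change (a new service in the Puppet manifest) is accompanied by an updated baseline in the same commit, while an unintentional one shows up as a failed build the next morning.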
Level 4: Cloud Deployment
Deploying our application in the cloud allows environments to be stood up without much time, effort, or cost. Since we’ve already automated the deployment and the OS and system installation, now standing up a new environment from nothing can be effortless, even without provisioned hardware.
That in turn means we can stand up an environment whenever we need it and only keep it operating while it is in use. More projects can share fewer resources since they won’t all need the resources at the same time. We can run long running scans, such as deep fuzzing scans, against a newly provisioned, dedicated environment while other development efforts continue in other environments in parallel.
Also, we can execute resource intensive tests with adequate resources even if those resources cannot be reserved indefinitely. Performance, load, and stress tests can be run on “production-sized” machines rather than possibly undersized development systems. That can help better identify limits and reduce the risks of denial of service attacks. Failover and high-availability systems often get tested once prior to the initial production release, and then never tested again, only because it was too expensive to have an entire extra set of redundant systems stood up in a test environment.
Some tests can benefit from the use of multiple client systems as well. Rather than running many hours of functional tests overnight and having a one-day lag between code commit and test results, we can use cloud resources to stand up multiple client systems to run the functional tests in parallel. Not only can we run the tests more often since they take less elapsed time, but we’ll be better able to identify race conditions and multi-user interactions.
Open-source performance testing frameworks for web-based applications include:
• Apache JMeter (http://jmeter.apache.org), which builds tests from a Java-based UI and can test HTTP, HTTPS, SOAP, JDBC, LDAP, JMS, SMTP, POP, and IMAP, among other protocols
• ab, ApacheBench (http://httpd.apache.org/docs/2.4/programs/ab.html), for command-line driven performance tests
• The Grinder (http://grinder.sourceforge.net), for load testing with tests written in Jython and Clojure
• Gatling (http://gatling-tool.org), for stress testing with tests written in Scala
Level 5: Continuous Delivery
Continuous delivery means being able to deliver software at any time. It takes releasing software from what had been a lengthy and often risky development process to an automated process that ensures the timing of a release is a purely business decision. It can range in practice from having a release always ready to go should the stakeholder want to promote it to production, to continuous deployment where the software is tested thoroughly enough that stakeholders are confident that it can be promoted automatically, without any human decision points, whenever all automated testing reaches a “good enough” threshold.
This stage requires a very high level of automation, so that we have enough confidence in all testing (functional, regression, performance, and security testing) to allow unattended, automated releases. Most software, and certainly most organizations, will never reach this level of trust in automated testing, but it is a valuable goal.
Along with the automation itself, dashboards are important to display the results of all the various builds and tests through the process. The more automation and testing that is involved, the more information that has to be processed, and the more important dashboards become. The proliferation of environments makes it critical for us to be able to quickly determine what the configuration of each environment is, what packages are installed, what tests have been performed, and what the results of those tests were.
Unfortunately, there aren’t any ready-to-use open-source dashboards for a continuous delivery process, which makes sense since the process and tools can vary significantly from team to team and project to project. We will have to develop these dashboards as they are needed.
Personal Experience
My current project is a large integration and customization project for the Department of Defense (DoD). As part of our mission, our team was tasked to introduce an agile development process and demonstrate how it could be used on a DoD project. That eventually became an effort to work towards a Continuous Delivery process, and to show if and how it would work in the DoD environment.
We’ve made great progress. Over the last year we have added deploys that are almost entirely automated using Puppet, although a few manual steps still remain. We have developed a suite of functional tests to cover our entire system. The system is web based, and we have chosen Selenium for our functional tests. We have just recently added JMeter testing to measure performance, really focused on watching the trends as we make releases. I.e., have we made the system noticeably faster/slower?
One item we had not addressed until well into the project was security testing. We had done it a few times manually, but another part of the organization was responsible for the security scanning, so we didn’t build it into our process. If that sounds like a weak justification, it is. We just kept making excuses, such as:
• The “official” tool is expensive.
• It would take a lot of time to acquire and then to configure it.
• We don’t have time.
• It isn’t our responsibility.
• The security team wouldn’t accept our scans anyway.
While there is a grain of truth to each of those, we finally gave it some serious thought and realized that we already had the infrastructure and process to support some security testing, and could start doing a lot more with very little effort.
We decided we would focus on open-source tools that paralleled what the security team would eventually use. The more testing we did up front, the less likely we were to be surprised by findings at the end of the cycle. Focusing on improving the security was more important for our development team than worrying if we could satisfy compliance requirements by running particular tools. But since security truly was the responsibility of another team, we did not have any significant time to implement our testing.
We use w3af to do web application scanning. Our application relies on client-side certificates for login, so we had to make some slight customizations to w3af to deal with passing a certificate in. Fortunately, w3af is open source and written in Python, and it was easy to add the required support with just a few lines of code. We can run w3af from our CI engine, Jenkins, but don’t often because we haven’t come up with a convenient way to display the results. Since a manual inspection of the scan results is still required we don’t execute the w3af scans continuously. We are working on better reporting so we can quickly see what changes in the scans were made with the recent changes to the code.
We set up OpenVAS to do remote scans and vulnerability assessments. The scans run each weekend against our test systems. Ten servers are scanned in parallel; the scans are completed in less than two hours. We could scan more often, but the systems themselves don’t change open ports and installed packages often enough to warrant it. If needed, we can start the scans on demand. OpenVAS maintains a history of the scans and can track issues we’ve identified as false positives. It also shows changes and overall trends in the number of vulnerabilities.
We added OpenSCAP (http://www.open-scap.org) as part of our CI process. It runs a series of automated
checks against our systems to determine compliance with a set of security standards, which in our case
are mandated. The Security Content Automation Protocol (SCAP) content also includes a fair number of checks that must be
performed manually, but at least running the automated checks makes our compliance efforts
easier. Most importantly, we can see when a change to our system or to our application introduces or
fixes any security vulnerabilities.
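The “what changed since the last run” view described above is easy to build from the result files OpenSCAP already produces. The following Python script is an added example, not code from the article or from the OpenSCAP project: it parses two XCCDF result documents of the kind `oscap xccdf eval --results` writes, reports rules that newly fail or newly pass, and exits non-zero only on regressions so a Jenkins job can flag the build without being blocked by the pre-existing backlog. The two embedded result documents and their rule identifiers are constructed sample data (not a real benchmark), and the `oscap` command in the docstring assumes a profile id and content path you would substitute with your own.

```python
"""Report which OpenSCAP rules newly fail or newly pass between two scan runs.

Added example (not the article's or OpenSCAP's own code). The input files are
XCCDF result documents as written by, for instance (profile id and content
path are assumptions, substitute your own benchmark):
    oscap xccdf eval --profile xccdf_example_profile_baseline --results current.xml example-xccdf.xml
"""
import sys
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace; XCCDF 1.1 content is written under .../xccdf/1.1 instead.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NSMAP = {"x": XCCDF_NS}

# Outcomes that mean "this control is not satisfied". notapplicable,
# notselected, notchecked and informational are neither pass nor fail.
FAILING = {"fail", "error", "unknown"}

# Constructed sample: the previous run, with one known failure.
PREVIOUS_RUN = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_example_testresult_previous">
  <rule-result idref="xccdf_example_rule_sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_no_empty_passwords"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_gui_not_installed"><result>notapplicable</result></rule-result>
</TestResult>
"""

# Constructed sample: the current run. A configuration change re-enabled root
# ssh login, the empty-password finding was fixed, and a newly added rule fails.
CURRENT_RUN = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_example_testresult_current">
  <rule-result idref="xccdf_example_rule_sshd_disable_root_login"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_no_empty_passwords"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_gui_not_installed"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_example_rule_firewall_enabled"><result>fail</result></rule-result>
</TestResult>
"""


def parse_rule_results(xml_text):
    """Return {rule idref: result string} for every <rule-result> in the document."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter("{%s}rule-result" % XCCDF_NS):
        res = rr.find("x:result", NSMAP)
        if res is not None and res.text:
            results[rr.get("idref")] = res.text.strip()
    return results


def diff_results(previous, current):
    """Return (regressions, fixes) between two rule-result maps.

    regressions: rules failing now that were not failing before (a rule that
                 first appears in the current run and fails counts too).
    fixes:       rules that failed before and pass now.
    """
    regressions = sorted(
        rid for rid, res in current.items()
        if res in FAILING and previous.get(rid, "pass") not in FAILING
    )
    fixes = sorted(
        rid for rid, res in previous.items()
        if res in FAILING and current.get(rid) == "pass"
    )
    return regressions, fixes


def ci_exit_code(previous_xml, current_xml):
    """Print a short report; return 1 if anything regressed, else 0.

    Pre-existing failures are listed but do not fail the build: the point is
    to catch what the latest change broke while the backlog is worked separately.
    """
    previous = parse_rule_results(previous_xml)
    current = parse_rule_results(current_xml)
    regressions, fixes = diff_results(previous, current)
    still_failing = [rid for rid, res in sorted(current.items())
                     if res in FAILING and rid not in regressions]
    for label, rules in (("REGRESSED", regressions), ("FIXED", fixes),
                         ("STILL FAILING", still_failing)):
        for rid in rules:
            print("%-14s %s" % (label, rid))
    return 1 if regressions else 0


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_prev, open(sys.argv[2]) as f_cur:
            sys.exit(ci_exit_code(f_prev.read(), f_cur.read()))
    # No arguments: run against the constructed samples above.
    sys.exit(ci_exit_code(PREVIOUS_RUN, CURRENT_RUN))
```

In a Jenkins job the previous run’s `results.xml` would be archived as a build artifact and passed as the first argument; the same diff-against-last-run idea is what makes a w3af or OpenVAS report reviewable in minutes instead of requiring a full manual read each time.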
Each of these security scans was initially implemented in a day or so, using down time in between other
assigned tasks. We added them to the process because they were open source, easy to introduce, and
did not slow down or complicate our existing process. Also, the results were easy to interpret, so we
could act on them, and that is what gave the scans real value in our process. If you can’t understand the
findings, you can’t act on them.
On our scale of maturity, we’ve pushed through automated configuration management and are
beginning to do more cloud deployments, but our security testing is lagging a little behind that. We are
just starting to take advantage of the cloud for performance testing and slower running security scans.
On the other hand, we have a good selection of scans going on that help us ensure that our systems and
our application are more secure and more likely to meet compliance rules. Also, we find out quickly if
changes we make to the system configuration or to the application introduce any new security issues.
It seems like we’ve exhausted our “free” opportunities to increase the security testing. Most of what
we’ll add in the future will require some real focus and effort. But the groundwork we have laid is
already showing value, so garnering support for those larger efforts should be easier.
Conclusion
Doing security testing earlier in the development cycle means it is less likely to be dropped and more
likely we will remediate the problems that we find. By using open-source tools and identifying
opportunities to add security testing into our current processes, we can reduce the cost of adopting
security testing. Other, non-security testing can lay the foundation for security tests and safe
remediation. Gradually adding security testing, even little pieces of it, can quickly add value.
Whether you already have continuous delivery and cloud initiatives underway and are piggybacking on
them, or are using additional security testing potential as an argument to adopt them, the continuous
delivery process and cloud computing efforts give ample opportunities to add security testing without
much effort.
About the Author
Gene Gotimer is a senior architect at Coveros, Inc., a consulting company that uses agile methods to
accelerate the delivery of secure, reliable software. Gene is an experienced software developer who
focuses on continuous integration, static code analysis, automation, and any tool he can get to do his
work for him. For the last few years he has been on a team that is bringing a continuous delivery process
into the US Department of Defense, showing other projects that software can be delivered quicker with
more security and higher quality by using agile techniques.