PNSQC Summer Webinar Series
Requirements Based Web Application Security Testing
Featuring Guest Speaker Bhushan Gupta
@PNSQC
#PNSQC17
PNSQC – The organization
•  The oldest software quality conference in North America, now in its 35th year.
•  Annual conference held in Portland, Oregon.
•  Non-profit organization run by volunteers.
•  PNSQC is an all-volunteer conference that focuses on the quality practitioner.
•  Conference speakers and participants are people describing their own experiences, not consultants.
•  A range of topics and speakers – everything from automation and distributed teams to agile, devops and security.

9/07/2017 @Gupta Consulting, LLC. www.bgupta.com
House Rules
§  Participants other than the speakers are muted
§  Questions via the GoToWebinar control on the right side of your screen or through Twitter @PNSQC
§  Questions may be asked throughout the webinar – we'll try to answer them at the end
§  You will receive info on recording and slides after the webinar
Webinar Hashtag: #securetest
Moderating Today for PNSQC
Philip Lew, PNSQC Board Member
• CEO, XBOSoft
• Relevant specialties and passions
  o Software quality process, evaluation, measurement and improvement
  o Software quality in use / UX design
  o Mobile user experience and usability
  o Cycling and travel
Today's Webinar
Requirements Based Web Application Security Testing

Bhushan B. Gupta, PNSQC 2016 Invited Speaker
Principal, Gupta Consulting
bhushan@bgupta.com

•  Over 20 years' experience in SDLC, software process
•  Web Application Security Researcher – Best Practices and Tools
•  10 Years in Academia, Faculty Member, OIT (1985 – 95), Currently an Adjunct
•  Leader, OWASP, Portland Chapter
•  Active in PNSQC since 1998
•  Frequent Author and Speaker
•  Certified Six Sigma Black Belt (2007 – 2010)
•  Dedicated Toastmaster
Achieving High Web Application Security
System Elements Relevant to Security
•  Application Platform – Operating System
•  Development Environment – Platform (Java, J2EE), 3rd Party Software including Open Source
•  Application development (SDLC) – From Requirements to Release
•  Best Practices – Configuration, Hardening, Coding Standards

Current Trend – Penetration (Pen) Testing
Ethical Hacking by Red Teams
OWASP Top 10 + Other Vulnerabilities
Check the Periphery and Secure It
Challenges:
•  Bad guy never sleeps
•  Limited development time
•  More and cheaper hacking kits in the market

Alternative – Build Security In
•  Follow SDLC best practices, and
•  Check the Periphery and Secure It

Security is an Attribute of Quality!!
Confidentiality, Integrity, Availability (CIA) Principles

Security Triangle
Security: Confidentiality, Integrity, Availability

Data Security Principles
•  Confidentiality – Maintaining data privacy (Access Control)
   •  Intended malicious access – External or Internal
   •  Unintended – someone made a mistake
•  Integrity – Authorized modification of data and system environment
•  Availability – Usable during desired hours of service

Not all data is worth protecting!
Protect data while stationary and in motion!

Web Application Environment (diagram)
•  Client browser using client-side resources
•  Internet/Network Protocol – HTTP
•  Web Server
•  Backend System (Database Server, Applications)
•  Data
The Weakest Link: Access Control; Data in transit
Confidentiality – Access Control
•  Identification –
   •  A simple string of characters, non-programmatically generated (my dog's name)
•  Authentication – proof of legitimacy
   •  Something specific you know (my cat's birthday)
   •  Something specific you have (my driver's license)
   •  A physical characteristic – biometric (my fingerprint or iris scan)
•  Authorization
   •  Resources you are allowed to access (I cannot drive over the speed limit like a police officer can)
•  Audit
   •  Trail of activities by an entity for future reference

Requirements – Confidentiality
Identification
•  Each user has a unique ID that is extremely difficult to guess
•  ID should follow a standard convention if needed
•  A user ID is not shared with other users
•  ID value is not reflective of position or role
•  CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) if needed

Requirements – Confidentiality
Authentication
•  Character string
   •  Complexity/crackability –
      •  Difficult to guess (minimal length, required character categories, prohibited elements – last name, date of birth)
      •  Should not require extra effort to remember, to avoid noting it down
   •  Failure/Recovery Process
      •  Number of attempts before Time Out or Locking Out
      •  Use of security questions for first login attempt from a new device
      •  Recovery Mechanism – controlled, such as an email mechanism or on the fly (change it while on the site, not being sent in an email or only as a temporary password)
      •  No email distribution
Requirements – Confidentiality
Authentication
•  Character string
   •  Semi logoff or session ending after a period of no activity
   •  Longevity – password rotation
   •  Transmission over network
      •  Transport Layer Security (encrypted vs. plain text)
   •  Social Engineering – Shoulder Surfing
      •  Option to hide the password as it is being typed
   •  Storage – Plain text vs. Cryptographic Hash (a function + Salt)
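The character-string requirements on the last two slides (minimum length and character categories, prohibited elements such as last name and date of birth, lockout after a number of failed attempts, and a salted cryptographic hash instead of plain-text storage) can be written as checks a test team runs against an implementation. The following is an added example written for this page, not code from the webinar or its author; the policy thresholds (12 characters, three of four character categories, five attempts before lockout), the PBKDF2 work factor and the user data are assumptions constructed for the demonstration.

```python
"""Requirements-based checks for password handling (added example; the
thresholds below are assumptions, not values from the slides)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_LENGTH = 12              # assumed minimum password length
REQUIRED_CATEGORIES = 3      # assumed: at least 3 of lower/upper/digit/symbol
MAX_ATTEMPTS = 5             # assumed failed logins before lockout
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def password_problems(password: str, last_name: str = "",
                      birth_date: str = "") -> List[str]:
    """Return every policy violation found; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    categories = sum(bool(re.search(pattern, password))
                     for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if categories < REQUIRED_CATEGORIES:
        problems.append(f"uses {categories} of {REQUIRED_CATEGORIES} required character categories")
    # Prohibited elements named on the slide: last name, date of birth
    if last_name and last_name.lower() in password.lower():
        problems.append("contains the user's last name")
    digits = re.sub(r"\D", "", birth_date)          # "1985-03-12" -> "19850312"
    fragments = {digits, digits[:4], digits[-4:]}   # full date, year, MMDD
    if digits and any(f and f in password for f in fragments):
        problems.append("contains the user's date of birth")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash: two users with the same password get different digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time (no early-exit byte compare)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def attempt_login(account: Account, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'; lock after MAX_ATTEMPTS failures."""
    if account.locked:
        return "locked"
    if verify_password(password, account.salt, account.digest):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked = True
        return "locked"
    return "denied"


if __name__ == "__main__":
    # Constructed user data for the demo
    print(password_problems("Gupta1985!", last_name="Gupta", birth_date="1985-03-12"))
    salt, digest = hash_password("Correct-Horse-Battery-9!")
    acct = Account(salt, digest)
    for guess in ["a", "b", "c", "d", "e", "Correct-Horse-Battery-9!"]:
        print(guess, "->", attempt_login(acct, guess))
```

Each function maps to one requirement on the slides, so a test plan can cite the requirement next to the check that exercises it; the lockout state is kept per account so the "number of attempts" rule can be verified without a real login page.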
Requirements – Confidentiality
Authentication
•  Biometric – Legally allowed human characteristics
   •  Iris
   •  Retina
   •  Fingerprints
   •  Palm Scan
   •  Hand Configuration

Requirements – Confidentiality
Authorization
•  Policy to control access to objects – database servers
•  Processes are also treated as subjects

Data Integrity
Integrity – Accuracy and validity
Can be threatened by modification of data by unauthorized subjects or by error.
Requirements:
•  Integrity maintained while data is at rest or in transit
•  Role based access control
•  Validation of data both at application and database level
•  Any malicious attempts logged with adequate tracking
•  Recovery mechanisms are in place in the event the data integrity has been compromised
•  Separation of duties to prevent fraud and errors – any function that is subject to abuse

Availability
Availability – Usable during desired hours of service
Requirements:
•  Available as needed (24x7x365 or as per other criteria)
•  Redundancy to reinforce availability
Vulnerability – DDoS attack (Distributed Denial of Service)
Security Controls
Develop security controls based on the requirements
Example – Data Integrity

Requirement | Control
Maintained during data transition and at rest | Secure transmission with strong encryption algorithm
Role based access control | Access validated both for users and processes – Delete Operation
Data Accuracy | Data validated on both client and server side
Malicious Login Attempts | Track every login event
Recovery Mechanisms | Backup servers, data
Separation of Duties | Controlled access rights

Secure Design Principles – High Level
•  Defense in Depth / layered defense
   •  If one layer of defense is compromised, there are other layers to stop the complete breach
   Example: Command Line Injection – poked through the system and can see directories, but you are not able to change your access level
•  Fail Safe
   •  Maintain confidentiality, integrity, availability by returning to a secure state using rapid recovery
•  Least Privilege
   •  Lowest access level privilege to person or process
•  Weakest Link
   •  Protection of the weakest code
•  Leveraging Existing Components
   •  Sharing of existing components does not increase attack surface or vulnerabilities

And more …
Summary of Vulnerability Analysis
Vulnerability | Root Cause | Remediation
A1-Injection | SQL query manipulation, system call execution, lack of client code validation | Do not trust data, do not use dynamic queries, data validation, authorization, client-side code validation
A2-Broken Authentication | Unsecure transport layer, password handling and management, session ID management | Sound password policies and session management process, patch and version management
A3-XSS | Lack of server-side script validation | Escape all untrusted HTML and JavaScript code
A4-Insecure Direct Object References | Object exposure to unauthorized clients | Authenticate before providing access
A5-Security Misconfiguration | Versioning, system hardening, access control, verbose messaging (error, debug) | Sound patching and versioning, well defined development practices
Summary of Vulnerability Analysis
Vulnerability | Root Cause | Remediation
A6–Sensitive Data Exposure | Data format, encryption key compromise, unsecure data transport | Sound encryption and data transport policies
A7-Missing Functional Level Control | Access control to sensitive request handlers | Sound access control, log access failure
A8-CSRF | Caused by session cookie stealing | Turn CSRF protection on in the framework
A9-Using components with known Vulnerabilities | Exploitation of vulnerable framework components/libraries from 3rd party | Monitor security of components, establish security policies, add security wrappers, use scanners for version numbers and updates
A10-Unvalidated Redirects and Forwards | Attacker redirects client to his site with the home page look and steals the login information | Code review and checklist to make sure redirects are properly handled
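For the A10 row, "properly handled" redirects become something a code-review checklist can test only once the rule is concrete: accept a relative path on the application's own site or an https URL to an allowlisted host, and fall back to a fixed page for anything else. The following added example, not code from the webinar or its author, implements that rule and exercises it on constructed inputs; the allowlist, the default target and the function name are assumptions.

```python
"""Allowlist check for redirect targets (added example; host names are
constructed for the demo)."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}  # assumed allowlist
DEFAULT_TARGET = "/"                                          # assumed fallback page


def safe_redirect_target(candidate: str) -> str:
    """Return `candidate` when it is an acceptable redirect target, else DEFAULT_TARGET."""
    if not candidate:
        return DEFAULT_TARGET
    candidate = candidate.strip()
    if any(ch in candidate for ch in "\r\n\t"):      # header splitting / parser confusion
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative target: must be a single leading '/' path. '//host' and
        # '/\host' would be read by browsers as a new authority.
        if parts.path.startswith("/") and not parts.path.startswith(("//", "/\\")):
            return candidate
        return DEFAULT_TARGET
    # Absolute target: https only, host on the allowlist, and no userinfo
    # such as https://www.example.com@other.host/ (hostname is what counts).
    if (parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS
            and parts.username is None and parts.password is None):
        return candidate
    return DEFAULT_TARGET


if __name__ == "__main__":
    for value in ["/dashboard", "//other.example/", "/\\other.example",
                  "https://accounts.example.com/login",
                  "https://www.example.com@other.example/",
                  "http://www.example.com/", "javascript:void(0)"]:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

The checklist item for a reviewer is then simply "every redirect passes its target through safe_redirect_target (or an equivalent), and the default is a page on this site"; the same function doubles as a fixture for the security-focused QA tests mentioned later in the deck.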
Building a Secure System Requires
•  Smart Development Environment
•  Access Control – Objects & Functions
•  Input Validation
•  Secure Data Transport – https, Encryption
•  Secure Storage – Encryption
•  System Hardening – Sound Patching & Versioning Processes

SDLC Must Include:
•  Well defined threat modeling process
•  Access control – objects (users, software entities), functions
•  A repeatable process to measure attack surface index (ASI)
•  Strong encryption algorithm
•  Server side environment hardening
•  Secure data transport
•  Strong application architecture to support component isolation
•  Client and server side input validation
•  Use of tools – Scanners, SQLmap etc.

What Should be My Testing Strategy??

Multi-prong Approach
Prongs:
•  Fagan Style Reviews/Inspections – Design and Raw Code
•  Compiled Code – Static Code Analysis
•  Environment Verification (System Hardening) – Human Interaction
•  Code in Execution:
   •  Security Focused Traditional QA Testing – Against security controls
   •  Web Scanning using Scanners (ZAP, Burp Suite)
   •  Dynamic Code Analysis (Veracode, Fortify)
   •  Penetration Testing
Fagan Style Reviews/Inspections
Targets:
•  Development Environment
•  Operating system and language shortcomings – Buffer Overflow
•  Process and User Access Rights (Admin vs. normal user)
•  Input Validation – both on client and server side
•  Coding Practices – Use of prepared statements vs. dynamic queries
•  Runtime Environment Verification – System Hardening
Fagan Style Reviews/Inspections
Logistics:
•  Team of Experts
•  Make the docs available to the team
•  Conduct review session
•  Log issues
•  Follow through on issue resolution
•  Analyze impact of unresolved issues

Fagan Style Reviews/Inspections
Pitfalls:
•  Requires broad expertise –
   •  Operating system, language, coding practices
•  Time consuming if an application is complex
Note: Will work well in agile development

Static Code Analyzer
Automated Tool:
•  Runs on compiled code with Debug on
•  Analyzes warnings relevant to security problems
•  Provides a log of potential vulnerabilities
•  Some analyzers give you a numeric index
Commercially available tools: Veracode, Fortify (HP)

Static Code Analyzer
Shortcomings:
•  False Positives
•  Requires resources

Dynamic Code Analyzer
Automated Tool:
•  Works on binary code
•  Simulates vulnerable scenarios
•  Quantifies app vulnerability

Environment Hardening
Reinforce your environment:
•  Configuration management policy
•  Versioning – apply updates immediately
•  Change Control
•  Login level – Admin vs user
•  Principle of Least Privilege
•  Change Default Settings – File path, access rights, password
•  Disabling unnecessary features

Scanner – Benefits
•  Obtain a high level description of existing vulnerabilities
•  Initial assessment of a web site
•  Complex site with a high ASI – to determine high risk areas
•  Test planning – guidance for testing focus
•  Support release decision to assess the final quality
Should not be the only way to test the application.
Web Scanners – ZAP/Burp Suite
Characteristics
•  Intercepting Proxy Tools
•  Can be used as standalone or as a daemon process
•  Inspects the packets and sends them to the browser
•  Can work with another proxy running in your environment
(Diagram: Application – Browser – Tool; Application – Browser – Tool – Proxy)

Scanners – Functions
•  Web Spidering – Crawls pages and forms
•  Web Scanning – executes typical vulnerability attacks against a web site
•  Brute forcing – find files even though there are no links to them
•  Fuzzing (fuzz parameters)
•  Auto Tagging
•  Port Scanner
•  Parameter Analysis – all the parameters that the application uses
•  Session Comparison for multiple roles

Scanner – Strengths & Shortcomings
Strengths:
•  Simulate a malicious user quickly and are fast
•  Not language dependent
•  Good for audits for initial assessment (internal)
Shortcomings:
•  Hard to find logical flaws using tools
•  Only perform a pre-defined set of attacks
•  Cannot test for social engineering
•  Do not cover emerging technologies – JSON and complex workflows such as CSRF and shopping cart
•  Free tools do not get updated in a timely manner
Attack Surface Analysis
Compare Attack Surface of the Two Castles (image)

Attack Surface Analysis – Why?
Goal – Reduce the probability of an attack and minimize impact
Development:
•  Validate design against attack vectors
•  Validate code against design
•  Comparative analysis – create a baseline
Quality:
•  Estimate the effort involved in security testing
•  Select adequate tools and scripts for testing
•  Perform adequate testing
•  Prepare quality documents for the downstream stakeholders
General:
•  Understand overall security risk
•  Prepare for unfortunate circumstances if an attack is successful
•  Comparative security analysis of a product from two different vendors

Attack Surface of a System (diagram)
Targets: Browser, Application, OS, Web Server, Applications, Backend Systems
Comm. Channels + Protocols: HTTP Protocol
Access Rights

Measurements
Vector | Measurement
Degree of distribution | Tool – https://pentest-tools.com/information-gathering/find-subdomains-of-domain
Page creation method (static or dynamic) | Data extraction and display (text, image, AV)
Security mechanism | TLS (HTTPS), SSL, HTTP
Input | The type of inputs you can include in the URL
Active contents | Contents being used on client and server side
Cookies | Kept by the application and foreign (http://www.cookie-checker.com/)
User Roles | Admin, Group, User
Rights | Read, Write, Execute
Calculating AS Index – Example
ASI = SQRT (sum of the square of each AS element component)

ddist = 3.5
dyn = 1
Security = <1, 10, 0>
Input Vectors = <1, 1, 1, 1, 2, 8>
Active Content = <1, 1, 1, 1, 2, 8>
Cookies = 3
Access Control = 5
Rights = 5

ASI = SQRT (12.25 + 1 + 1+100+0 + 1+1+1+1+4+64 + 1+1+1+1+4+64 + 9 + 25 + 25)
    = 19.2

Minimum = 0
Maximum = Index can range from 0 to 60.79
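Worked calculation for the ASI slide, as an added example that is not code from the webinar or its author. The function takes the slide's component values as a dictionary (single numbers or tuples of element scores), squares every element, sums, and takes the square root, exactly as the formula states; the optional per-vector weights mentioned on the next slide are an assumption about how weighting is applied (each element is multiplied by its vector's weight before squaring). One check worth knowing: the squares listed on the slide sum to 317.25, whose root is about 17.8, so the function returns that for the slide's components rather than the 19.2 printed. The second function reports each vector's share of the squared index, which is the "high ASI – determine high risk areas" use named on the scanner slide.

```python
"""Attack Surface Index as root-sum-square of vector measurements (added
example; the weighting convention and vector names are assumptions)."""
import math
from typing import Dict, Iterable, Optional, Tuple, Union

Score = Union[int, float]
Component = Union[Score, Iterable[Score]]

# Component values as listed on the slide
SLIDE_EXAMPLE: Dict[str, Component] = {
    "ddist": 3.5,                          # degree of distribution
    "dyn": 1,                              # page creation method (dynamic)
    "security": (1, 10, 0),                # security mechanism elements
    "input_vectors": (1, 1, 1, 1, 2, 8),
    "active_content": (1, 1, 1, 1, 2, 8),
    "cookies": 3,
    "access_control": 5,
    "rights": 5,
}


def _elements(value: Component) -> Tuple[float, ...]:
    """Normalise a component to a tuple of element scores."""
    if isinstance(value, (int, float)):
        return (float(value),)
    return tuple(float(v) for v in value)


def _squares(components: Dict[str, Component],
             weights: Optional[Dict[str, float]]) -> Dict[str, float]:
    """Sum of squared (weight * element) per vector."""
    weights = weights or {}
    return {name: sum((weights.get(name, 1.0) * v) ** 2 for v in _elements(value))
            for name, value in components.items()}


def attack_surface_index(components: Dict[str, Component],
                         weights: Optional[Dict[str, float]] = None) -> float:
    """ASI = sqrt( sum over every element of (weight * element)^2 ).

    `weights` (assumed convention) scales a whole vector before squaring, so a
    vector judged twice as important contributes four times the square."""
    return math.sqrt(sum(_squares(components, weights).values()))


def vector_shares(components: Dict[str, Component],
                  weights: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Fraction of the squared index contributed by each vector (sums to 1).

    Ranking vectors by share points at the high-risk areas a scanner run or a
    review should concentrate on."""
    squares = _squares(components, weights)
    total = sum(squares.values())
    if total == 0:
        return {name: 0.0 for name in squares}
    return {name: sq / total for name, sq in squares.items()}


if __name__ == "__main__":
    print(f"ASI = {attack_surface_index(SLIDE_EXAMPLE):.2f}")
    for name, share in sorted(vector_shares(SLIDE_EXAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"  {name:15} {share:6.1%}")
```

Because every element is squared, one large element (the 10 in the security vector, the 8s in the input and active-content vectors) dominates the index; that is the property that makes the index useful for comparing a baseline against a later version, and also why the weights should be settled before the first measurement so later numbers stay comparable.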
ASI Characteristics
•  Accounts only for external threats
•  Gray box method (observe application at run time)
•  Vector weights are chosen according to the relative importance of a vector
•  Can be effectively used by developers and quality assurance group
•  Scalable

Vulnerability Severity – DREAD

Quantifying and Comparing Risk
Category | Value = 0 | Value = 5 | Value = 10
Damage Impact (data) | None | Few users only | Entire system
Reproducibility | Very hard | Few steps required | Use of web browser
Exploitability | Advanced knowledge | Use of kits | Just a web browser
Actual Users Impacted | None | Some but not all | All users
Discoverability (application) | Very hard (need special efforts) | Guessing | Easy – apparent (public domain / web browser)
Calculating Severity
DREAD Index = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
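The rubric table and the formula above become a small scoring routine. The following added example is not code from the webinar or its author: each category is rated at one of the three rubric levels (0, 5 or 10), the index is the mean of the five, and a set of findings is ranked by index so the highest severity is handled first. The findings and the severity bands (an index of 7 or more reported as High, 4 or more as Medium) are constructed assumptions; the slides give no cut-offs.

```python
"""DREAD severity scoring and ranking (added example; the findings and the
severity bands are constructed assumptions)."""
from typing import Dict, List, Tuple

CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")
LEVELS = (0, 5, 10)   # the three rubric columns on the slide

# Rubric wording from the slide, used when reporting a score
RUBRIC: Dict[str, Dict[int, str]] = {
    "damage":          {0: "none", 5: "few users only", 10: "entire system"},
    "reproducibility": {0: "very hard", 5: "few steps required", 10: "use of web browser"},
    "exploitability":  {0: "advanced knowledge", 5: "use of kits", 10: "just a web browser"},
    "affected_users":  {0: "none", 5: "some but not all", 10: "all users"},
    "discoverability": {0: "very hard (special effort)", 5: "guessing", 10: "easy, apparent"},
}


def dread_index(scores: Dict[str, int]) -> float:
    """(D + R + E + A + D) / 5, rejecting missing categories or off-rubric values."""
    missing = [c for c in CATEGORIES if c not in scores]
    if missing:
        raise ValueError(f"missing categories: {missing}")
    off_rubric = {c: scores[c] for c in CATEGORIES if scores[c] not in LEVELS}
    if off_rubric:
        raise ValueError(f"values must be one of {LEVELS}: {off_rubric}")
    return sum(scores[c] for c in CATEGORIES) / len(CATEGORIES)


def severity_band(index: float) -> str:
    """Assumed reporting bands; the slides give no cut-offs."""
    if index >= 7:
        return "High"
    if index >= 4:
        return "Medium"
    return "Low"


def rank_findings(findings: Dict[str, Dict[str, int]]) -> List[Tuple[str, float, str]]:
    """Highest index first; ties broken by name so the order is stable."""
    ranked = []
    for name, scores in findings.items():
        index = dread_index(scores)
        ranked.append((name, index, severity_band(index)))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def explain(name: str, scores: Dict[str, int]) -> str:
    """One-line report that quotes the rubric wording for each category."""
    parts = ", ".join(f"{c}={RUBRIC[c][scores[c]]}" for c in CATEGORIES)
    return f"{name}: {dread_index(scores):.1f} ({parts})"


# Constructed findings for the demo (not from the webinar)
SAMPLE_FINDINGS = {
    "verbose error page exposes stack trace": dict(
        damage=5, reproducibility=10, exploitability=10, affected_users=0, discoverability=10),
    "login form accepts unvalidated redirect": dict(
        damage=5, reproducibility=10, exploitability=5, affected_users=10, discoverability=10),
    "no password rotation policy": dict(
        damage=5, reproducibility=5, exploitability=5, affected_users=5, discoverability=0),
}

if __name__ == "__main__":
    for name, index, band in rank_findings(SAMPLE_FINDINGS):
        print(f"{band:6} {index:4.1f}  {name}")
        print("       ", explain(name, SAMPLE_FINDINGS[name]))
```

Restricting inputs to the three rubric levels is deliberate: it keeps two reviewers' scores comparable and makes the ranking reproducible, which is what the "Baseline" and "Threat" metrics on the reporting slide depend on.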
Data Analysis and Reporting Results
Metrics
•  Total number of vulnerabilities found
•  Baseline – against a test method and version
•  Threat – exposure of vulnerability and the impact
•  SDLC Phase – security defects found in each phase – tricky in agile development
•  Risk Containment – how well are the counter-measures put in place?

Test Efforts in SDLC – Activities

SDLC – AGILE

Kickoff Planning
Objectives – Security Infrastructure Planning and Initial Setup
EPICS:
1.  Threat Model
2.  Access Control – identification, authentication, authorization, and audit management
3.  ASI Characterization – vectors and scale definition
4.  Server side hardening policy
5.  Patch and version update policy
6.  Design and code review management
7.  Security criteria for release
8.  Breach event handling / management

Security Activities – Generic Iteration
Analyze whether any new vulnerabilities were added due to new stories
Update test plan:
•  Additional review areas
•  New configurations / environmental hardening
•  Static and Dynamic Code Analysis
•  New scanning requirements
•  Change in ASI Vectors
•  Changes to penetration test scope

Security Activities – Release Iteration
•  Final ASI analysis
•  Regression – Penetration Testing
•  Quality Assessment with respect to security
•  Open security defect analysis
   •  Probability of breach
   •  Breach impact – financial, legal, company image
•  Proposed threat mitigation plan
Security Acceptance Criteria
1. All PII information presented concisely for easy review
2. Only business-necessary information gathered from the client
3. Form is protected from any injection attacks
4. User required to confirm the PII on submission for non-repudiation
5. Confidentiality of the data is maintained during transit
6. Integrity of the data is maintained during transit
7. Data stored in the database matches exactly what was provided by the user

Conclusions
•  Understand Reconnaissance
•  Be aware of how common vulnerabilities are exploited
•  Build a sound threat model
•  Create a well structured SECURE SDLC
•  Be aware of your vulnerabilities and potential breach
•  Have a security breach contingency plan (SIEM)

Q&A

Join Us This Fall #PNSQC17

Bhushan's Technical Paper: Requirements Based Web Application Security Testing – A Preemptive Approach!
Workshops: Pragmatic Web Application Security Testing
           Essential Web Application Security Test Tools
www.pnsqc.org
Today's webinar has been recorded and will be available via the PNSQC YouTube channel and via SlideShare.
@PNSQC
#PNSQC17

Crafting the Perfect Measurement Sheet with PLM IntegrationWave PLM
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandIES VE
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEJelle | Nordend
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareinfo611746
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024Shane Coughlan
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Gáspár Nagy
 
How to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabberHow to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabbereGrabber
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfOrtus Solutions, Corp
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfkalichargn70th171
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 

Recently uploaded (20)

Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysis
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
Breaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdfBreaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdf
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
 
How to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabberHow to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabber
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 

Web Applications Security Testing Webinar with PNSQC