PSQT
2007 North
Sept. 10-14, 2007
Minneapolis, MN

Chris Wysopal
Co-Founder and Chief Technology Officer, Veracode, Inc.
Presentation: Prioritizing Software Security Testing
Wednesday, September 12th, 8:15 a.m. - 9:15 a.m. (Opening Keynote)

Many people don't know where to start when it comes to testing software for security. It is important to use a risk-based approach and leverage the knowledge you have about the software in order to effectively test security. Security testing should determine if the software is correctly handling all disallowed input that could lead to vulnerabilities. Given the number of inputs to a typical program and the number of classes of security attacks that need to be prevented, the number of test cases quickly becomes exponential. To be successful at security testing you must prioritize.

Participants will learn:

This class will use white box and black box analysis techniques coupled with threat modeling to discover the highest risk threats to a program. Attendees will learn how to focus testing on areas where difficulty of attack is least and the impact is highest. Attendees should be familiar with software testing and common security vulnerabilities.

Outline:

  • Why have security testing in the software development lifecycle (SDLC)?
  • Software security flaws are part of the top 5 causes of data compromise
    • Storage of magnetic strip data
    • Missing or outdated security patches
    • Use of vendor supplied default settings and passwords
    • SQL Injection
    • Unnecessary and vulnerable services on servers
  • MITRE Common Vulnerability Enumeration graph on vulnerabilities reported by type and year
    • The graph shows the highest prevalence of vulnerabilities being XSS, which can be tested for.
    • XSS attacks are on the rise as well
  • The code security challenge
    • Today's application development is assembled from “mixed code” bases
      • Legacy code
      • Shared code
      • Offshore developed code
      • “COTS”/3rd party
      • Open Source
    • There is a lack of secure coding expertise in the industry today
    • Application development is often distributed among several development teams
    • The hope lies in the fact that we can test this code
  • Modify software testing to create software security testing
    • Create abuse cases, not just use cases
    • Organizations must perform prevention testing and be proactive with application security testing, not rely on functional testing
    • Modify automation and test harnesses to perform negative testing
    • Create security regression tests
  • Functional testing vs. prevention testing
  • The need to prioritize testing—this is the quandary of negative testing
    • Cannot look for all the “shouldn'ts” that might be there
    • Cannot try every input possibility for every input
    • Cannot create every possible state in the software
    • Cannot create every error condition
  • Therefore, you must focus testing on areas where the difficulty of attack is least and the impact is highest
  • How to perform risk-based prevention testing
    • Think like an attacker
    • Find the riskiest areas of the software code
    • Prioritize threats via threat modeling
    • Use attack patterns to test software
  • In order to meet goals, take a cue from CVSS
    • CVSS is the Common Vulnerability Scoring System. It ranks the severity of a disclosed real-world vulnerability. Real-world vulnerabilities were empirically ranked by dozens of software security experts, and their reasoning was decomposed into these top factors:
      • Find the highest risk code
      • Test for the highest severity vulnerabilities
  • Process for doing the testing
    • Information gathering
    • Whiteboard the major components of the system, external data flows and the data flows between them
      • Is there any input validation and what type, either white list or black list?
      • Is there any authentication/authorization or session management?
      • Is there any anti-denial of service protection such as throttling or resource protection?
    • Run-time inspection—what architects or design documents state isn't always a reality
      • Is there any input validation and what type, either white list or black list?
      • Is there any authentication/authorization or session management?
      • Is there any anti-denial of service protection such as throttling or resource protection?
    • Identify threat paths
      • Build data flow diagrams, keeping in mind access categories and their associated risk
    • Attack the highest risk threats
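As an added example (not part of the conference program or the speaker's material), a Python sketch of the outline's prioritization and negative-testing ideas: it orders hypothetical input points by impact over difficulty of attack, then runs a security regression test that feeds disallowed-input classes to a black-list validator and a white-list validator. The input points, scores and payloads are constructed.

```python
import re

# Disallowed-input classes the harness feeds to an input validator. These are
# constructed textbook payloads for the vulnerability classes in the outline.
ATTACK_PATTERNS = {
    "sql_injection": ["' OR '1'='1", "1; DROP TABLE users --"],
    "xss": ["<script>alert(1)</script>", "\"><img src=x onerror=alert(1)>"],
    "oversized_input": ["A" * 10_000],
    "control_chars": ["user\x00name", "user\r\nadmin"],
}

# Input points found while whiteboarding the system, with the impact and
# difficulty-of-attack scores (1 = low, 3 = high) assigned during threat
# modeling. Names and scores are hypothetical.
INPUT_POINTS = [
    {"name": "admin search box", "impact": 2, "difficulty": 3},
    {"name": "public login form", "impact": 3, "difficulty": 1},
    {"name": "internal report filter", "impact": 1, "difficulty": 2},
]


def blacklist_validate(value: str) -> bool:
    """Black-list validator: rejects a few known-bad tokens, accepts everything else."""
    return re.search(r"<script|DROP TABLE|' OR ", value, re.IGNORECASE) is None


def whitelist_validate(value: str) -> bool:
    """White-list validator: accepts only the characters and length a username may have."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", value) is not None


def prioritize(points):
    """Order input points so that high impact and low difficulty of attack come first."""
    return [p["name"] for p in sorted(points, key=lambda p: -p["impact"] / p["difficulty"])]


def run_negative_tests(validator, patterns=ATTACK_PATTERNS):
    """Feed every disallowed input to the validator and return the vulnerability
    classes whose payloads it wrongly accepted (an empty dict means the test passes)."""
    accepted = {}
    for vuln_class, payloads in patterns.items():
        leaked = [p for p in payloads if validator(p)]
        if leaked:
            accepted[vuln_class] = leaked
    return accepted


if __name__ == "__main__":
    print("test order:", prioritize(INPUT_POINTS))
    print("black list wrongly accepted:", sorted(run_negative_tests(blacklist_validate)))
    print("white list wrongly accepted:", sorted(run_negative_tests(whitelist_validate)))
```

The black-list validator blocks the tokens it was taught but lets the other XSS form, oversized input and control characters through, which is why the outline asks whether validation is white-list or black-list rather than just whether it exists.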

Biography:

Chris Wysopal, co-founder and CTO of Veracode, is a well known speaker and recognized expert in the software security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. Mr. Wysopal co-authored the password auditing tool L0phtCrack and was a researcher at the security think tank, L0pht Heavy Industries, which was acquired by @stake in 1999. He was VP of R&D at @stake and later director of development at Symantec, where he led a team developing binary static analysis technology. He was influential in the creation of responsible vulnerability disclosure guidelines and a founder of the Organization for Internet Safety. Mr. Wysopal wrote "The Art of Software Security Testing: Identifying Security Flaws", published by Addison Wesley and Symantec Press in December 2006. He earned his Bachelor of Science degree in Computer and Systems Engineering from Rensselaer Polytechnic Institute.

Frank Cohen
Managing Director, CEO and founder of PushToTest
Presentation: Testing In A Service-Oriented Architecture
Wednesday, September 12th, 5:00 p.m. - 6:00 p.m. (Closing Keynote)

Service Oriented Architecture (SOA) compounds the problems we testers normally have to deal with, including a lack of management commitment, poor testing tools, and minimal testing environments. With SOA we also need to work with powerful new processes, protocols, and tools that were mainly built for software developers, not testers. Even the software developers aren't sure of the best SOA architecture: application servers, enterprise service bus (ESB), message queues, complex event processing (CEP) engines, and business process management (BPM). In this PSQT keynote session Frank Cohen will show his view of the reality of testing in a service architecture and the top 10 things you can do to make your situation better. He will show you a new methodology and techniques to test services, and how to move from our antiquated tools to testing in a variety of scripting languages and code-less test scenario documents to build and operate tests.

Biography:

Frank Cohen is the leading authority for testing and optimizing software developed with Service Oriented Architecture (SOA) and Web Service designs. Frank is CEO and Founder of PushToTest and inventor of TestMaker, the open-source SOA governance and test automation tool that helps software developers, testers and IT managers understand and optimize the scalability, performance, and reliability of their systems. Frank is the author of several books on optimizing information systems (Java Testing and Design, Prentice Hall, 2004, and FastSOA, Morgan Kaufmann, 2006). He co-founded Inclusion.net (OTC: IINC) and TuneUp.com (now Symantec Web Services). Contact Frank at fcohen@pushtotest.com and http://www.pushtotest.com.