Threat modeling is about understanding who is going to attack your system, why they are going to attack it, what they are going to target and how they are going to attack it.

SQL injection is a classic attack surface. Although we have known about it for 30+ years, it is still a vulnerability that gets exploited on a regular basis.
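The root cause of SQL injection is untrusted input spliced into the text of a query, so the input can change the query's structure rather than just supply a value. The following added example (not code from the original notes) puts the vulnerable string-building pattern next to its parameterized replacement, using Python's standard sqlite3 module and a constructed in-memory users table; the function names and sample rows are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_user_unsafe(conn, name):
    """Vulnerable pattern: the caller-supplied name is interpolated into the SQL text.

    A quote character in the input ends the string literal early, and whatever
    follows is parsed as SQL, so the input controls the query, not just the data.
    """
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, name):
    """Hardened pattern: a parameterized query.

    The SQL text is fixed at the call site and the driver passes the value
    separately, so the input can only ever be compared as data.
    """
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Ordinary input behaves the same in both versions...
    print(lookup_user_unsafe(db, "alice"), lookup_user_safe(db, "alice"))
    # ...but an input that closes the quote changes the query for the unsafe
    # version (every row comes back) and is harmless for the parameterized one.
    payload = "' OR '1'='1"
    print(lookup_user_unsafe(db, payload), lookup_user_safe(db, payload))
```

The same contrast applies to any driver or ORM: the defensive check during code review is that no query text is ever assembled from request data, and every value reaches the database through a bound parameter.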
Pen Testing is different from Security Testing in that Pen Testers will use all means to compromise the system, including social engineering, zero-day flaws, security analysis, code analysis, you name it. Security Testing is more about known-vulnerability playback. Both are valuable and have their place. Neither is a substitute for the other. Pen testing is a specialized skill set; it is often necessary to bring in external pen test professionals.
Example: User shall not be allowed unlimited login attempts. Potential attackers use unlimited login attempts to run dictionary password attacks.

Example: User shall not be given details regarding authentication failure. Potential attackers can use authentication failure details to figure out whether they have legitimate user names.
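Both requirements above can be implemented in one small login routine. The following added example (not code from the original notes) counts failures per account, locks the account for a fixed period once the limit is hit, and returns the same message for an unknown user, a wrong password and a locked account, so the response does not confirm whether the user name exists. The limits, the clock injection and the account store are assumptions made for the illustration; a real system would persist the counters and log the lockout for the operations team.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # assumed policy: failures allowed before lockout
LOCKOUT_SECONDS = 300     # assumed policy: lockout duration
GENERIC_FAILURE = "Login failed."


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password, salt):
    # Slow, salted hash so a leaked store does not yield passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self, now=time.time):
        self.accounts = {}
        self.now = now  # injectable clock so lockout expiry can be tested

    def register(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username, password):
        """Return (ok, message).

        Every failure path returns GENERIC_FAILURE: the caller cannot tell an
        unknown user from a wrong password or a locked account.
        """
        acct = self.accounts.get(username)
        if acct is None:
            # Do the same amount of hashing work as the known-user path so the
            # response time does not reveal that the name was unknown.
            hash_password(password, b"\x00" * 16)
            return False, GENERIC_FAILURE
        if acct.locked_until > self.now():
            return False, GENERIC_FAILURE
        if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failures = 0
            return True, "Welcome."
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            # Lock the account; dictionary attacks need far more than five guesses.
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            acct.failures = 0
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")
    print(auth.login("alice", "correct horse battery staple"))
    for _ in range(MAX_ATTEMPTS):
        print(auth.login("alice", "guess"))
    # Even the right password is refused while the lockout is in effect.
    print(auth.login("alice", "correct horse battery staple"))
```

Because the lockout message is identical to the wrong-password message, a legitimate user who is locked out should be told through a side channel they already control (an e-mail to the registered address, for example) rather than through the login response itself.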
Fail safe; it can mean different things based on your application and functionality. Don't create your own encryption or random number generation; use open standards that have been vetted by industry-recognized experts. Use tools to scan your source code for known dangerous code constructs, system and library functions. Replace dangerous code right away.
Use automated secure code review tools to find specific well-known problem patterns and to highlight areas where manual reviews should be conducted. Bugs tend to cluster, so a section of the code where a number of security issues are present is a good candidate for a manual code review.
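The two points above (scan for known dangerous functions, then send the places where findings cluster to manual review) fit in one short scanner. The following added example is not a tool from the original notes: it runs a small, hypothetical denylist of dangerous C and Python calls over constructed sample files, then groups the hits into line windows so that a file region with several findings is flagged for a human reviewer. The denylist, window size and threshold are assumptions; a real tool ships a far larger curated rule set.

```python
import re
from collections import defaultdict

# Hypothetical denylist: each entry is a regex for a call with a well-known
# misuse pattern and the replacement a reviewer would ask for.
DANGEROUS = {
    r"\bgets\s*\(":    "gets(): no bounds check, use fgets()",
    r"\bstrcpy\s*\(":  "strcpy(): unbounded copy, use a bounded copy with an explicit size",
    r"\bsprintf\s*\(": "sprintf(): unbounded format, use snprintf()",
    r"\bsystem\s*\(":  "system(): shell interprets the string, use execve() with a fixed argv",
    r"\beval\s*\(":    "eval(): executes arbitrary code from data",
}

# Constructed sample sources standing in for a checked-out code base.
SAMPLE_FILES = {
    "net.c": """\
#include <stdio.h>
#include <string.h>
void handle(char *in) {
    char buf[64];
    strcpy(buf, in);
    char cmd[128];
    sprintf(cmd, "ping %s", buf);
    system(cmd);
}
""",
    "util.c": """\
#include <stdio.h>
int count(const char *s) {
    int n = 0;
    while (*s++) n++;
    return n;
}
""",
}


def scan_source(files):
    """files: {path: source text}. Return a list of (path, line_no, message)."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for pattern, message in DANGEROUS.items():
                if re.search(pattern, line):
                    findings.append((path, line_no, message))
    return findings


def review_candidates(findings, window=20, threshold=3):
    """Group findings into fixed-size line windows per file.

    Windows holding at least `threshold` findings are returned as
    (path, window_index) pairs: these are the clusters the text above
    recommends for manual code review.
    """
    counts = defaultdict(int)
    for path, line_no, _ in findings:
        counts[(path, (line_no - 1) // window)] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_source(SAMPLE_FILES)
    for path, line_no, message in hits:
        print(f"{path}:{line_no}: {message}")
    for path, idx in review_candidates(hits):
        print(f"manual review: {path} lines {idx * 20 + 1}-{(idx + 1) * 20}")
```

Pattern matching of this kind is noisy (it cannot tell a safe call from an unsafe one by text alone), which is exactly why its output is a list of review targets rather than a verdict; the manual review decides what gets replaced.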
All applications are now networked applications and all need application security requirements.