
Security testing

Software security testing

Published in: Technology


  1. Security Testing (4/16/2009, Maheshwar Kanitkar)
     Agenda:
       - Software security state
       - Software security engineering
       - Defining test strategy
       - Regulatory compliance
       - Q&A
  2. Awareness: what, why, when, who
       - Defects are reported late in the SDLC
       - The security engineering model is not well integrated with the standard SDLC
     What needs to change:
       - Formal security requirements are to be identified
       - Security compliance needs to be taken into account in the design phase
       - The process is to be integrated into the SDLC
       - A test strategy for security testing is needed
       - Quality time is to be allocated for building secure software at all levels: requirements, design, coding, testing
       - Engineering teams and QA teams need training
  3. High level threat model
     Define the application requirements:
       - Identify business objectives
       - Identify user roles that will interact with the application
       - Identify the data the application will manipulate
       - Identify the use cases for operating on that data that the application will facilitate
     Model the application architecture:
       - Model the components of the application
       - Model the service roles that the components will act under
       - Model any external dependencies
       - Model the calls from roles, to components and eventually to the data store for each use case as identified above
     Then:
       - Identify any threats to the confidentiality, availability and integrity of the data and the application, based on the data access control matrix that your application should be enforcing
       - Assign risk values and determine the risk responses
       - Determine the countermeasures to implement based on your chosen risk responses
       - Continually update the threat model based on the emerging security landscape
     One can build a threat model using STRIDE, an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
     Inputs to the threat model (company policies / security features documents):
       - Authentication
       - Authorization
       - Administrative interfaces
       - User management
       - Infosec policies
       - Privacy policy
       - Coding standards
       - Patching policy
       - Data classification policy
       - Acceptable use policies
       - Export control
       - Results from previous security audits
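The threat-model steps on this slide (roles, components, data access control matrix, STRIDE, risk values and ordering for risk response) as an added Python example; it is not code from the deck, and the element names, the 1..5 likelihood/impact scales and the access matrix are constructed.

```python
from dataclasses import dataclass

# STRIDE-per-element: which of the six categories apply to each element kind.
STRIDE_PER_ELEMENT = {
    "external": {"Spoofing", "Repudiation"},
    "process": {"Spoofing", "Tampering", "Repudiation",
                "Information Disclosure", "Denial of Service",
                "Elevation of Privilege"},
    "store": {"Tampering", "Repudiation", "Information Disclosure",
              "Denial of Service"},
    "flow": {"Tampering", "Information Disclosure", "Denial of Service"},
}

@dataclass
class Element:
    name: str
    kind: str         # external | process | store | flow
    likelihood: int   # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int       # 1 (negligible) .. 5 (severe); constructed scale

def enumerate_threats(elements):
    """Assign a risk value (likelihood * impact) to every applicable STRIDE
    threat and return the list highest-risk first, for risk response."""
    threats = [(e.likelihood * e.impact, e.name, category)
               for e in elements
               for category in sorted(STRIDE_PER_ELEMENT[e.kind])]
    return sorted(threats, reverse=True)

def acl_violations(access_matrix, calls):
    """Check modelled calls (role, data, operation) against the data access
    control matrix the application should enforce; unpermitted calls are
    findings to feed into the threat list."""
    return [(role, data, op) for role, data, op in calls
            if op not in access_matrix.get((role, data), set())]

# Constructed sample model: a web application with one user role and a DB.
MODEL = [
    Element("customer", "external", 4, 3),
    Element("web app", "process", 3, 5),
    Element("customer DB", "store", 2, 5),
    Element("browser->web app", "flow", 4, 4),
]
ACCESS_MATRIX = {("customer", "own_order"): {"read", "create"},
                 ("admin", "own_order"): {"read", "update", "delete"}}
CALLS = [("customer", "own_order", "read"),
         ("customer", "own_order", "delete")]  # not permitted by the matrix

if __name__ == "__main__":
    print(enumerate_threats(MODEL)[:3])
    print("ACL violations:", acl_violations(ACCESS_MATRIX, CALLS))
```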
  4. Scope of security testing
       - Identify risks
       - Prioritization of risks
       - Regulatory compliance
       - Define the threat model to be used (can be based on the MS security threat model, OSSTMM)
       - Training requirements
       - Testing during sustenance
       - Available tools, solutions, cost, time
     Tools available:
       - HP Application Security Center
       - Microsoft Visual Studio Team Edition
       - IBM AppScan
       - Various small utilities
  5. Application Security Center: a complete application lifecycle solution
       - DevInspect's hybrid analysis ensures code under development is secure
       - QAInspect verifies the security of the entire application during QA
       - WebInspect provides pre- and post-production application and environment security analysis
       - Assessment Management Platform enforces security policies and manages activities across the lifecycle
     Regulatory compliance: industry regulations and standards
       - SOX 404
       - HIPAA
       - FFIEC
       - PCI
       - OWASP Top 10 / Guides
       - GLBA
       - SCADA Security
       - CA SB1386 / State Notification Laws
       - ISO 17799
       - BASEL II
       - FISMA
       - EU Data Protection Directive
  6. Before we close
       - Know the 5 Ws: the bare minimum is knowing the who, what, where, when, and why for each feature
       - Design and validate security into the product
       - Several legal requirements should be considered in testing, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Computer Fraud and Abuse Act (CFAA), and California (CA) SB1386
       - Never run tests as an administrator/root
       - Understand the limitations of tools
       - Keep updating methodology and tools
       - Not all software security programs are identical; build a program to meet your needs
     Credits:
       - http://en.wikipedia.org/wiki/Wiki
       - http://www.isecom.org/osstmm/
       - http://www.hp.com
       - http://www.ibm.com
       - http://www.microsoft.com
  7. Thank You. Maheshwar Kanitkar, mrkanitkar@gmail.com