Lightning Talks Presented at Better Software 2005 by Matt Heusser … and the gang
![Page 3: Lightning Talks Presented at Better Software 2005 By Matt Heusser … and the gang Matt.heusser@gmail.com](https://reader036.vdocuments.mx/reader036/viewer/2022062309/56649e9e5503460f94ba08c3/html5/thumbnails/3.jpg)
Ryan English, SPI Dynamics
The Road to Secure Software Nirvana: Web Application Security in Quality Assurance
Web Applications Breach the Perimeter
(Diagram: network zones Internet, DMZ, Trusted Inside and Corporate Inside, separated by firewalls; web servers IIS, Sun ONE, Apache; application servers ASP.NET, J2EE; database servers MS-SQL, Oracle, DB2.)
• Firewall allows PORT 80 (or 443 SSL) traffic from the Internet to the web server (rule: Any – Web Server: 80, HTTP/HTTPS).
• Firewall allows applications on the web server to talk to the application server.
• Firewall allows the application server to talk to the database server.
Examples of Application Security Vulnerabilities
Web application vulnerabilities occur in multiple areas: Platform, Administration and Application.
• Platform
– Known Vulnerabilities
• Administration
– Extension Checking
– Common File Checks
– Data Extension Checking
– Backup Checking
– Directory Enumeration
– Path Truncation
– Hidden Web Paths
– Forceful Browsing
• Application
– Application Mapping
– Cookie Manipulation
– Custom Application Scripting
– Parameter Manipulation
– Reverse Directory Traversal
– Brute Force
– Cookie Poisoning/Theft
– Buffer Overflow
– SQL Injection
– Cross-site Scripting
Why should QA be concerned about Application Security?
Cost to fix a security defect, by the phase in which it is found:
• Design – 1X
• Development (Static Analysis) – 6.5X
• Testing (Integration Testing, System/Acceptance Testing) – 15X
• Deployment (Customers In the Field) – 100X
What would the cost be if you were actually hacked?
QE Industry Round Table
• Why
– To learn from other organizations and share best practices
• What
– Discuss a topic of mutual interest (e.g. Performance, Internationalization, RCAs, Metrics)
– 2-3 short presentations followed by group discussion
• Who
– QE managers from local companies
• When
– Once per quarter, for an afternoon
Melissa W. Frail, The MathWorks, Inc, Better Software 2005
Getting Started
• Identify Participants
– Invite contacts at other companies
– Network within your company
– Talk to new hires about their previous companies
• Ground Rules
– No NDAs – share what you are comfortable sharing
– No recruiting
Matthew Heusser – Secrets of the Baby [email protected]
The Word Test
• “When was the first time you heard the word test?”
• “Where were you when you first heard the word test?”
• “How did the word test make you feel?”
Usual Answer
• “It was my third grade teacher at school, and I felt nervous and afraid.”
• Less Frequent - “It was my third grade teacher, and I was happy and excited to show how smart I was.”
Openness to Testing
• “I’m sure there is nothing wrong with the software, so go ahead and test it, better you find defects than our customers.”
More Common
• “There is no need to test my software because there is nothing wrong with it.”
• “You are not qualified to test my software because you don’t know as much as I do about it.”
• “If any Test Engineers come into our office again to test our software we will throw them through the third floor window.”
Don’t Call It Testing Table (pick one word from each column)
A                    B                       C
1. Rapid             1. Quality              1. Assurance
2. Unified           2. Verification (and)   2. Validation
3. Agile             3. Experimental         3. Trials
4. Meta              4. Examination          4. Study
5. Flexible          5. Observational        5. Demonstration
6. Tailored          6. Conceptual           6. Prediction
7. Scalable          7. Acceptance           7. Proof
8. Integrated        8. Criterion            8. Scoring
9. Independent       9. Requirement
10. Observed         10. Satisfaction
11. Customer Based
12. <none>
Don’t Call It a Bug Table (pick one word from each column)
A                    B
1. Potential         1. Anomaly
2. Suspect           2. Correctness
3. Tentative         3. Believability
4. Pseudo            4. Certainty
5. Unresolved        5. Convergence
6. Unstable          6. Correlation
7. Irregular         7. Correctitude
8. Arbitrary         8. Correspondence
9. Random            9. Censure
10. Fuzzy            10. Result
11. Biased           11. Presentation
Bug Free Software?
• “The software was so good that the developers felt it to be without bugs and not necessary to test. We did, however, perform some Rapid Requirement Proofs and found a number of cases of Irregular Convergence and Biased Believability. These findings were handled by the developers as trivial enhancements, which have now been fully implemented, and we are ready to ship after performing the mandatory Independent Observational Scoring.”
Facts & Assumptions
• Facts are known – How many widgets did we sell last year?
• Assumptions are placeholders for facts – How many widgets will we sell next year?
Thanks for coming!
Lightning talks will be at STARWest and other upcoming conferences!
Call for presentations - http://www.sqe.com/lightningtalks.asp
and http://www.xndev.com/Speaking.htm