Upload File

security as a part of quality assurance

24
Security A part of Quality Assurance

Upload: boy-baukema

Post on 07-Nov-2014

169 views

Category:

Technology


0 download

Report

Tags:

DESCRIPTION

 

TRANSCRIPT

Page 1: Security as a part of quality assurance

SecurityA part of Quality Assurance

Page 2: Security as a part of quality assurance

In custom software, if you haven’t properly tested it, it probably

doesn’t work.This goes for both functional and nonfunctional

requirements.!

Worse yet if you don’t even know what ‘it’ is supposed to be.

Page 3: Security as a part of quality assurance

Boy BaukemaSecurity Specialist @ Ibuildings.nl

Page 4: Security as a part of quality assurance

Security what?

Senior Engineer

+ interest in WebAppSec

+ 4 hours a week R&D

+ internal training & consultancy

+ internal & external auditing

Page 5: Security as a part of quality assurance

Wait, where?

Page 6: Security as a part of quality assurance

You

Page 7: Security as a part of quality assurance

The plan

1. The journey

2. The holy grail

3. Riding off into the sunset

Page 8: Security as a part of quality assurance
Page 9: Security as a part of quality assurance
Page 10: Security as a part of quality assurance

– My CTO

“Make security something I can sell, give managers a knob to turn.”

Page 11: Security as a part of quality assurance
Page 12: Security as a part of quality assurance

LEVEL 1 LEVEL 2 LEVEL 3

CHAPTER 1 1.1 1.2 1.3

!X!

!X!X

!XXX

CHAPTER 2 2.1 2.2 2.3

X X

XX X

!XX X

Page 13: Security as a part of quality assurance

ASVS (2013) Levels

Level 0 - Bullshit compliance level (0)

Level 1 - Opportunistic (47)

Level 2 - Standard (136)

Level 3 - Advanced (164)

Page 14: Security as a part of quality assurance

ASVS Chapters

V1. Authentication V2. Session Management V3. Access Control V4. Input Validation V5. Cryptography (at Rest) V6. Error Handling and Logging V7. Data Protection !

V8. Communication Security V9. HTTP Security V10. Malicious Controls V11. Business Logic V12. Files and Resources V13. Mobile

Page 15: Security as a part of quality assurance

V1.4. Verify that credentials and all other identity information handled by the application

does not traverse unencrypted or weakly encrypted links. (level 1, 2 & 3)

!

Page 16: Security as a part of quality assurance
Page 17: Security as a part of quality assurance

–OWASP ASVS 2009 Level 2

V2.7 Verify that the strength of any authentication credentials are sufficient to

withstand attacks that are typical of the threats in the deployed environment.

Page 18: Security as a part of quality assurance

AASVS 2009, Scanners & Report Generator

Page 19: Security as a part of quality assurance

–Sahba Kazerooni

“Done any day now!”

Page 20: Security as a part of quality assurance

–OWASP ASVS 2013 Beta, Application Security Verification Levels

“… scope of the verification may go beyond the application’s custom-built code and include

external components. Achieving a verification level under such scrutiny can be represented by annotating a “+” symbol to the verification

level”

Page 21: Security as a part of quality assurance

OWASP AASVS 2013

Page 22: Security as a part of quality assurance

Security Assurance Maturity Model

Page 23: Security as a part of quality assurance

Security TestingOne aspect of a Secure Development LifeCycle

Page 24: Security as a part of quality assurance

To be continued...


SPECIALISTS QUALITY ASSURANCE SPECIALISTS QUA ITY ASSURANCE ASSUR SPECIALISTS ASSURANCE LISTS QUALITY ASSURANCE QUALITY ASSURANCE SPECIALISTS ASSURANCE

How A Quality Assurance Company Can Use CyD NET Utils for Security Testing

The Importance of Quality Assurance Testing for the ... · The Importance of Quality Assurance Testing for the ... the software. The Open Web Application Security Project (OWASP)

Aggregate Quality Control/Quality Assurance Program · Aggregate Quality Control/Quality Assurance Program ... The Aggregate Quality Control/Quality Assurance Program is designed

Aggregate Quality Control/Quality Assurance Program · PDF fileAggregate Quality Control/Quality Assurance Program ... The Aggregate Quality Control/Quality Assurance Program is designed

Fuzzing for Software Security Testing and Quality Assurance

Software Security and Quality Assurance (SSQA) Framework ... · The Software Security and Quality Assurance (SSQA) Framework provides standards and guidance to support the achievement

Quality Assurance book - UPM EduTrain Interactive … in education2009.pdfQuality Assurance in Education 9 Quality Assurance in Education Introducing Quality Assurance “Quality assurance”

Quality Assurance/Quality Control and Quality Assurance Project Plans Greg Thoma University of Arkansas IPEC Quality Assurance Officer

Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System Cyber security

-Del Software Quality Assurance and Testing Centre- … · -Del Software Quality Assurance and Testing Centre- Tim Pusat Penjaminan Mutu dan Pengujian Perangkat Lunak ... (security),

Information Security & Quality Assurance - Matunda · Information Security & Quality Assurance Realities & Challenges Matunda Nyanchama, CISSP, PhD Delivery Leader, SI&P Services

Software Testing and Quality Assurance Software Quality Assurance

QUALITY ASSURANCE STANDARD FOR DIGITAL PRODUCT DEFINITION ... · Configuration Management and Media Security 8 3. Product Acceptance ... Quality Assurance Standard for Digital

Information Governance Assurance Framework€¦ · Information security assurance Information quality assurance Records Management Information Governance provides a consistent way

Quality Assurance Quality Control Procedures · QUALITY ASSURANCE / QUALITY CONTROL MANUAL Approving Authority: Quality Assurance Manager Procedures Effective Date Comments Audits

Dpc14 security as part of Quality Assurance

An Overview of Quality Assurance Processes & · PDF fileAn Overview of Quality Assurance Processes & Procedures ... Manufacturing Engineering Quality Assurance Team. Quality Assurance

Quality Assurance Framework · Quality Assurance Framework for Aviation Security Training Briefing – November 2018 . Welcome Aims for the day •Give you confidence in your ability

Software Security and Quality Assurance (SSQA ... - Q-CERT · Title: Software Security and Quality Assurance (SSQA) Gate 3 Guidance Version: 1.0 Classification: PUBLIC Pre-Gate Activities

QUALITY ASSURANCE PROGRAM PLAN - SCDHEC · 2020. 10. 15. · QA/QC Quality Assurance / Quality Control QAP Quality Assurance Plan QAPP Quality Assurance Program Plan QAM Quality Assurance

Web Portal- Quality Assurance, Security, RSS Feeds & Site Map

QUALITY ASSURANCE TRAINING. Quality Assurance Outline Introduction to Great call Quality Quality Assurance Guidelines Call Introduction Qualifiers Commitment

Software Security and Quality Assurance (SSQA) Gate 1 …compliance.qcert.org/sites/default/files/library/2019-02/MOTC-CDP-SSQA...Title: Software Security and Quality Assurance (SSQA)

Software Security and Quality Assurance (SSQA) Framework

Quality Assurance in Defense Adjudication: An Adjudicator ... · quality assurance program for personnel security adjudication. The Assistant Secretary of Defense for Command, Control,

The Web Quality Assurance Checklist...The domains covered are: performance, accessibility, security, data privacy, SEO, eco design, SEO, risk and other quality assurance aspects that

Software Quality Assurance · Quality Assurance From theory to implementation Software Quality Assurance Software Quality Assurance From theory to implementation DANIEL GALIN GALIN

Quality Assurance/Quality Control ProgramProgrammudloc.westernsite.com/docs/Quality Assurance - Quality Control...Quality Assurance/Quality Control ProgramProgram forfor Chevron Canada

Quality Assurance Quality Control Procedures Manual...QUALITY ASSURANCE / QUALITY CONTROL MANUAL Approving Authority: Meredith Rosenberg, Quality Assurance Manager Working version

Quality Control/Quality Assurance Quality Assurance……. ….encompasses both quality engineering and quality control Quality Assurance is……. …..the application

Fujitsu Quality Your Safety and Security · Flexible quality assurance in changing times IoT quality assurance initiatives How we ensure quality cloud services Conclusion Editing

Quality Assurance Project Quality Assurance Project Plan Plan · Quality Assurance Project Quality Assurance Project Plan Plan Confederated Salish & Kootenai Tribes Brownfield Project

Office of Health, Safety and Security Quality Assurance Initiatives

SOFTWARE QUALITY ASSURANCE SOFTWARE QUALITY ASSURANCE DEFINITIONS OF SQA SOFTWARE STANDARDS Process Quality Assurance Product Quality Assurance