security testing activities in the development lifecycle

Security Activities in the Lifecycle, Shawn Gorrell, Lead Architect, FRB Atlanta

Upload: shawn-gorrell

Post on 18-Jul-2015


TRANSCRIPT

Page 1: Security Testing Activities in the Development Lifecycle

Security Activities in the Lifecycle

Shawn Gorrell, Lead Architect, FRB Atlanta

Page 2: Outline

Code Reviews

Strengths/Weaknesses of Code Reviews

Penetration Testing

Strengths/Weaknesses of Penetration Testing

Static Code Analysis

Strengths/Weaknesses of SCA

Fortify SCA Walkthrough

Scan/Triage process

Q&A

Page 3: Code Reviews

Source code inspections based on defined security/quality/coding-standards checklists

Can be formal or informal

Page 4: Strengths of Code Reviews

Standards enforcement mechanism (verify controls)

Learning/training opportunity

Covers all of the code, including paths a dynamic tool never exercises (dynamic tools can miss things)

Page 5: Weaknesses of Code Reviews

Time/resource intensive

Requires specialized expertise (application, language/platform, security)

Human fallibility

Does not always “prove” the vulnerability (a reviewer can flag a suspicious pattern without showing it is exploitable)

Page 6: Penetration Testing

Simulated attack on application or network

Pentests are typically “black box” (no access to code)

Combination of dynamic tools and human testing (tools help find soft spots)

Page 7: Strengths of Penetration Testing

The combination of tools and humans finds things that either method alone won’t find

Requires less application-specific expertise than a code review (the tester need not know the language or the code base)

Proves vulnerabilities (a finding comes with a working demonstration, not just a suspicion)
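What “proves vulnerabilities” means in practice, as an added example that is not part of the slides: a black-box probe against a constructed in-memory sqlite3 login endpoint. The tester never sees the query text, only inputs and outcomes, yet the three requests below are enough to demonstrate the injection. The `build_target`/`probe_sqli` names, the `alice`/`s3cret` row and the concatenated-versus-parameterised pair are assumptions for illustration.

```python
"""Black-box probe that proves a SQL injection rather than merely suspecting it.

Added example, not from the original slides. The target is a constructed
in-memory sqlite3 "login" endpoint; the probe sees only inputs and outcomes,
never the query text, which is the black-box position of a pentester.
"""
import sqlite3


def build_target(vulnerable):
    """Return a login(name, password) function over a fresh in-memory database.

    vulnerable=True builds the query by string concatenation (the bug);
    vulnerable=False binds the values as parameters (the fix).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # constructed test data

    def login(name, password):
        if vulnerable:
            sql = ("SELECT 1 FROM users WHERE name = '" + name
                   + "' AND password = '" + password + "'")
            cur = conn.execute(sql)
        else:
            cur = conn.execute("SELECT 1 FROM users WHERE name = ? AND password = ?",
                               (name, password))
        return cur.fetchone() is not None

    return login


def probe_sqli(login):
    """Three requests a tester would send, and what each outcome proves.

    baseline : a wrong password must be rejected, or the test is meaningless.
    quote    : a lone quote breaks the SQL grammar; an exception (a 500 page in
               real life) is a strong hint that the input reaches the SQL parser.
    tautology: ' OR '1'='1 makes the WHERE clause always true. Logging in with
               it is the proof: the payload changed the query's semantics.
    """
    result = {"baseline": login("alice", "wrong")}
    try:
        login("alice", "'")
        result["error_on_quote"] = False
    except sqlite3.Error:
        result["error_on_quote"] = True
    result["tautology_login"] = login("alice", "' OR '1'='1")
    result["proven"] = result["baseline"] is False and result["tautology_login"] is True
    return result


if __name__ == "__main__":
    for label, flag in (("concatenated query", True), ("parameterised query", False)):
        print(label, probe_sqli(build_target(flag)))
```

Against the concatenated query the tautology logs in and the lone quote raises an error; against the parameterised query both payloads are treated as literal password text and are rejected. That behavioural difference is the proof a pentest report carries and a code review can only assert.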

Page 8: Weaknesses of Penetration Testing

Time/resource intensive

Pentest teams tend to be busy, so you need to plan things well in advance

Different combinations of tools and people can get different results on same application

Page 9: Static Code Analysis (SCA)

Automated white-box testing tool that analyzes source/object code without execution

Although the code is never executed, SCA performs data-flow analysis (tracing data from untrusted sources to dangerous sinks)

Identifies code errors, complexity metrics and security issues

Can be integrated into build/deploy processes (continuous integration)
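To make “data-flow analysis without execution” concrete, here is an added example, not from the slides and not Fortify’s engine: a toy source-to-sink taint analysis written against Python’s `ast` module. It parses a program, never runs it, tracks which local names hold data derived from a source, and reports the line of every sink call whose first argument is tainted, which is the “exact location (line number)” property of the strengths slide. The rule sets, the `analyse`/`scan_block` names and the constructed sample program are assumptions for illustration.

```python
"""Toy source-to-sink taint analysis of Python code, using only the ast module.

Added example, not from the slides or from Fortify: the program is parsed and
never executed, and each finding carries the line number of the sink call.
The source/sink/sanitiser rules are an assumed, deliberately small set.
"""
import ast

SOURCES = {"input", "request.args.get", "request.form.get"}  # untrusted data enters here
SINKS = {"execute", "os.system"}                             # dangerous if argument 0 is tainted
SANITIZERS = {"int", "shlex.quote"}                          # a call to these clears taint


def dotted(node):
    """Render a Name/Attribute chain such as request.args.get as one string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and dotted(node.value):
        return dotted(node.value) + "." + node.attr
    return None


def matches(name, rules):
    return name is not None and any(name == r or name.endswith("." + r) for r in rules)


def is_tainted(expr, tainted):
    """Does this expression carry data derived from a source?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        fn = dotted(expr.func)
        if matches(fn, SOURCES):
            return True
        if matches(fn, SANITIZERS):
            return False
        # Unknown callee (str(), "...".format(), a helper): assume taint passes through.
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.BinOp):                     # "... '" + name + "'"
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):                 # f"... {name}"
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, (ast.Tuple, ast.List)):
        return any(is_tainted(e, tainted) for e in expr.elts)
    return False                                        # literals, subscripts, dicts: not tracked


def scan_block(stmts, tainted, findings):
    """Walk statements in source order, tracking which local names are tainted."""
    for stmt in stmts:
        if isinstance(stmt, (ast.If, ast.For, ast.While, ast.With)):
            scan_block(stmt.body, tainted, findings)
            scan_block(getattr(stmt, "orelse", []), tainted, findings)
            continue
        if isinstance(stmt, ast.Assign):
            names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            if is_tainted(stmt.value, tainted):
                tainted |= names
            else:
                tainted -= names                        # reassigned from clean data
        for node in ast.walk(stmt):                     # every call inside this statement
            if isinstance(node, ast.Call) and matches(dotted(node.func), SINKS):
                if node.args and is_tainted(node.args[0], tainted):
                    findings.append((node.lineno, dotted(node.func)))


def analyse(source):
    """Parse the program (no execution) and return sorted (line, sink) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            scan_block(node.body, set(), findings)      # intraprocedural: parameters start clean
    return sorted(findings)


# Constructed sample program: a findable SQL injection (line 5), a parameterised
# query, a sanitised value, a flow through a helper (line 19), and a flow through
# a dict that this analyser does not track (line 23, a false negative).
SAMPLE = """\
from flask import request

def lookup(cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def lookup_safe(cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))

def lookup_by_id(cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = " + str(uid))

def build_query(name):
    return "SELECT * FROM users WHERE name = '" + name + "'"

def lookup_indirect(cursor):
    cursor.execute(build_query(request.args.get("name")))

def lookup_via_dict(cursor):
    ctx = {"name": request.args.get("name")}
    cursor.execute("SELECT * FROM users WHERE name = '" + ctx["name"] + "'")
"""

if __name__ == "__main__":
    for line, sink in analyse(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}")
```

Run stand-alone it reports lines 5 and 19 and stays silent on line 23, where the tainted value travelled through a dict the analyser does not model; that is the weaknesses slide’s “false negative” in miniature, and the crude rule that any unknown call passes taint through is where its false positives would come from. The parameterised query on line 9 is not flagged because the taint sits in the second argument, which the rule for `execute` ignores, and `int()` on line 12 is treated as a sanitiser; real tools encode the same ideas in much larger rule packs.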

Page 10: Strengths of Static Code Analysis

Scales better than humans do, can cover more code in less time

Tends to find some of the worst vulnerabilities with high confidence (SQL Injection, buffer overflows, file upload vulnerabilities)

Finds issues in code at the exact location (file and line number)

Tools include remediation recommendations, and rescanning to verify a fix is cheap

Finds vulnerabilities earlier in the lifecycle

Page 11: Weaknesses of Static Code Analysis

Requires a well-trained security analyst to do good triage; you can’t just run it and throw the report over the wall

Not all languages are supported (though the most common are)

False positives (noise that has to be triaged) and false negatives (real bugs the tool never reports)

False sense of security (cannot be the only thing you do)

Doesn’t find issues in a runtime environment (configuration issues, code/assets that aren’t scanned)

Tools are often costly (Fortify is)

Page 12: Fortify SCA Walkthrough

Audit Workbench

Command line scanning

Triage

Fortify 360

Reports

Page 13: Scan/Triage Process

Dev team requests scan and provides code location

Security analyst does scan and initial triage

Security analyst meets with dev team to finalize triage and create remediation plan

Dev team remediates issues

Security analyst verifies remediation

Wash-rinse-repeat

Page 14: Q&A

Questions?