Software Security for QA Professionals
This half-day tutorial will introduce the basics of application security testing to testing and quality assurance professionals. It covers the following areas:
- information security fundamentals,
- secure software development lifecycle (SSDLC),
- security as an issue of software quality,
- application security testing methodology,
- application security testing techniques such as fuzzing, fingerprinting, spoofing, spidering, googling, proxying, etc.,
- common security testing scenarios such as XSS, SQL injection, CSRF, session hijacking, etc.,
- common security testing tools,
- classification of security defects, and
- writing of security test reports.
Using a non-technical, easy-to-understand approach that requires only some previous web or mobile application testing or development experience, the tutorial will give the attendees
- the knowledge needed to plan and manage application security testing projects;
- the processes and methodologies for secure software development lifecycle;
- the techniques and tools for executing manual application security testing.
Browse the following blog posts:
Confidentiality, Integrity, and Availability
The CIA triad - confidentiality, integrity, and availability - is the set of 3 key security objectives of any information system.
Confidentiality
Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of confidentiality. A loss of confidentiality is the unauthorized disclosure of information. Examples of information that could be considered confidential are health records, financial account information, criminal records, source code, trade secrets, and military tactical plans. Security controls that can provide confidentiality protection are encryption, logical and ... More...
Authentication, Authorization & Auditing
Authentication, authorization and auditing are 3 basic types of security controls used to ensure information confidentiality, integrity, and availability.
Authentication
Authentication is the act of establishing or confirming someone or something as authentic, i.e., confirming that the identity claims made by a person or a process are true. Examples of an information system performing authentication: a user logs into her Windows-based laptop, a customer service representative logs into the order management system, an employee swipes his access card to enter the company building, a claims processing web service validates the SAML token of an incoming web service request, ... More...
Security Design Principles
Least Privilege
The principle of least privilege means that an individual or a process should be given the minimum level of privileges to access information resources in order to perform a task. This will reduce the chance of unauthorized access to information. For example, if a user only needs to read a file, then he should not be given the permission to modify the file.
Separation of Duties
The principle of separation of duties means that when possible, you should require more than one person to complete a critical task. The primary objective of separation of ... More...
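The two principles above are easiest to see in an authorization check. The following is an added example, not code from the tutorial or the blog post: a small policy that applies least privilege by giving each role only the permissions its task needs, and separation of duties by refusing to let the person who created an invoice also approve it, even when that person holds the approver role. The role names, users, permission strings and the invoice workflow are constructed for illustration.

```python
"""Added example (not from the tutorial): least privilege via per-role
permissions and separation of duties via a creator-may-not-approve rule.
Roles, users and permission strings are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Least privilege: each role carries only the permissions its task needs.
# A clerk can create invoices but not approve them; an auditor can only read reports.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "auditor": {"report:read"},
    "clerk": {"invoice:read", "invoice:create"},
    "manager": {"invoice:read", "invoice:approve"},
}


class AccessDenied(Exception):
    """Raised when a policy check fails; the caller must not proceed."""


@dataclass
class Invoice:
    invoice_id: str
    created_by: str
    approved_by: Optional[str] = None


class AccessPolicy:
    def __init__(self, user_roles: Dict[str, Set[str]]):
        self.user_roles = user_roles

    def permissions(self, user: str) -> Set[str]:
        """Union of the permissions of every role the user holds."""
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def require(self, user: str, permission: str) -> None:
        """Least privilege check: deny unless the user's roles grant the permission."""
        if permission not in self.permissions(user):
            raise AccessDenied(f"{user} lacks {permission}")

    def create_invoice(self, user: str, invoice_id: str) -> Invoice:
        self.require(user, "invoice:create")
        return Invoice(invoice_id, created_by=user)

    def approve_invoice(self, user: str, invoice: Invoice) -> Invoice:
        self.require(user, "invoice:approve")
        # Separation of duties: holding the manager role is not enough; the
        # person who created the invoice may never be the one who approves it.
        if invoice.created_by == user:
            raise AccessDenied(f"{user} created {invoice.invoice_id} and cannot approve it")
        invoice.approved_by = user
        return invoice


def allowed(action: Callable[[], object]) -> bool:
    """Run a policy action and report whether it was permitted."""
    try:
        action()
        return True
    except AccessDenied:
        return False


def demo() -> Dict[str, bool]:
    # Constructed users: carol holds both roles, which is where separation of duties matters.
    policy = AccessPolicy({
        "alice": {"clerk"},
        "bob": {"manager"},
        "carol": {"clerk", "manager"},
        "dave": {"auditor"},
    })
    inv1 = policy.create_invoice("alice", "INV-1")
    inv2 = policy.create_invoice("carol", "INV-2")
    return {
        "clerk_approves": allowed(lambda: policy.approve_invoice("alice", inv1)),          # denied: least privilege
        "manager_approves": allowed(lambda: policy.approve_invoice("bob", inv1)),          # allowed
        "creator_self_approves": allowed(lambda: policy.approve_invoice("carol", inv2)),   # denied: separation of duties
        "other_manager_approves": allowed(lambda: policy.approve_invoice("bob", inv2)),    # allowed
        "auditor_creates": allowed(lambda: policy.create_invoice("dave", "INV-3")),        # denied: least privilege
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'allowed' if ok else 'denied'}")
```

Note that the separation-of-duties rule lives in the operation itself rather than in the role table: role membership alone cannot express "not the same person who did the previous step", so a tester checking this control needs a test case where one account legitimately holds both roles.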
Risk Management Concepts
Risk Management Processes (NIST SP 800-30)
There are many different risk management methodology frameworks. One of the most commonly adopted is NIST SP 800-30.
What is NIST SP 800-30?
NIST SP 800-30 is the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30. This special publication is entitled “Risk Management Guide for Information Technology Systems”. It provides a guide for the development of an effective risk management program for an organization’s IT systems. The goal of NIST SP 800-30 is to help organizations better manage information risks. In addition, NIST SP 800-30 provides information on the selection of cost-effective security controls. ... More...
Security Categorization (FIPS-199)
What is FIPS-199?
FIPS Publication 199 provides a standard to categorize all information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels. In short, FIPS-199 categorizes an information type or an information system by the business impact of a loss of confidentiality, integrity, or availability of that information type or information system.
Security Categorization of an Information Type
The security categorization (SC) of an information type is specified by combining the impact from loss of confidentiality, integrity, and availability for ... More...
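The combination step is mechanical, so it is worth seeing it carried out. The following is an added example, not code from the tutorial or the blog post: it builds the SC of each information type from its three impact levels, then derives the SC of a system that processes several types by taking the highest impact per objective across those types (the "high water mark"), with the overall level being the highest of the three. The information types and their impact levels are constructed for illustration; the rules that N/A is permitted only for the confidentiality of an information type and that a system's floor is LOW follow FIPS-199.

```python
"""Added example (not from the tutorial): FIPS-199 style security
categorization of information types and of the system that holds them.
The information types below are constructed for illustration."""
from typing import Dict, List

LEVELS = ("N/A", "LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_type(name: str, confidentiality: str, integrity: str, availability: str) -> Dict[str, str]:
    """SC of one information type: the three impact levels, validated."""
    sc = {"confidentiality": confidentiality, "integrity": integrity, "availability": availability}
    for objective, level in sc.items():
        if level not in RANK:
            raise ValueError(f"{name}: unknown impact level {level!r} for {objective}")
        # FIPS-199 allows N/A only for confidentiality (e.g. public information);
        # integrity and availability always have at least a LOW impact.
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{name}: N/A is only permitted for confidentiality")
    return {"name": name, **sc}


def categorize_system(name: str, info_types: List[Dict[str, str]]) -> Dict[str, str]:
    """High water mark: per objective, the highest impact of any type on the system."""
    if not info_types:
        raise ValueError(f"{name}: a system must process at least one information type")
    system: Dict[str, str] = {"name": name}
    for objective in OBJECTIVES:
        highest = max((t[objective] for t in info_types), key=RANK.__getitem__)
        # An information system's impact level is never N/A: the floor is LOW.
        system[objective] = "LOW" if highest == "N/A" else highest
    # Overall categorization is the highest of the three objectives.
    system["overall"] = max((system[o] for o in OBJECTIVES), key=RANK.__getitem__)
    return system


def format_sc(sc: Dict[str, str]) -> str:
    """Render in the FIPS-199 notation: SC x = {(confidentiality, L), (integrity, L), (availability, L)}."""
    parts = ", ".join(f"({objective}, {sc[objective]})" for objective in OBJECTIVES)
    return f"SC {sc['name']} = {{{parts}}}"


def demo() -> Dict[str, str]:
    # Constructed information types processed by a hypothetical acquisition system.
    info_types = [
        categorize_type("contract information", "MODERATE", "MODERATE", "LOW"),
        categorize_type("public press releases", "N/A", "MODERATE", "MODERATE"),
        categorize_type("routine administrative information", "LOW", "LOW", "LOW"),
    ]
    return categorize_system("acquisition system", info_types)


if __name__ == "__main__":
    for t in [categorize_type("contract information", "MODERATE", "MODERATE", "LOW")]:
        print(format_sc(t))
    system = demo()
    print(format_sc(system), "-> overall", system["overall"])
```

The point for a tester is the availability column: none of the constructed types is MODERATE for confidentiality and availability at the same time, yet the system as a whole is MODERATE for both, because each objective is rated independently before the overall level is taken.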