Why and how we are investing in Application Security Testing

What I am going to talk about
- Software testing at the Tax Agency
- Prestudy of Application Security Testing (AST) and the choices made
- Pilot project for testing
- Results and conclusion

Saeid Mojtahedzadeh
Senior Test Manager, Test Strategist and Test Specialist. 20 years of testing experience in IT, telecom and finance at Ericsson Telecom, Telia AB, CSC (Computer Sciences Corporation), Tele2 AB, OMX Nasdaq, Nexus Security, Sogeti AB and the Tax Authority in Sweden. Certified Project Manager and Scrum Master. Testing and quality manager for large and strategic projects, from system testing to the acceptance test level. As a test specialist, I have worked with testing process improvement, different test methodologies, test tools, test data management, test environments, test automation and application security testing.

General test strategy at the Tax Agency
- Product risks: focus on the faults and errors that have the greatest impact on the application
- Test deliverables:
  - Requirements: use cases, supplementary requirements
  - System architecture design: information model, analysis model, design model, service specification, data model

Supplementary requirements (SR) for system development projects
- Usability
- Reliability
- Performance
- Supportability
- Design constraints
- User documentation
- Interfaces (HW, SW, communications and user)
- Licensing requirements
- Applicable standards
- Storage period of data
- Access control in order to protect data
- Legal requirements
- Security

How software development and testing is done today
- Development: unit test, integration test
- Test: system test, system integration test
- Business units: acceptance test
- Clients / operations: production

Do we need to start with AST?
- Functional testing
- Non-functional testing (performance etc.)
- Web and browser testing
- Automated regression and system testing
- What about security, then? Is it covered according to the supplementary specifications?

Decision to start with a prestudy
- Overview of the different options for AST within the Tax Agency
- Consultation with other stakeholders in the field of application security
- Must be based on industry standards
- Include processes, organization, tools and legal issues

Prestudy: application security strategies (ordered from proactive to reactive)
- SSDL: Secure Software Development Lifecycle
- SAST: Static Application Security Testing
- DAST: Dynamic Application Security Testing
- (IAST): Interactive Application Security Testing
- Monitoring: logs, events, network traffic etc.

Prestudy: risk management standards are important!
OWASP Top 10:
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
CWE: 1003 entries; contains the vulnerability types connected to the OWASP categories.

Current state: test of application security
- Mission from the Government
- Tax Agency mission plan
- Internal regulations, guidelines and process descriptions
- Coordination between projects and departments
- No guidelines or official processes
- Mission carried out

Prestudy: three alternatives suggested
- Internal function: employ, re-use or educate internal security competence
- External function: purchase AST as a service, handling the security test step with expertise
- Tool box: security tools chosen by the Tax Agency which will be available to employees
An external function goes hand in hand with the strategy of the Tax Agency as a whole.

Pilot projects
- Projects of different size and development status: acceptance test, development test, system test
- Presenting the test process
- Not aiming at security as a test, but at the test process itself
- Tests carried out on three chosen (live) projects

The result of the pilot projects
- Integrated well in the different projects
- Little time spent by the development projects
- Reporting according to standards gave easy measurements
- Input for software development and testing guidelines
- End of pilot = ready to run live tests for development projects

What happens next
- Offering AST internally as a service: it offers security testing in software development and testing
- Marketing activities inside the IT organization. How to get projects interested? Cost-effective and quick delivery; necessary to do it
- Two parallel tracks:
  - Update the test process guidelines
  - Run security tests and get projects used to the tests

Lessons learned
- With risk in mind
- Requirements are important
- Competence to execute
- Updated test process
- Communicate
- Implement in the SDLC
- Cost on projects
- Marketing internally is important! Get people onboard!

Thank you!