Why and how we are investing in Application Security Testing

What I am going to talk about
- Software testing at the Tax Agency
- Prestudy of Application Security Testing (AST) and the choices made
- Pilot project for testing
- Results and conclusion

Saeid Mojtahedzadeh
Senior Test Manager, Test Strategist and Test Specialist. 20 years of testing experience in IT, telecom and finance at Ericsson telecom, Telia AB, CSC (Computer Sciences Corporation), Tele2 AB, OMX Nasdaq, Nexus Security, Sogeti AB and the Tax Authority in Sweden. Certified Project Manager and Scrum Master. Testing and quality manager for large and strategic projects, from system testing to the acceptance test level. As a test specialist, I have worked with testing process improvement, different test methodologies, test tools, test data management, test environments, test automation and application security testing.

General test strategy at the Tax Agency
Product risks: focus on the faults and errors that have the greatest impact on the application.
Test deliverables are based on:
- Requirements: use cases, supplementary requirements
- System architecture design
- Information model
- Analysis model
- Design model
- Service specification
- Data model

Supplementary Requirements (SR) for system development projects
- Usability
- Reliability
- Performance
- Supportability
- Design constraints
- User documentation
- Interfaces (hardware, software, communications and user)
- Licensing requirements
- Applicable standards
- Storage period of data
- Access control in order to protect data
- Legal requirements
- Security

How software development and testing is done today
- Development: unit test, integration test
- Test: system test, system integration test
- Business units: acceptance test
- Clients / Operations: production

Do we need to start with AST?
What is tested today:
- Functional testing
- Non-functional testing (performance etc.)
- Web and browser testing
- Automated regression and system testing
What about security, then? Is it covered according to the supplementary requirements?

Decision to start with a prestudy
- Overview of the different options for AST within the Tax Agency
- Consultation with other stakeholders in the field of application security
- Must be based on industry standards
- Include processes, organization, tools and legal issues

Prestudy: application security strategies, from proactive to reactive
- SSDL: Secure Software Development Lifecycle
- SAST: Static Application Security Testing
- DAST: Dynamic Application Security Testing
- (IAST): Interactive Application Security Testing
- Monitoring: logs, events, network traffic etc.

Prestudy: risk management standards are important!
OWASP Top 10:
- A1 - Injection
- A2 - Broken Authentication and Session Management
- A3 - Cross-Site Scripting (XSS)
- A4 - Insecure Direct Object References
- A5 - Security Misconfiguration
- A6 - Sensitive Data Exposure
- A7 - Missing Function Level Access Control
- A8 - Cross-Site Request Forgery (CSRF)
- A9 - Using Components with Known Vulnerabilities
- A10 - Unvalidated Redirects and Forwards
CWE: 1003 entries; contains vulnerability types connected to the OWASP categories.

Current state: test of application security
- Mission from the Government
- Tax Agency mission plan
- Internal regulations, guidelines and process descriptions
- Coordination between projects and departments
- Mission carried out
Gap: no guidelines or official processes exist for application security testing.

Prestudy: three alternatives suggested
- Internal function: employ, re-use or educate internal security competence
- External function: purchase AST as a service, with the security test step handled by external expertise
- Tool box: security tools chosen by the Tax Agency, made available to employees
An external function goes hand in hand with the strategy of the Tax Agency as a whole.

Pilot projects
- Projects of different sizes and at different development stages: acceptance test, development test, system test
- Presenting the test process: not aiming at security as a test, but at the test process itself
- Tests carried out on three chosen (live) projects

The result of the pilot projects
- Integrated well into the different projects
- Little time spent by the development projects
- Reporting according to standards gave easy measurements
- Input for the software development and testing guidelines
- End of pilot = ready to run live tests for development projects

What happens next
- Offering AST internally as a service: security testing in software development and testing
- Marketing activities inside the IT organization: how to get projects interested? Cost-effective and quick delivery; necessary to do it
- Two parallel tracks: update the test process guidelines; run security tests and get projects used to the tests

Lessons learned
- With risk in mind
- Requirements are important
- Competence to execute
- Updated test process
- Communicate
- Implement in the SDLC
- Cost on projects
- Marketing internally is important! Get people onboard!

Thank you!