Tuesday, October 2, 2012

QA Teams Can Improve Software Security! Presentation File

In September, I presented "QA Teams Can Improve Software Security!" at the Kansas City Quality Assurance Association chapter meeting.  Here is the PowerPoint presentation from that meeting:

Monday, August 6, 2012

QA Teams Can Improve Software Security! - Sept. 13, 2012 Presentation at the Kansas City Quality Assurance Association Meeting

Next month, I will be giving a presentation at the Kansas City Quality Assurance Association Meeting.  The talk is titled "QA Teams Can Improve Software Security!"  The presentation will be on September 13, 2012 at 11:15am at Manny's.  Take a look at the KCQAA Website for more details on the location and time.

During the presentation, I will talk about what role QA teams can play in improving software security, how their continuing education, structure, and composition can be improved to make them more effective at finding vulnerabilities, and I will give examples of test case techniques for finding security weaknesses.

In my opinion, testing for security weaknesses (whether it's positive or negative testing) is very similar to what QA already does.  Security vulnerabilities are just another type of quality defect, and QA teams are well suited to this role.  Come check out my presentation and join in the conversation!

Note: As always, testing is just a very small part of software security (which I talk about in the presentation).  Good software security programs include portfolio management; training; security requirements; secure architecture, configuration, and coding patterns (think design patterns); validation (positive and negative testing); metrics; and continuous improvement.

Wednesday, April 4, 2012

Higher Expectations for Security Assessments

We've all heard the saying that you can't test security into software, so if we must do these tests, why not demand more value from them?  If someone performed a security assessment on my software, I would expect them to contribute knowledge in a meaningful way to help me build better software in the future.  I don't think a report with best practices meets that expectation.

Existing Knowledge Base and Patterns

Before we get much further, let's talk about the knowledge and resources I would start with.  I know this may not be common in many organizations, but I would expect to have a specific set of secure architecture, configuration, and coding patterns that satisfy security requirements for my application, organization, data protection needs, and the threat actors targeting my application, AND these patterns are tailored for the language and frameworks I'm using.  These patterns may not be very complete or robust, but they are at least a starting point to be added upon in the future.

For example, if I'm using ASP.NET MVC 3, I will have concrete examples of how to switch out the default HTML encoder within the Web.config file with the Microsoft Web Protection Library (AntiXSS Library), and then have example code that implements HTML or JavaScript encoding within my view such that cross-site scripting attacks are rendered inert (you could also mention input validation, but I skipped it in this example).  I would also have examples for configuring the application to require SSL/TLS, Secure and HttpOnly flags on cookies, and other similar security-related configuration settings.  There are many more possibilities that should be included within this library of patterns.  Each would also include one or more validation patterns that ensure a security control is present and working properly, such as:

  • Unit tests
  • Automated tests using Capybara, Watir, or other similar frameworks
  • QA test cases
  • Automated static analysis rules
  • Dynamic testing test cases
  • Many more...
Security Assessment Expectations

After I receive an assessment report, what do I expect the assessor to provide to me (in addition to a report discussing the issue, risk rating, best practice, etc.)?  First, I would expect a completed test case of some kind to reproduce the issue.  This may require collaboration between the developers, QA testers, and the security tester, but I should receive automated (preferable) or manual test cases (for example, detailed instructions for QA to follow, probably created by QA while walking through reproduction with the assessor) that I can run at any time to validate whether the vulnerability has been fixed successfully.  These test cases may reflect the capabilities of the organization and the validation patterns that already exist.
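Here is what such a replayable validation test case could look like for the two patterns mentioned earlier (output encoding against cross-site scripting, and the Secure and HttpOnly flags on cookies). This is an added example, not from the original post or any assessment tool; it checks captured responses rather than a live site, and the canary value, the cookie values, and both sample responses are constructed for illustration.

```ruby
# Replayable validation test case for two findings: a reflected XSS that the
# fix encodes on output, and a session cookie lacking Secure/HttpOnly.
# Works on captured responses (headers + body) so it can run offline, any time.
CANARY = %q{<qa"xss'>}   # constructed probe value the assessor reflected back

# Parse Set-Cookie headers into { cookie name => [attributes, lowercased] }.
def cookie_flags(set_cookie_headers)
  set_cookie_headers.each_with_object({}) do |line, out|
    parts = line.split(';').map(&:strip)
    name  = parts.shift.split('=', 2).first
    out[name] = parts.map(&:downcase)
  end
end

# Safe only when the raw canary never appears AND its HTML-encoded form does,
# which proves the page reflected the value through the encoder.
def reflection_encoded?(body)
  !body.include?(CANARY) && body.include?('&lt;qa')
end

# Returns the list of failed checks; an empty list means the fixes hold.
# ASP.NET_SessionId is the default ASP.NET session cookie name.
def validate(response)
  failures = []
  failures << 'XSS: canary reflected unencoded' unless reflection_encoded?(response[:body])
  session = cookie_flags(response[:set_cookie])['ASP.NET_SessionId']
  if session.nil?
    failures << 'session cookie not set'
  else
    failures << 'session cookie missing Secure'   unless session.include?('secure')
    failures << 'session cookie missing HttpOnly' unless session.include?('httponly')
  end
  failures
end

# Constructed sample responses captured before and after the fix.
BEFORE = {
  set_cookie: ['ASP.NET_SessionId=abc123; path=/'],
  body: %Q{<p>Hello #{CANARY}</p>}
}
AFTER = {
  set_cookie: ['ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly'],
  body: '<p>Hello &lt;qa&quot;xss&#39;&gt;</p>'
}

if __FILE__ == $0
  puts "before fix: #{validate(BEFORE).inspect}"
  puts "after fix:  #{validate(AFTER).inspect}"
end
```

Pointing the same checks at a live response from Capybara or Watir turns this into the automated test case the assessor hands over with the report.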

Second, I would expect the assessor to help evaluate and update existing secure coding, configuration, architecture, and validation patterns to ensure a solution exists for future development.

Third, I would expect the assessor to provide a mini training session (it may only be 10 minutes using a web-based conferencing solution) explaining the vulnerability, and then support the development lead or architect in training the developers and QA testers in applying the new patterns.

Finally, I would expect the assessor to help link specific weaknesses in my application to techniques commonly used by the threat actors targeting my organization and application.