Software Security Testing Best Practices
This is a must-have course for functional testers who need to make the transition to finding security bugs. It is also essential for test managers because it teaches the soup-to-nuts process of security testing and how this type of testing fits into the overall QA process. Additionally, software testers, software developers, development and test managers, security auditors and anyone involved in software production for resale or internal use will find it valuable. Attendees will walk away with the skills and techniques both to build a solid security testing team and to expose the most insidious application security vulnerabilities.
COURSE OVERVIEW
How do you find security flaws beyond simple ones like buffer overflows? Most current software security testing falls into one of two categories: random corruption of files or network protocols, and re-executing existing, known vulnerabilities against new versions of software. However, to find subtle and innovative flaws before hackers do, you need a more regimented, more creative process. In this course, the instructor walks you through a well-organized and technically sophisticated approach that has been used successfully to identify and root out harmful security defects in both commercial and internal software applications. Get the basics on how to conduct a security threat assessment of your systems before or after they go live. Learn how to develop a comprehensive security test strategy and build a team with the right mix of skills and experience to execute it. Discover novel yet disciplined approaches for using fault injection to find security vulnerabilities before your software is exposed to your users and to the hackers of the world.
COURSE BENEFITS
- Learn how to plan a security testing effort and integrate security testing into your QA process
- Learn about risk assessments, test prioritizations and threat modeling
- Acquire the skills to recognize and expose the most insidious security vulnerabilities in your applications
- Discover tools, techniques and processes to make security an integral part of your release process and to create a security-aware culture in your test team
- Learn the many categories of security bugs that may exist in your software and the secrets of application security testing
COURSE OUTLINE
I. Introduction - Where does security testing fit into the product lifecycle?
- Definition of a security bug
- The role of a security tester in the organization
- Overview of security testing elements
II. Methodology
- Security testing roles
- Threat modeling
- Risk assessments
- Security test planning
- Test team organization and management
- Reporting
III. In-Depth Look at Security Vulnerabilities
Note: This section of the course is organized so that each vulnerability type is analyzed in turn: its cause, its symptoms, how to prevent it, and the testing techniques and tools used to find it in software.
1.) System-Level
- Accepting Arbitrary Files as Parameters
- Permitting Relative and Default Paths
- Offering Administrative, Software and Service Back Doors
- Default or Weak Passwords
- Shells, Scripts and Macros
- Dynamic Linking and Loading
2.) Data Parsing
- Buffer Overflows
- Advanced Buffer Overflows
- Format String Attacks
- Integer Overflows
3.) Information Disclosure
- Storing Passwords in Plain Text
- Creating Temporary Files
- Leaving Things in Memory
- The Swap File and Incomplete Deletes
- Weakly-Seeded Keys and Random Number Generation
- Trusting the Operating System APIs
4.) On the Wire
- Trusting the Identity of a Remote Host (Spoofing)
- Proprietary Protocols
- Volunteering Too Much Information
- Loops, Self References and Race Conditions
5.) Web sites
- Cross Site Scripting
- Forceful Browsing
- Parameter Tampering
- Cookie Poisoning
- Hidden Field Manipulation
- SQL Injection
- Security on the Client
- Trusting the Domain Security Model
- Trusting SSL
IV. Conclusion
- Applying the techniques
- Learning from past mistakes
- Case studies
For more information please contact Sales at +1.978.694.1008 x24 or email