Software Testing Analysis & Review 2006 Conference Proceedings 

STAREAST 2006 Concurrent Sessions


 Security Testing
T14
Thursday, May 18, 2006 1:30 PM
Security Testing: Are You a Deer in the Headlights?
Ryan English, SPI Dynamics Inc

With frequent reports in the news of successful hacker attacks on Web sites, application security is no longer an afterthought. More than ever, organizations realize that security has to be a priority while applications are being developed—not after. Developers and QA professionals are learning that Web application security vulnerabilities must be treated like any other software defect. Organizations can save time and money by identifying and correcting these security defects early in the development process. Ryan English helps you overcome the “deer in the headlights” look when you are asked to begin testing applications for security issues. See real-world examples of company Web sites that have been hacked because of vulnerable applications and see how the attacks could have been avoided.

• Security defect categories and responsibility areas
• How QA professionals can test for security defects using manual testing, open source tools, and integrated automated testing
• Case studies of hacked Web sites

T18
Thursday, May 18, 2006 3:00 PM
Model-Based Security Testing
Kyle Larsen, Microsoft Corporation

Preventing the release of exploitable software defects is critical for all applications. Traditional software testing approaches are insufficient, and generic tools are incapable of properly targeting your code. We need to detect these defects before going live, and we need a methodology for detection that is cost-efficient and practical. A model-based testing strategy can be applied directly to the security testing problem. Starting with very simple models, you can generate millions of relevant tests that can be executed in a matter of hours. Learn how to build and refine models to focus quickly on the defects that matter. Kyle Larsen shows you how to create a test oracle that can detect application-specific security defects: buffer overflows, uninitialized memory references, denial of service attacks, assertion failures, and memory leaks. Take back information on the advanced file “fuzzing” techniques Microsoft has used successfully.

• How to build a model and adjust it to find security defects
• Ways to apply the model-based techniques to any product
• Microsoft’s results using this methodology on shipping code



STAREAST 2006 is a Software Quality Engineering Production


© 2006 Software Quality Engineering. All rights reserved.