Security Testing (slide deck, 4/16/2009)

Awareness: What, Why, When, Who
- Defects are reported late in the SDLC.
- The security engineering model is not well integrated with the standard SDLC.

Awareness (continued)
- Formal security requirements need to be identified.
- Security compliance needs to be taken into account in the design phase.
- The security process needs to be integrated into the SDLC.
- A test strategy for security testing is required.
- Quality time needs to be allocated for building secure software at all levels: requirements, design, coding, testing.
- Engineering teams and QA teams need training.

Scope of security testing
- Identify risks.
- Prioritize risks.
- Regulatory compliance.
- Define the threat model to be used (can be based on the MS security threat model or OSSTMM).
- Training requirements.
- Testing during sustenance (maintenance).
- Available tools, solutions, cost, time.

Tools available
- HP Application Security Center
- Microsoft Visual Studio Team Edition
- IBM AppScan
- Various small utilities

Application Security Center: a complete application lifecycle solution
- DevInspect's hybrid analysis ensures code under development is secure.
- QAInspect verifies the security of the entire application during QA.
- WebInspect provides pre- and post-production application and environment security analysis.
- Assessment Management Platform enforces security policies and manages activities across the lifecycle.

Regulatory compliance: industry regulations and standards
- SOX 404
- HIPAA
- FFIEC
- PCI
- OWASP Top 10 / Guides
- GLBA
- SCADA Security
- CA SB1386 / State Notification Laws
- OASIS
- ISO 17799
- BASEL II
- FISMA
- EU Data Protection Directive

Before we close
- Know the 5 Ws: the bare minimum is knowing the who, what, where, when, and why for each feature.
- Design and validate security into the product.
- Several legal requirements should be considered in testing, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Computer Fraud and Abuse Act (CFAA), and California (CA) SB1386.
- Never run tests as an administrator/root.
- Understand the limitations of tools.
- Keep updating methodology and tools.
- Not all software security programs are identical; build a program to meet your needs.

Credits
- http://en.wikipedia.org/wiki/Wiki
- http://www.isecom.org/osstmm/
- http://www.hp.com
- http://www.ibm.com
- http://www.microsoft.com