lightning talks
DESCRIPTION
Lightning Talks. Presented at Better Software 2005 By Matt Heusser … and the gang. [email protected]. Timothy Lister. Atlantic Systems Guild Overwhelm ‘em with estimates [email protected]. Ryan English. - PowerPoint PPT PresentationTRANSCRIPT
Ryan EnglishSPI Dynamics
The Road to Secure Software Nirvana:Web Application Security in Quality Assurance
Web Applications Breach the Perimeter
Corporate I nside
Trusted Inside
DMZInternet
IISSunOneApache
ASP.NETJ2EE
MS-SQLORACLE
DB2
Firewall allows applications on the web server to talk to application server.
Firewall allows PORT 80 (or 443 SSL) traffic from the Internet to the web server.
Any – Web Server: 80
Firewall allows application server to talk to database server.
HTTP/HTTPS
Examples of Application Security Vulnerabilities
Platform
Administration
Application
Web application vulnerabilities occur in multiple areas.
Known Vulnerabilities
Platform
Extension Checking
Common File Checks
Data Extension Checking
Backup Checking
Directory Enumeration
Path Truncation
Hidden Web Paths
Forceful Browsing
Administration
Application Mapping
Cookie Manipulation
Custom Application Scripting
Parameter Manipulation
Reverse Directory Transversal
Brute Force
Application Mapping
Cookie Poisoning/Theft
Buffer Overflow
SQL Injection
Cross-site scripting
Application
Why should QA be concerned about Application Security?
Design
1 X
Development
Static Analysis
6.5X
Testing
Integration Testing
System/Acceptance Testing
15X
Deployment
Customers In the Field
100XThis is the cost to fix a security defect.
What would the cost be if you were actually hacked?
QE Industry Round Table
• Why– To learn from other organizations and share best
practices• What
– Discuss a topic of mutual interest (e.g. Performance, Internationalization, RCAs, Metrics)
– 2-3 short presentations followed by group discussion• Who
– QE managers from local companies• When
– Once per quarter, for an afternoon
Melissa W. FrailThe MathWorks, IncBetter Software 2005
Getting Started
• Identify Participants– Invite contacts at other companies– Network within your company – Talk to new hires about their previous companies
• Ground Rules– No NDAs – share what you are comfortable sharing– No recruiting
Melissa W. FrailThe MathWorks, IncBetter Software 2005
Matthew HeusserSecrets of the Baby [email protected]
The Word Test
• “When was the first time you heard the word test?”
• “Where were you when you first heard the word test”?
• “How did the word test make you feel”?
Usual Answer
• “It was my third grade teacher at school, and I felt nervous and afraid.”
• Less Frequent - “It was my third grade teacher, and I was happy and excited to show how smart I was.”
Openness to Testing
• “I’m sure there is nothing wrong with the software, so go ahead and test it, better you find defects than our customers.”
More Common
• “There is no need to test my software because there is nothing wrong with it.”
• “You are not qualified to test my software because you don’t know as much as I do about it.”
• “If any Test Engineers come into our office again to test our software we will throw them through the third floor window.”
Don’t Call It Testing Table
A B C 1. Rapid 1. Quality 1. Assurance 2. Unified 2. Verification (and) 2. Validation 3. Agile 3. Experimental 3. Trails 4. Meta 4. Examination 4. Study 5. Flexible 5. Observational 5. Demonstration 6. Tailored 6. Conceptual 6. Prediction 7. Scalable 7. Acceptance 7. Proof 8. Integrated 8. Criterion 8. Scoring 9. Independent 9. Requirement 10. Observed 10. Satisfaction 11. Customer Based 12. <none>
Don’t Call It a Bug Table
A B 1. Potential 1. Anomaly 2. Suspect 2. Correctness 3. Tentative 3. Believability 4. Pseudo 4. Certainty 5. Unresolved 5. Convergence 6. Unstable 6. Correlation 7. Irregular 7. Correctitude 8. Arbitrary 8. Correspondence 9. Random 9. Censure 10. Fuzzy 10. Result 11. Biased 11. Presentation
Bug Free Software?
• “The software was so good that the developers felt it to be without bugs and not necessary to test. We did, however, perform some Rapid Requirement Proofs and found a number of cases of Irregular Convergence and Biased Believability. These findings were handled by the developers as trivial enhancements, which have now been fully implemented, and we are ready to ship after performing the mandatory Independent Observational Scoring.”
Facts & Assumptions
Facts are known - How many widgets did we sell last year?
Assumptions are placeholders for facts - How many widgets will we sell next year?
Thanks for coming!
Lightning talks will be at STARWest and other upcoming conferences!
Call for presentations - http://www.sqe.com/lightningtalks.asp
and http://www.xndev.com/Speaking.htm