An Integrated Security Testing Framework For Secure Software Development Life Cycle
Presented by: Moutasm Tamimi, Software Engineering, 2017
Published by: Yuan-Hsin Tung*, Sheng-Chen Lo, Jen-Feng Shih, and Hung-Fu Lin, 2016

Outline
• Overview
• Integration testing
• Testing Methodologies
• Defect/error/bug
• Integrated security testing
• Examples of security testing
• Paper Analyses
• Paper Background
• Paper Objectives
• Paper Evaluation process
• Introduction
• Research method
• Related works
• Integrated Security Testing Framework
• System Design And Implementation
• Conclusion
Overview
Integration testing
• Integration testing is the phase in software testing in which individual software modules are combined and tested as a group. It occurs after unit testing and before validation testing. Integration testing takes as its input modules that have been unit tested, groups them in larger aggregates, applies tests defined in an integration test plan to those aggregates, and delivers as its output the integrated system ready for system testing.
Martyn A Ould & Charles Unwin (ed), Testing in Software Development, BCS (1986), p71. Accessed 31 Oct 2014
Testing Methodologies https://www.inflectra.com/ideas/topic/testing-methodologies.aspx
Defect/ Error/ Bug
• A defect is an error or bug in the application being built. A programmer can make mistakes or errors while designing and building the software. These mistakes or errors mean that there are flaws in the software; these flaws are called defects.
• A threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm.

Threats

Threats, Controls, and Vulnerabilities
• Water is the threat.
• The crack is the vulnerability.
• Control: the man is placing his finger in the hole, controlling the threat of water leaks.
• Vulnerability: a weakness in the security system.
• Threat: a set of circumstances that has the potential to cause loss or harm (a possible danger that might exploit a vulnerability).
• A threat is blocked by control of a vulnerability.
• Attack: exploitation of one or more vulnerabilities by a threat; it tries to defeat controls.

Integrated security testing
• Integration tests aim to test the functionality of collaborating classes, including functionality provided by the application server.
• Integration tests can be conducted using mock objects or by running the tests within the container.
• In-container testing has the benefit of allowing developers to test the security services provided by the container, such as access control and encryption.
• Compared to unit tests, many more security controls can be tested using integration tests.
De Vries, S. (2006). Security Testing Web Applications throughout Automated Software Tests. Corsaire Ltd, 3.
Example: software security process into SDLC processes
Examples of security testing
Other examples
• https://www.slideshare.net/moutasmtamimi/sql-injection-clickjacking-attacks
Paper Analyses
Paper background
• Hundreds of vulnerabilities and security defects are disclosed by hackers, developers, and users.
• A better way to improve software security is to integrate security processes into the SDLC processes.
• To keep software secure, security enhancement of the SDLC process involves many practices and activities to achieve the goal of security.

Objectives
• The main goal of the paper was to show how to adopt these activities well to improve software security, through an integrated security testing framework for the secure software development life cycle.
• Apply security activities and practices of SSDLC to generate security guidelines.
• Integrate security testing tools as a platform to provide a testing service, and converge the testing results of the tools to improve the accuracy of testing.

Paper Evaluation process
• Prototype system
• 50 software development projects (multi-case studies)

Introduction
• Security is an important part of developing any software.
• Commercial tools and open source software have been developed for detecting security vulnerabilities so that the threats can be fixed.
• Defects are addressed in each phase of the software development life cycle (SDLC): requirements phase, design phase, development phase, and testing phase.

There is no integrated tool that can detect all defects in the SDLC.

Vulnerabilities can be traced in software because of:
• Bad analysis
• Bad design
• Poor development method

Facts
• Secure software is not easy to achieve, and it has been demonstrated that improvements to the software development process can help to minimize the number of vulnerabilities in software under development.
• The SSDLC process involves many security practices and activities to achieve the goal of security. How to adopt these activities well to improve software security is an important problem.

Research method
• The case study was carried out with the prototype system, which can provide a quality and stable service.
• 50 software development projects
• 200 programmers

Related works
Security models in the software development life cycle, with descriptions:
• Microsoft Security Development Lifecycle (Microsoft SDL): a software development process used and proposed by Microsoft to reduce software maintenance costs and increase reliability of software concerning software security related bugs.
• Building Secure Software: is developing a maturity model, which would imply changing the way organizations work.
• Open Web Application Security Project (OWASP): an online community which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
Activities in Microsoft SDL
A structure overview of SAMM
An Overview of Integrated Security Testing Framework
Four main phases of proposed framework
1. Define security guidelines to meet the security goal by analysing the enterprise's security requirements in each phase of the SSDLC.
2. Construct security test cases according to the security guidelines.
3. Execute test cases by integrating various security testing tools and adopting an API to execute tests automatically.
4. Converge testing results from different testing tools; the authors propose a meta-vulnerability data model to describe the features of a vulnerability.

Phases of proposed framework
1. Security guidelines
2. Build security test cases
3. Execute test cases
4. Converge testing
Overview of integrated security testing framework
Phase 1: Requirement Development
• The main goal: to analyse the security requirements in the development life cycle of the enterprise and establish a security guideline.
• The security guideline is developed by analysing security requirements, which consists of three steps:
1. Security requirement analysis
2. Security risk assessment
3. Security guideline development

Step 1: security guideline
Security requirement analysis:
1. Identify security practices and activities as security requirements.
2. Enumerate all potential security issues in the requirements phase and design phase.
Fact: Defining and integrating security requirements in the early SSDLC phases makes it easier to identify key security issues and minimize threats in the later phases: design, implementation, verification, and release.

The STRIDE threat list is an example of security issues
• STRIDE is a threat classification model developed by Microsoft for thinking about computer security threats.
• The threat categories are:
1. Spoofing of user identity
2. Tampering
3. Repudiation
4. Information disclosure (privacy breach or data leak)
5. Denial of service (D.o.S)
6. Elevation of privilege

Step 2: Security risk assessment
• Evaluate all identified security issues by security risk assessment.
• Applying a structured approach to threat scenarios helps an enterprise identify security issues more effectively and less expensively, determine risks from those threats, and establish appropriate mitigations.

DREAD, an example of a structured approach
The DREAD model is a classification scheme for quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat. The categories are:
1. Damage - how bad would an attack be?
2. Reproducibility - how easy is it to reproduce the attack?
3. Exploitability - how much work is it to launch the attack?
4. Affected users - how many people will be impacted?
5. Discoverability - how easy is it to discover the threat?

Step 3: Security guideline development
• Develop candidate security issues and transform them into security guidelines and technique specifications.
• Security guidelines are a checklist of practices that may contain code style, security specification, and security function.

Phase 2: Test Case Construction Phase
Part 1: Test Case Construction
• According to security requirements and security guideline: generate test case, design test case.
• Diagram labels: Requirements specifications, Test plan, Test script (testers).

Phase 2: Test Case Construction Phase
Part 2: Test case management
• According to the test case management: store test cases into the test case base.
• Executing tools
• 4 types of test cases:
1. Automatic
2. Semi-Automatic
3. Manual
4. Code Review
• Store test scripts and reuse test scripts automatically.
• Execute test cases with security testing tools.

Phase 3: Tool Integration
Part 1: Security Tester Integration
• Testing tools are integrated based on the proposed framework.
• Because security testing tools have various interfaces, the authors applied a framework for Web security Testing-as-a-Service (TaaS) in a cloud environment to integrate the testing tools.
• Define a common application programming interface (API) to drive the testers.
• The testing tools can be controlled and accessed through the API.
Tung, Y. H., Lin, C. C., & Shan, H. L. (2014, April). Test as a Service: A framework for Web security TaaS service in cloud environment. In Service Oriented System Engineering (SOSE), 2014 IEEE 8th International Symposium on (pp. 212-217). IEEE.

Phase 3: Tool Integration
Part 2: Security Tester Execution
1. Execute test cases automatically after security tester integration.
2. Use the open API to drive the tester to perform the test case.
3. The automated test tool, called the tester, is controlled by the controller and executes test cases without human intervention.

Phase 4: Result Analysis Phase
Part 1: Fusion Data Modelling
• Static testing often checks syntax and data flow as static program analysis.
• Dynamic testing detects vulnerabilities by actually performing the attack while the program is running.
• Various testing results are fused by defining a meta-data model to represent vulnerabilities.
• Testing results are divided into three main parts:
1. Project Detail
2. Scan Configuration
3. Detected Vulnerability

Phase 4: Result Analysis Phase
Part 2: Testing Result Analysis
1. Compare testing results from different testing sources at the same baseline, based on the data model.
2. Compare the testing reports from different testing sources.
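An added example (not code from the paper or from these slides) of the Phase 4 fusion step: reports from two tools in different formats are normalized into one record made of the three parts named above, then compared on a common baseline. The field names, tool names, the CWE-plus-location baseline key, the file-to-route mapping and both sample reports are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# The three parts come from the slide; every field inside them is an assumption.
@dataclass(frozen=True)
class ProjectDetail:
    name: str
    version: str

@dataclass(frozen=True)
class ScanConfiguration:
    tool: str
    kind: str        # "static" or "dynamic"

@dataclass(frozen=True)
class DetectedVulnerability:
    cwe: int
    location: str    # normalized to a URL path where possible
    severity: int    # common scale: 1 (low) .. 4 (critical)

@dataclass(frozen=True)
class MetaVulnerability:
    project: ProjectDetail
    scan: ScanConfiguration
    vuln: DetectedVulnerability

# Constructed sample reports in two deliberately different tool formats.
STATIC_REPORT = [
    {"category": "SQL Injection", "file": "app/login.py", "priority": "Critical"},
    {"category": "Cross-Site Scripting", "file": "app/search.py", "priority": "Medium"},
    {"category": "Hardcoded Credentials", "file": "app/config.py", "priority": "High"},
]
DYNAMIC_REPORT = [
    {"cwe": "CWE-89", "url": "https://test.example/login?next=/", "risk": 9.1},
    {"cwe": "CWE-79", "url": "https://test.example/search?q=a", "risk": 6.4},
    {"cwe": "CWE-352", "url": "https://test.example/profile", "risk": 4.0},
]
CATEGORY_TO_CWE = {"SQL Injection": 89, "Cross-Site Scripting": 79,
                   "Hardcoded Credentials": 798}
FILE_TO_ROUTE = {"app/login.py": "/login", "app/search.py": "/search"}  # assumed map
PRIORITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def from_static(project, tool, rows):
    scan = ScanConfiguration(tool, "static")
    return [MetaVulnerability(project, scan, DetectedVulnerability(
                CATEGORY_TO_CWE[r["category"]],
                FILE_TO_ROUTE.get(r["file"], r["file"]),  # no route known: keep file
                PRIORITY[r["priority"]]))
            for r in rows]

def risk_to_severity(risk):
    return 4 if risk >= 9 else 3 if risk >= 7 else 2 if risk >= 4 else 1

def from_dynamic(project, tool, rows):
    scan = ScanConfiguration(tool, "dynamic")
    return [MetaVulnerability(project, scan, DetectedVulnerability(
                int(r["cwe"].split("-")[1]),
                urlsplit(r["url"]).path,          # drop host and query string
                risk_to_severity(r["risk"])))
            for r in rows]

def fuse(records):
    """Group records on the baseline key and flag cross-source agreement."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec.vuln.cwe, rec.vuln.location)].append(rec)
    fused = [{"cwe": cwe, "location": loc,
              "tools": sorted({r.scan.tool for r in recs}),
              "severity": max(r.vuln.severity for r in recs),
              "corroborated": len({r.scan.kind for r in recs}) > 1}
             for (cwe, loc), recs in groups.items()]
    # Findings seen by both static and dynamic testing first, then by severity.
    return sorted(fused, key=lambda f: (not f["corroborated"], -f["severity"], f["cwe"]))

def run_example():
    project = ProjectDetail("demo-shop", "1.0")
    return fuse(from_static(project, "static-analyzer", STATIC_REPORT)
                + from_dynamic(project, "web-scanner", DYNAMIC_REPORT))

if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Findings that only one source reports stay in the fused list with corroborated set to False, so a static-only issue such as the hard-coded credential is still visible for code review.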
System Design And Implementation
• Three types of security testing tools are integrated into the prototype system:
• Goal: Source code analyzer. Tools: Fortify SCA, Checkmarx Code Analysis. Description: support code review in the implementation phase of SSDLC.
• Goal: Web application scanner. Tools: HP WebInspect, Acunetix Web Vulnerability Scanner, IBM AppScan. Description: support verification in the testing phase.
• Goal: Host vulnerability scanner. Tools: MVM. Description: support host scanning in the deployed environment of the operation phase.

Five main modules of the system
1. User interface
2. Controller
3. Tester
4. Repository
5. Result analyser
• The system fuses testing results and compares the testing results from different sources.

Conclusion
• Proposed an integrated security testing framework for the secure software development life cycle.
• Adopt security activities and practices of SSDLC to generate security guidelines and security test cases.
• Integrate security testing tools to execute test cases automatically with the proposed framework.
• Provide a quality and stable service and handle security issues for systems under software development.

References
• Martyn A Ould & Charles Unwin (ed), Testing in Software Development, BCS (1986), p71. Accessed 31 Oct 2014
• https://www.inflectra.com/ideas/topic/testing-methodologies.aspx
• De Vries, S. (2006). Security Testing Web Applications throughout Automated Software Tests. Corsaire Ltd, 3.
• https://www.slideshare.net/moutasmtamimi/sql-injection-clickjacking-attacks
• Tung, Y. H., Lin, C. C., & Shan, H. L. (2014, April). Test as a Service: A framework for Web security TaaS service in cloud environment. In Service Oriented System Engineering (SOSE), 2014 IEEE 8th International Symposium on (pp. 212-217). IEEE.
• http://capstonesecurity.com/services/application-development/

Speaker Information
• Moutasm Tamimi
• Independent Consultant, IT Researcher, CEO at ITG7
• Instructor of: Project Management. DBMS Specialist. .NET Applications. Digital Marketing.
• Email: tamimi@itg7.com