BW12 Session 6/5/2013 3:45 PM
"Hybrid Security Analysis: Bridge the Gap Between Inside-Out and Outside-In"
Presented by: Arthur Hicken, Parasoft Corporation
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 ∙ 904-278-0524 ∙ [email protected] ∙ www.sqe.com
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
With the rising adoption of the cloud and the mobile revolution, software security is more important and complex than ever. The efforts of developers and testers are frequently disconnected, wasting time and reducing effectiveness. Arthur Hicken describes how hybrid security analysis bridges the gap between static analysis and penetration testing by detecting security vulnerabilities with unprecedented accuracy—and few false positives. Testers receive an instant assessment of where security attacks actually penetrated the application. Unlike traditional penetration testing, this pinpoints where attacks really succeeded—not just areas that may be vulnerable to attack. Hybrid analysis involves running penetration attack scenarios against existing functional test scenarios, monitoring the back-end to determine whether security is actually compromised, and correlating source code with the failed tests so you can trace each error to a particular requirement. Learn the drawbacks of static analysis and penetration testing—and how to turn these drawbacks into strengths.
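The abstract describes the mechanics of hybrid analysis: reuse an existing functional scenario, substitute attack payloads for its inputs, and watch the back-end to decide whether the attack really changed what the application executed. The following Python script is an added illustration of that loop, not code from the session or from Parasoft's products. Everything in it is constructed: a fake in-memory database acts as the back-end monitor, `login_unsafe` and `login_safe` are two hypothetical versions of the same handler, and the two payloads are sample inputs. A finding is reported only when the monitored SQL statement's structure differs from the baseline run, which is the "where attacks really succeeded" distinction the abstract draws.

```python
"""Hybrid security analysis in miniature (added example; hypothetical code)."""
import re
import sqlite3


class MonitoredDb:
    """Back-end monitor: a fake database that logs every statement it executes."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
        self.conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # constructed row
        self.log = []  # statements observed at the SQL sink

    def execute(self, sql, params=()):
        self.log.append(sql)
        try:
            return self.conn.execute(sql, params).fetchall()
        except sqlite3.Error:
            # A malformed statement still reached the sink; the log decides
            # whether the attack altered its structure.
            return []


def login_unsafe(db, user, pw):
    # Deliberately weak: builds the statement by string interpolation.
    return db.execute(f"SELECT name FROM users WHERE name='{user}' AND pw='{pw}'")


def login_safe(db, user, pw):
    # Hardened: parameterised query, so input never becomes SQL text.
    return db.execute("SELECT name FROM users WHERE name=? AND pw=?", (user, pw))


# The existing functional test scenario and constructed attack inputs for 'pw'.
BASELINE = {"user": "alice", "pw": "s3cret"}
PAYLOADS = ["' OR '1'='1", "x' OR 1=1 --"]


def sql_shape(sql):
    """Reduce a statement to its skeleton so only structural changes show up."""
    return re.sub(r"'[^']*'", "'?'", sql)


def hybrid_scan(handler):
    """Replay the functional scenario with attack inputs; return payloads that
    actually changed the statement seen at the back-end."""
    db = MonitoredDb()
    if len(handler(db, **BASELINE)) != 1:
        raise RuntimeError("functional scenario must pass before it is reused")
    baseline_shape = sql_shape(db.log[-1])
    compromised = []
    for payload in PAYLOADS:
        handler(db, **dict(BASELINE, pw=payload))
        # Correlate the attack run with what the monitor observed.
        if sql_shape(db.log[-1]) != baseline_shape:
            compromised.append(payload)
    return compromised


if __name__ == "__main__":
    for name, handler in (("unsafe", login_unsafe), ("safe", login_safe)):
        print(name, "compromised by:", hybrid_scan(handler))
```

Running it reports both payloads against the interpolating handler and none against the parameterised one; a scanner that flagged inputs on appearance alone would have flagged both handlers equally, which is the false-positive problem the abstract attributes to traditional penetration testing.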
Transcript
Arthur Hicken, Parasoft
Arthur Hicken has been involved in automating various practices at Parasoft for more than twenty years. He has worked on projects including database development, the software development lifecycle, web publishing and monitoring, and integration with legacy systems. Arthur has worked with IT departments in companies including Cisco, Vanguard, and Motorola to help improve their software development practices. He has developed and conducted numerous technical training courses at Parasoft. An expert in his field, Arthur has been quoted in Business 2.0, Internet Week, and CNET news.com regarding website quality issues.
Hybrid Security Analysis: Bridge the Gap Between Inside-out and Outside-in
Inside-out
- Quick scan to list possible problems
- Fixing violations prevents certain classes of errors
- Static analysis categories include:
  - Security
  - Threads and Synchronization
  - Performance and Optimization
Unit Test Overview
- Check smaller pieces
- Easy to run before the application is complete
- Use to bridge the gap from outside to inside
- Stub and isolate dependencies
- Peer review for design
- Developers can then mark assertions as correct behavior to increase the severity if those assertions fail in the future
Runtime Error Detection
- Check for anti-patterns at runtime in the application
- Violations are presented in the context of real-world data values to stress their importance
- Runtime error categories include:
  - Threads and Synchronization
  - Performance and Optimization
  - Application Crashes
Automated Unit Test Generation Overview
- Test code branches not covered by the application-level test
- Combine these unit tests with runtime error detection to check the new execution paths
- Build a baseline regression test suite
Application Tracing for Unit Tests
- Record internal method calls inside the running application when the problem occurs
- Replicate the problem in a unit test
- Alter the unit test to assert the correct behavior
- Now possible solutions can be tested quickly
- Sophisticated stubs for realistic behavior
- Isolate as much as necessary
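The tracing slide above and the earlier "stub and isolate dependencies" point of the Unit Test Overview describe one workflow: capture the calls a dependency made while the problem occurred, replay them through a stub so the test runs without the real back-end, then assert the correct behaviour so candidate fixes can be tried quickly. The Python below is an added example of that workflow and is not code from the session or from any Parasoft tool. The `traced` decorator, `UserRepository`, `StubFromTrace` and the two `render_greeting_*` functions are all hypothetical; the stored display name is a constructed sample record containing markup, so the "problem" being replicated is unescaped output.

```python
"""Application tracing replayed as a unit test (added example; hypothetical code)."""
import functools
import html

TRACE = []  # (method name, args, return value) captured while the app runs


def traced(fn):
    """Record each call to a dependency method together with its result."""
    @functools.wraps(fn)
    def wrapper(self, *args):
        result = fn(self, *args)
        TRACE.append((fn.__name__, args, result))
        return result
    return wrapper


class UserRepository:
    """Real dependency; in the running application this would query a database."""
    _ROWS = {7: "<script>alert(1)</script>"}  # constructed sample record

    @traced
    def display_name(self, user_id):
        return self._ROWS[user_id]


def render_greeting_buggy(repo, user_id):
    # Deliberately weak: interpolates the name into HTML without escaping.
    return f"<p>Hello, {repo.display_name(user_id)}</p>"


def render_greeting_fixed(repo, user_id):
    # Candidate fix: escape before interpolating.
    return f"<p>Hello, {html.escape(repo.display_name(user_id))}</p>"


class StubFromTrace:
    """Stub built from the recorded trace: answers each call exactly as the
    real dependency did when the problem occurred, with no database needed."""

    def __init__(self, trace):
        self._calls = {(name, args): result for name, args, result in trace}

    def display_name(self, user_id):
        return self._calls[("display_name", (user_id,))]


def record_problem():
    """Step 1: run the real code path once, as the application would, to capture a trace."""
    TRACE.clear()
    render_greeting_buggy(UserRepository(), 7)
    return list(TRACE)


def replicate_problem(render, trace):
    """Steps 2 and 3: replay with the stub and check the asserted correct behaviour.
    Returns True when the rendered output is properly escaped."""
    out = render(StubFromTrace(trace), 7)
    expected = "<p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>"
    return out == expected


if __name__ == "__main__":
    trace = record_problem()
    print("buggy passes:", replicate_problem(render_greeting_buggy, trace))
    print("fixed passes:", replicate_problem(render_greeting_fixed, trace))
```

The unit test fails against the original code path and passes against the candidate fix, using only the recorded values; the real repository is never touched after the trace is taken, which is the isolation the slide calls for.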
Summary
- Problem solving in web applications is a long and tedious process without proper tools
- Replicating the problem in a unit test shortens the code-test cycle
- Static code analysis prevents classes of errors
- Runtime error detection finds real-time problems
- Unit testing exercises more code paths