Introduction to Risk-Based Security Testing
- The Key Players
- The Software Security Discipline
- What Is Software Security?
- Two Broad Classes of Security Defects
- Security Testing
- Testing Security Functionality
- Managing Risks
- Defining What Security Means for You
Defining Requirements
- Requirements
- Functional Requirements
- Non-Functional Requirements
- Derived Requirements
- Attributes of Good Requirements
- Security Requirements, not Security Features
- Security Requirement Types
- Non-Functional Security Requirements
- Derived Security Requirements
- Thinking Backwards
- Automated Teller Machine: A Scenario
- Security Requirements
Getting Started
- Where Do I Start?
- Risk-Based Security Testing Process
- Security Goals
- Guiding Principles for Secure Design
- Risk Classifications
- Putting It All Together
Testing Strategies
- Adding Risk-Based Security Testing
- Integrating the RBST Process
- Using Threat Models
- Using Architecture Risk Analysis Results
- Using Abuse Cases
- What Are You Accomplishing?
- Effective Testing
Resourcing and Players
- Testing Tools
- Think Like an Attacker
- Who Are You Up Against?
Common Risk Areas: Part 1
- Security Coding Error Test Approach
- Kingdom 1: Input Validation and Representation
- SQL Injection
- Cross-Site Scripting (XSS)
- Kingdom 2: API Abuse
- Ignoring Return Values
- Using Deprecated Methods
- Kingdom 3: Security Features
- Privacy Violation
- Default Authentication
- Privilege Abuse
- Handling Secrets
Common Risk Areas: Part 2
- Kingdom 4: Time and State
- Parameter Tampering
- URL Tampering
- Cookie Tampering
- Kingdom 5: Errors
- Exception Handling
- Triggering Errors
- Kingdom 6: Code Quality
- Memory Leaks
- Source Code Comments and Strings
- Kingdom 7: Encapsulation
- Violations of Boundaries Between Components
- Violations of Data Trust Levels
Going Forward
- Tying It All Together
- Your Judgment Is Crucial
- Challenges in Adopting Software Security Testing
- Software Security Framework
- A Software Security Roadmap
- Mature Over Time