Arvind Srinivasa Babu, McAfee & Deepti Chauhan, McAfee
A product goes through several processes before it is released to market. An oversimplified process involves a great deal of planning, analysis, design, development, testing and marketing before a release. But how many products include security in this lifecycle? During a product's lifecycle, many new features, bug fixes and other development activities take place, which essentially means new code is continually being added. Though this code might stand up against good product test cases, what is the confidence level that this new code has not opened a backdoor or added a vulnerability that would allow an attacker to exploit, monitor or cause damage? This paper explains how some security best practices can be incorporated into a product lifecycle. We also demonstrate why it is essential to keep threat models up to date for every release, which allows security test cases to be automated as the product evolves. Automated security test cases allow us to add security as part of a Continuous Integration (CI) / Continuous Delivery (CD) pipeline. There are a number of open source tools that allow different aspects of a product's security to be tested; we will glance over some of these tools and the functionality they bring to security testing.