Bhushan Gupta, Gupta Consulting LLC.
Penetration testing is the most prevalent method used today for validating web application security. The question is, “does it cover all the basics?” Penetration testing is black-box testing that a QA engineer performs from the attacker’s perspective. While it provides a level of comfort, it does not ensure that the application has been developed with security in mind, nor that it meets the three basic requirements of security, namely Confidentiality, Integrity, and Availability (CIA). Designing to the CIA requirements builds security into the application itself and thus raises the confidence level; penetration testing should complement this framework rather than replace it.
Designed for developers and QA professionals (DevOps), this workshop delves into the requirements of CIA, starting with confidentiality as the key element. It then reviews the OWASP Top 10 vulnerabilities, establishes their root causes and the remediation approach, and discusses how each OWASP Top 10 vulnerability violates the CIA requirements. Using an example project, the participants develop acceptance criteria for each requirement, as they would for a story or epic in agile development. These acceptance criteria provide the basis for a test plan that spans both static code analysis and runtime (traditional dynamic) testing. The participants apply the DREAD model to rate the severity of each defect so that the highest-risk vulnerabilities are removed from the application first. The participants then learn how to report their test results so that management can make a data-driven release decision.
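The DREAD prioritization and the release-report step described above, as an added example that is not part of the workshop material: each finding is rated 1 to 10 on Damage, Reproducibility, Exploitability, Affected users and Discoverability, the five ratings are averaged into one score, findings are sorted highest risk first, and a summary gives management the counts per severity band plus a simple release gate. The severity thresholds, the "no open High finding" gate and the sample findings are assumptions constructed for this example, not figures from any real assessment.

```python
from dataclasses import dataclass
from statistics import mean

# The five DREAD factors, each rated 1 (lowest risk) to 10 (highest risk).
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

# Severity bands on the averaged score. These thresholds are an assumption
# for this example; a team would calibrate them to its own risk appetite.
SEVERITY_BANDS = ((7.0, "High"), (4.0, "Medium"), (0.0, "Low"))


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    cia_property: str          # CIA requirement the defect violates
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        """Average of the five factor ratings, rejecting out-of-range values."""
        ratings = [getattr(self, factor) for factor in DREAD_FACTORS]
        for rating in ratings:
            if not 1 <= rating <= 10:
                raise ValueError(
                    f"{self.finding_id}: DREAD ratings must be 1..10, got {rating}")
        return round(mean(ratings), 1)

    def severity(self) -> str:
        """Map the averaged score onto a severity band."""
        score = self.dread_score()
        for threshold, label in SEVERITY_BANDS:
            if score >= threshold:
                return label
        return "Low"


def prioritize(findings):
    """Order findings highest risk first; ties broken by Damage, then by id."""
    return sorted(findings,
                  key=lambda f: (-f.dread_score(), -f.damage, f.finding_id))


def release_summary(findings):
    """Counts per severity band plus an assumed gate: ship only when no High remains."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for finding in findings:
        counts[finding.severity()] += 1
    return {"counts": counts, "release_ready": counts["High"] == 0}


# Constructed sample findings for illustration (not from a real assessment).
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL injection in login form", "Confidentiality", 10, 10, 9, 10, 8),
    Finding("F-2", "Verbose stack trace on 500 page", "Confidentiality", 3, 10, 5, 2, 9),
    Finding("F-3", "No rate limit on password reset", "Availability", 5, 8, 6, 7, 5),
    Finding("F-4", "Admin can edit audit log entries", "Integrity", 6, 4, 2, 1, 1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.finding_id} {f.dread_score():>4} {f.severity():<6} "
              f"{f.cia_property:<15} {f.title}")
    print(release_summary(SAMPLE_FINDINGS))
```

Running the block ranks F-1 (score 9.4, High) first and F-4 (2.8, Low) last, and the summary reports the release as not ready because one High finding is still open; re-running the summary on the remaining findings after F-1 is fixed flips the gate to ready.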
When the workshop is completed, the attendees will be able to:
- Determine security requirements using the CIA principles
- Identify the security-sensitive components of a web application using the STRIDE model
- Design a security test plan that includes both static and dynamic code analysis
- Prioritize vulnerabilities using the DREAD model
- Prepare security reports that support release decisions