Ebook Information security management handbook (Sixth edition, Volume 6): Part 2
Chapter 17
Building Application Security Testing into the Software Development Life Cycle
Sandy Bacik

Every enterprise should utilize an application development life cycle, and within that life cycle there should be an application security architecture. An application security architecture contains a strong foundation of the application, providing controls to protect the confidentiality of information, the integrity of data, and access to the data when it is required (availability), and ensuring it is the authorized entities that have that access. An application security architecture also carefully considers feature sets, controls, and safer and more reliable processes in line with the enterprise's security posture. As security controls are developed for an application, they must be tested […] the following questions:

■ Is the process surrounding this function, service, or feature as safe and strong as possible without impacting operational requirements? In other words, is this a flawed process?
■ If I were a bad entity, how could/would I abuse this function, service, or feature?
■ If I were an inexperienced user, how could/would I use/abuse this function, service, or feature?
■ Is the function, service, or feature required to be on by default? If so, are there limits or options that could help limit the risk from this function, service, or feature?
■ Have success, failure, and abuse been considered […]

[…]ing application objectives, business requirements, use cases, and then test cases. When developing security functions, services, and features within an application that are based on documented requirements, the development of test cases for security should be relatively easy. Many times, this is not the case. The tester must then attempt to build security testing into the quality assurance testing processes. If it is the responsibility of the tester to include security testing in their process without the support of management and security being […] Building in security requirements and test cases will produce a stronger and more secure application and application development life cycle.

Over the last decade, many software issues have not improved. Some of the top software development flaws include the following, but this is not an exhaustive list:

■ Buffer overruns
■ Format string problems
■ Integer overflows
■ SQL and command injection
■ Failing to handle errors or revealing too much information
■ Cross-site scripting
■ Failing to protect network transactions
■ Use of magic URLs and hidden form fields
■ Improper use of SSL and TLS
■ Use of weak authenticat[…]ty

How can we improve this? Yes, by extending the application development life cycle to include more testing, specifically security testing. Without a good foundation to develop security testing, improving the security of an application cannot be accomplished. Before developing application test cases and testing requirements, standard definitions need to be accepted by the group. For example:

■ A set of test requirements is a set of technical or administrative actionable statements that are not subject to interpretation, from which a tester develops a test plan/procedure.
■ A test case is a step scenario of the ite[…]e test. This would be the "how." For example, a test plan/procedure will contain a requirement, passed, failed, and remarks about the test. A requirement would be something similar to "the time stamp shall be read from the clock off a centralized time source."
■ A test program is a set or collection of test plans/procedures.
■ Defining a test requirement:
  - The term "shall" means the requirement is required.
  - The term "should" means the requirement is optional.
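The definitions above (test requirement, test plan/procedure recording requirement/passed/failed/remarks, test program, "shall" versus "should") can be turned directly into a small harness. The following is an added example written for this page, not code from the handbook or its author; the application functions under test (`validate_username`, `login_error_message`, `DEFAULT_CONFIG`) are constructed stand-ins, and the four requirements are constructed from the flaw list (overlong input, error messages that reveal too much) and the chapter's "on by default?" question. It shows the one behaviour the definitions imply but do not spell out: a failing "should" procedure is recorded in the remarks but does not fail the test program, while a failing "shall" procedure does.

```python
# Added example, not from the handbook: a "test program" in the chapter's sense.
# Each test plan/procedure records a requirement, passed/failed, and remarks;
# "shall" marks a mandatory requirement, "should" an optional one.
# The application code under test below is a constructed stub, not a real product.
from dataclasses import dataclass
from typing import Callable, List, Tuple

# ---- constructed application under test (stand-in functions and config) ----
MAX_USERNAME_LEN = 32
DEFAULT_CONFIG = {"remote_admin_enabled": False, "debug_endpoint_enabled": True}

def validate_username(name: str) -> bool:
    """Accept only non-empty alphanumeric names up to MAX_USERNAME_LEN."""
    return 0 < len(name) <= MAX_USERNAME_LEN and name.isalnum()

def login_error_message(exc: Exception) -> str:
    """Text returned to the client on a failed login; the exception stays server-side."""
    return "Login failed"

# ---- test program structures ----
@dataclass
class TestRequirement:
    text: str  # actionable statement, not subject to interpretation

    @property
    def mandatory(self) -> bool:
        # The chapter's convention: "shall" = required, "should" = optional.
        return " shall " in f" {self.text.lower()} "

@dataclass
class TestResult:
    requirement: str
    mandatory: bool
    passed: bool
    remarks: str

@dataclass
class TestProcedure:
    requirement: TestRequirement
    steps: Callable[[], Tuple[bool, str]]  # the "how": returns (passed, remarks)

    def run(self) -> TestResult:
        try:
            passed, remarks = self.steps()
        except Exception as exc:  # a crash while testing is recorded as a failure
            passed, remarks = False, f"exception during test: {exc!r}"
        return TestResult(self.requirement.text, self.requirement.mandatory, passed, remarks)

def run_test_program(procedures: List[TestProcedure]) -> Tuple[List[TestResult], bool]:
    """Run every procedure; the program passes only if every 'shall' procedure passed."""
    results = [p.run() for p in procedures]
    overall = all(r.passed for r in results if r.mandatory)
    return results, overall

# ---- constructed test procedures (steps) ----
def check_overlong_input() -> Tuple[bool, str]:
    too_long = validate_username("a" * (MAX_USERNAME_LEN + 1))
    normal = validate_username("alice")
    return (not too_long) and normal, f"33-char name accepted={too_long}, 'alice' accepted={normal}"

def check_error_leakage() -> Tuple[bool, str]:
    # Constructed internal exception text; none of it may reach the client.
    internal = RuntimeError("db connect failed: password=s3cr3t at /srv/app/db.py:42")
    msg = login_error_message(internal)
    leaked = any(token in msg for token in ("s3cr3t", "/srv/", "db.py"))
    return not leaked, f"client message was {msg!r}"

def check_remote_admin_default() -> Tuple[bool, str]:
    on = DEFAULT_CONFIG["remote_admin_enabled"]
    return not on, f"remote_admin_enabled defaults to {on}"

def check_debug_endpoint_default() -> Tuple[bool, str]:
    on = DEFAULT_CONFIG["debug_endpoint_enabled"]
    return not on, f"debug_endpoint_enabled defaults to {on}"

def build_test_program() -> List[TestProcedure]:
    """Constructed requirements, each paired with the procedure that verifies it."""
    return [
        TestProcedure(TestRequirement("The application shall reject usernames longer than 32 characters."), check_overlong_input),
        TestProcedure(TestRequirement("Error messages sent to the client shall not reveal internal details."), check_error_leakage),
        TestProcedure(TestRequirement("Remote administration shall be disabled by default."), check_remote_admin_default),
        TestProcedure(TestRequirement("Debug endpoints should be disabled by default."), check_debug_endpoint_default),
    ]

def run_default_program() -> Tuple[List[TestResult], bool]:
    return run_test_program(build_test_program())

if __name__ == "__main__":
    results, overall = run_default_program()
    for r in results:
        kind = "shall" if r.mandatory else "should"
        print(f"[{'PASS' if r.passed else 'FAIL'}] ({kind}) {r.requirement} -- {r.remarks}")
    print("test program result:", "PASSED" if overall else "FAILED")
```

Run as a script, the report lists three passing "shall" procedures and one failing "should" procedure (the constructed default configuration leaves the debug endpoint on), and the program as a whole is reported as passed; changing the fourth requirement's wording from "should" to "shall" flips the overall result to failed with no other change, which is the practical effect of the shall/should definitions.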