-
Application threats: CSRF, injection attacks and cookie replay
Web application exploits come in a variety of forms. There are a few that stand out: XSS, for example. But what about XSRF, which is only recently garnering the press it deserves? There are comparatively few resources for less famous exploits. But... Learning Guide
-
Learning Guide: Application security testing techniques
Testing applications for security purposes is such a basic, important safety measure that most security professionals wouldn't think twice about it. Explore your options for pen testing, vulnerability analysis, fuzzing and more in this application se... Learning Guide
-
How standards and regulations affect application security
Many standards and laws regulate security issues for companies. Often, however, what's expected is unclear -- especially when it comes to application security. But that is starting to change, as regulations begin including application security mandat... Learning Guide
-
Cartoon: Perils of reporting Web site vulnerabilities
When white hat hackers report discovered vulnerabilities, the outcome isn't always what they expected. Cartoon
-
How to secure Web services
Web application threats abound. If you use Web services with those applications, then there are other security issues you need to be aware of. In fact, some say Web services, if not secured properly, can pose security threats that extend beyond those... Learning Guide
-
Professional Java Development with the Spring Framework, Chapter 10: Acegi Security System for Sprin
Think you know all there is to know about using the Acegi Security System for Spring? We challenge you to test your skills by taking our latest quiz. Share the results with us and get a chance to win a copy of Professional Java Development with the S... Quiz
-
Know IT All Trivia: Application security
Test your knowledge of application security with these trivia questions. Quiz
-
SAP application security learning guide
If you're like most IT professionals, security is at the forefront of your concerns. Learn best practices for SAP security and applications security in this learning guide from SearchSAP.com and SearchAppSecurity.com. Learning Guide
-
White Papers: How to protect against SQL injection and other application attacks
SQL injection is just one exploit that can be used against Web applications -- there are many lurking out there. Fortunately, there are steps you can take now to prevent SQL injection and other attacks on your applications. These two white papers des... Resource Guide
- See More: Essential Knowledge on Software Security Test Best Practices
-
STAREAST: An interview about Test Centers of Excellence with Tom Delmonte
What exactly is a Test Center of Excellence (TCoE) and how do quality organizations go about putting one together? In this interview with STAREAST presenter and quality advocate Tom Delmonte, we find out more about TCoEs and how they can be effective... News | 27 Apr 2011
-
Building an Agile test practice: Q&A with advocates for quality
What does it take to add a test practice on top of a high-functioning Agile team? The task at Menlo Innovations was to incorporate QA into their practices. How did they do it? Matt Heusser interviews two quality advocates from Menlo Innovations to fi... News | 26 Apr 2011
-
STAREAST: Software testing with fuzzing and fault modeling -- Interview with Shmuel Gershon
The real world isn't always like a test environment. How do we test for the unexpected problems such as system faults or malicious attacks? SSQ contributor Matt Heusser talks to Shmuel Gershon, presenter at STAREAST with a talk titled, "Fuzzing and F... News | 20 Apr 2011
-
Glitch author seeks mandated software quality controls
In Part 2 of this SSQ interview with Glitch author Jeff Papows, we learn more about Papows' proposal for an IT Governance Manifesto which would mandate higher standards of quality for life-threatening software. Papows warns of the dangers of not taki... Interview | 03 Nov 2010
-
Hacking for Dummies: Ethical hacking to expose security vulnerabilities
"Hacking for Dummies," by Kevin Beaver gives detailed information about how to ethically hack into your systems to expose security vulnerabilities. In this interview with SearchSoftwareQuality.com, Beaver discusses the book, methods of security testi... Interview | 18 Oct 2010
-
Gain better software testing skills: Practice what the pros preach
CAST Conference presentation on becoming a superstar tester provides insights into ways testers can further their careers. Well-known experts Michael Bolton and Matt Heusser share thoughts on becoming a 'go-to' person and working more efficiently. Article | 03 Aug 2010
-
Microsoft hopes to redeem vulnerability flaw in IE with patch
Microsoft has just announced an upcoming patch for IE 6 and 7 users suffering from any one of several vulnerability issues. News | 29 Mar 2010
-
How new Web application platforms put dev/test pros' careers at risk
Rapid changes in web application development platforms, such as Ajax and Visual Studio, are causing a skills gap. Veteran software developers and testers are struggling to keep up with emerging development platform technologies that don't capitalize ... Interview | 15 Mar 2010
-
Using firewalls for software testing: Pros and cons
Network firewalls: what are the pros and cons? A software expert chimes in on how firewalls protect valued data and deter unwanted people from gaining access to applications. News | 02 Dec 2009
-
Web application security best practices: Tips on implementation
In this video, Hugh Thompson, founder of People Security, discusses Web application security best practices and strategies. News | 03 Nov 2009
- See More: News on Software Security Test Best Practices
-
Software security: Four lessons testers should learn from Stuxnet
In this tip, security expert John Overbaugh points out four areas of security that were compromised with the Stuxnet virus: physical security, patching, design and implementation. Security testers will know better how they can prevent such a virus fr... Tip
-
Transitioning to Agile development: What about quality assurance?
It's not uncommon for QA managers and testers to feel displaced in an Agile transition. In this tip, Agile expert Lisa Crispin explains the important role of the QA manager in an Agile environment. Tip
-
CIOs and software quality assurance: Five hurdles for QA managers
Director of QA and instructor John Scarpino has provided tips for overcoming five hurdles associated with CIO expectations. Tip
-
Embedded software: Testing for the most common defects
By researching the types of bugs found in embedded software systems, Invision consultant Jon Hagar has created an embedded software error taxonomy of the most common defects in four different embedded software domain areas. Tip
-
Application development: Security that won't weaken performance
Security is important, but what happens when adding code to address security affects performance or usability? In this tip, SSQ contributor Crystal Bedell gives three best practices experts recommend for ensuring your application is secure, while sti... Tip
-
Application security: Testing for injection vulnerabilities
A top security vulnerability in Web applications is an injection attack -- one in which the Web application is tricked into treating input as if it were code, allowing a hacker to gain control of an application. In this tip, security expert John Over... Tip
-
Boost network security using firewalls, encryption and logging
Which is more important, network or application security? Well, the answer, of course, is both. In this first part of a two-part series, security engineer John Overbaugh starts by describing the differences between network and application security, a... Tip
-
Application security: Protecting application availability, data confidentiality and integrity
Network security and application security are both important in keeping your applications safe from hackers. In this tip, security engineer John Overbaugh focuses on application security, which is needed to protect the confidentiality, availability a... Tip
-
Embedded software test: Attack of the killer robots
Embedded software can be found in all devices from planes to pacemakers, but how do we test this kind of software? What are the differences between testing embedded software and traditional application software? In this tip, site editor Yvette Franci... Tip
-
Application security hardening for mobile and embedded software
With the increasing number of mobile devices and application downloads by consumers, application security is becoming more important than ever. In this tip, application hardening tools and the use of obfuscation are discussed. Industry analysts talk a... Tip
- See More: Tips on Software Security Test Best Practices
-
Social media in business: Security versus function
ALM expert Kevin Parker discusses the importance of security and offers some tips to business leaders in this response. Answer
-
Confronting security challenges facing social networking sites
According to application security expert John Overbaugh, the two top security concerns for social networking sites are application functionality and account privacy. Answer
-
Save time and trouble: Conduct security testing before production
Expert John Overbaugh provides insights into why conducting security testing early in the lifecycle is important, and explains what to test for and when. Answer
-
How to implement automated security testing in the continuous integration cycle
According to expert John Overbaugh, testers can implement automated testing to catch code security issues, and to conduct unit, acceptance and functional testing in an Agile environment. Here he explains the different types of tests and how to automa... Answer
-
Business decision making: Trade-offs between security solutions and performance
In a previous response, security expert John Overbaugh addressed the trade-offs between security and performance. Many companies face these trade-offs and struggle with the business decision. In this expert response, he addresses strategies business ... Answer
-
Security tools and application lifecycle management
Security and security tools have become more necessary to the application lifecycle, according to recent research. In this response, expert John Overbaugh discusses why security tools are essential to ALM and explains how he sees security activities ... Answer
-
Data protection for non-sensitive and sensitive information
Expert John Overbaugh defines security as confidentiality, integrity and availability of information across systems and applications. Read this response for an explanation of security concerns for all applications. Answer
-
Weighing application security strategy options
Security is frequently a trade-off between "convenience" and security. In this response, expert John Overbaugh weighs the available security strategy options with performance objectives. Answer
-
Security tester roles in secure development lifecycle (SDL)
Some people may be surprised to learn that security testers are integral to nearly every phase of the secure development lifecycle. Answer
-
Strategies for ensuring embedded software security
All software developers have ongoing challenges with application security, and embedded software is no exception. What steps can be taken to protect embedded software applications? Answer
- See More: Expert Advice on Software Security Test Best Practices
-
static verification
Static verification is the set of processes that analyzes code to ensure defined coding practices are being followed, without executing the application itself. Word
-
WebGoat: password weakness issues, basic application hacking concerns
Expert Kevin Beaver shows testers how basic application oversights can cost them dearly in this lesson on password weakness and basic hacking. Video
-
Webgoat Tutorial
Expert Kevin Beaver demonstrates some of the power and versatility of free online testing tool Webgoat. Video
-
Software Testing: How to know you're ready to start testing
In this podcast, software testing and quality assurance (QA) expert Michael Kelly gives pointers about how to know when you're ready to start testing and the critical elements of good testing processes. Podcast
-
Software security: Removing insecurity from outsourced development
In this podcast, software security expert Jack Danahy describes when and when not to outsource application development and why. Podcast
-
Web application security testing basics
Static and dynamic analysis -- manual or automated -- can help uncover Web app security flaws. Learn how to use the techniques to make sure your applications aren't open to attack. Podcast
-
Black, gray and white box testing explained -- Podcast
Security is critical when operating a Web application. Black, gray and white box tests are three tests you can conduct to ensure an attacker can't get to your application. In this podcast, Jennette Mullaney refers to information from Dan Cornell, pri... Podcast
-
How source code analysis improves application security
New application vulnerabilities are disclosed daily. Many of them, however, can be discovered and resolved through source code analysis. Learn how in this podcast with Denim Group's Dan Cornell. Podcast
-
Ajax security: A dynamic approach
Ajax security can be achieved by following the proper guidelines. In this podcast, expert Caleb Sima explains why Ajax is not inherently insecure, which tools work and which don't, and how to safely deploy Ajax. Podcasts
-
Injection attacks -- Knowledge and prevention
SQL injection is recognized as a major threat to application security, but what about other injection attacks? SPI Dynamics' Caleb Sima dissects these exploits and offers straightforward prevention techniques in this podcast. Podcasts
- See More: All on Software Security Test Best Practices
About Software Security Test Best Practices
Software security testing verifies that the software complies with its security requirements. A security test plan specifies those requirements and the tests that should be performed to locate weaknesses or situations that would cause a violation of them. Security testing should include testing for confidentiality, integrity, authentication, authorization, availability and non-repudiation. The security requirements should consider each of these areas, and security tests should be performed to verify compliance.