-
Jump-start software testing and quality assurance
Developing effective, efficient software involves much more than coding. There is a whole host of management and teamwork considerations that can make or break a development or quality assurance project, but identifying and implementing best practice... E-Handbook
-
An application security guide for software testers
This guide explains what's involved in addressing application security from a software tester's perspective by presenting common threats and strategies to deal with them. Tutorial
-
A software tester's application security guide
This application security testing guide is custom tailored to fit the needs of software quality professionals and application testers. App Security Tutorial
-
Security testing basics: QA professionals take the lead
QA professionals should take the lead on security testing basics. Their big-picture view of an application helps them find and protect valuable data. Feature
-
Security lesson: Beating web application security threats
Explore the importance of Web application testing processes and find suggestions on best practices with a webcast on scanning and testing Web application security, a podcast on security testing and a tip on Web application best practices in this less... Tutorial
-
Security lesson: How to test for common security defects
In this security defects lesson, information security expert Kevin Beaver explores the underlying causes of gaps in the software testing process and offers suggestions on what can be done to fix this problem once and for all. Tutorial
-
Common software security oversights school
Common software security oversights can cause weaknesses you cannot afford to overlook. Kevin Beaver will share with you just what you need to know in order to find the Web security vulnerabilities that matter most in your environment and spe... Tutorial
-
Web application security -- How to prevent attacks
The battle against hackers is a difficult one. This guide introduces you to popular Web application attacks and provides tips, techniques and advice for keeping the bad guys out. Guide
-
PCI DSS compliance: The basics
PCI DSS requires merchants to employ basic application security techniques in order to be in compliance. Here is an overview of PCI DSS and requirement 6.6. Learning Guide
-
PCI DSS compliance: Code review
Code review is a broad security concept and those looking at this option for compliance will find plenty of expert information on the types of code review in this section of the guide. Learning Guide
-
PCI DSS compliance: Web application firewalls (WAFs)
Web application firewalls (WAFs) are one option for those seeking compliance with requirement 6.6 of the PCI DSS. The benefits, limitations and proper implementation of WAFs are discussed by security experts in this section. Learning Guide
-
New skills for the QA tester: Scripting, security
Software quality assurance is gaining respect as a profession -- but do QA testers have the scripting and security skills the role now requires? Quality Time | 17 May 2013
-
Software lifecycle: App security still struggling to find a fit
For 10 years, application security has struggled to find its place in the software lifecycle. We're still not there. Why has it taken so long? Quality Time | 20 Mar 2013
-
Top ten mobile application threats to enterprise security
Check out the top ten threats presented by enterprise mobile applications, according to the OWASP Mobile Security Project. Photo Story | 19 Feb 2013
-
Code signing: Stamp of approval for Android and iOS apps
Code signing aims to keep malicious code out of mobile apps by verifying where the code came from. News | 16 Jan 2013
-
STAREAST: An interview about Test Centers of Excellence with Tom Delmonte
What exactly is a Test Center of Excellence (TCoE) and how do quality organizations go about putting one together? In this interview with STAREAST presenter and quality advocate Tom Delmonte, we find out more about TCoEs and how they can be effective... News | 27 Apr 2011
-
Building an Agile test practice: Q&A with advocates for quality
What does it take to add a test practice on top of a high-functioning Agile team? The task at Menlo Innovations was to incorporate QA into their practices. How did they do it? Matt Heusser interviews two quality advocates from Menlo Innovations to fi... News | 26 Apr 2011
-
STAREAST: Software testing with fuzzing and fault modeling -- Interview with Shmuel Gershon
The real world isn't always like a test environment. How do we test for the unexpected problems such as system faults or malicious attacks? SSQ contributor Matt Heusser talks to Shmuel Gershon, presenter at STAREAST with a talk titled, "Fuzzing and F... News | 20 Apr 2011
-
Glitch author seeks mandated software quality controls
In Part 2 of this SSQ interview with Glitch author Jeff Papows, we learn more about Papows' proposal for an IT Governance Manifesto which would mandate higher standards of quality for life-threatening software. Papows warns of the dangers of not taki... Interview | 03 Nov 2010
-
Hacking for Dummies: Ethical hacking to expose security vulnerabilities
"Hacking for Dummies," by Kevin Beaver gives detailed information about how to ethically hack into your systems to expose security vulnerabilities. In this interview with SearchSoftwareQuality.com, Beaver discusses the book, methods of security test... Interview | 18 Oct 2010
-
Gain better software testing skills: Practice what the pros preach
CAST Conference presentation on becoming a superstar tester provides insights into ways testers can further their careers. Well-known experts Michael Bolton and Matt Heusser share thoughts on becoming a 'go-to' person and working more efficiently. Article | 03 Aug 2010
-
Tips for database testing from the cloud
What is database testing and how is it important to your application and the company? Get tips to effectively test when data is hosted in the cloud. Tip
-
Software development cycle best practice: Threat modeling
Early in the software development cycle, ask: Who might attack the application? How would they do it? What are they after? This is threat modeling. Tip
-
Hybrid security: Beyond pen testing and static analysis
Securing an application's attack surface takes more than pen testing and code analysis. Kevin Beaver explains the hybrid security analysis approach. Tip
-
Software testing lifecycle: Dealing with security
Security is an essential part of the software testing lifecycle, yet many test pros shy away from it. Yvette Francino offers help on getting started. Tip
-
Mobile app software: Avoid the perpetual cycle of insecurity
The same security flaws that plague desktop and Web apps are now afflicting mobile app software. Here's how to stop making the same mistakes. Tip
-
Ten steps to better application security testing strategies
Address app testing strategy concerns at each stage of the application lifecycle and learn about tools and techniques to boost security. Tip
-
Secure Code: Why buffer overflows still matter
To secure code, software pros test for buffer overflows -- even though these flaws occur only in non-memory-managed languages such as C and C++. Tip
-
Mobile app security advice: Err on the side of protection
Apps running on mobile devices demand a high level of security. Experts offer advice and techniques on implementing mobile app security effectively. Tip
-
Integrating secure coding into the Agile lifecycle
It is possible to develop applications in the Agile lifecycle while minimizing security vulnerabilities, according to application security expert John Overbaugh. Tip
-
Preventing security attacks using the Enterprise Security API (ESAPI)
Security expert John Overbaugh explores solutions and strategies that are relatively easy to implement and that prevent some of the most common attacks in part two of this two-part article. Tip
-
Mobile apps development: New threats or same security rules apply?
Two security experts get up on their soapbox about the steps software teams should take to secure applications throughout the apps' lifecycle. Answer
-
Code signing: Why it matters for mobile developers
Code signing creates a system of trust among mobile users, but it doesn't bolster the security of the app itself, says expert Dan Cornell. Answer
-
Do in-house testers beat an outsourced security testing service?
Security testing is very specialized. Is it better to outsource this effort or should in-house testers be responsible for security testing? Answer
-
Does completing a PCI compliance checklist ensure security?
PCI DSS guidelines are a good place to start, but checking off boxes on the PCI compliance checklist will not ensure your organization is secure. Answer
-
Can security support help developers write code?
At best, development frameworks support the creation of secure code. They do not, however, prevent the creation of insecure code. Answer
-
Application security plan: Who is responsible for testing?
Step one in devising an application security plan is determining whether the development team or the security group is responsible for testing. Answer
-
Stamp out XSS cross scripting vulnerabilities with proactive measures
Cross-site scripting -- XSS cross scripting -- vulnerabilities and SQL injection attacks are problems for Web app security. Learn to curb these risks. Answer
-
Prioritizing security concerns in a complex software testing market
Expert John Overbaugh identifies the three top concerns of the test manager and offers advice on how to stay ahead of the curve when it comes to security and compliance. Answer
-
How software testing managers can ensure security compliance
While security may be everyone’s job, the software testing manager holds particular responsibilities to ensure security requirements are met. Answer
-
Social media in business: Security versus function
ALM expert Kevin Parker discusses the importance of security and offers some tips to business leaders in this response. Answer
-
destructive testing
Destructive testing is a software assessment method used to find points of failure in a program. Definition
-
exploratory testing
Exploratory testing is an approach to software assessment that integrates learning about the program with designing the test and conducting the testing processes. The simultaneous process ensures that developers have a more comprehensive understandin... Definition
-
static verification
Static verification is the set of processes that analyzes code to ensure defined coding practices are being followed, without executing the application itself. Definition
-
What's ailing enterprise software security management?
Enterprise application security testing means not only finding security vulnerabilities, but tracking them down and putting an end to them. Video
-
Top ten threats to mobile enterprise security
OWASP's list of the top ten mobile security risks sheds light on mobile enterprise security concerns that all mobile app testers should be aware of. Photo Story
-
WebGoat: password weakness issues, basic application hacking concerns
Expert Kevin Beaver shows testers how basic application oversights can cost them dearly in this lesson on password weakness and basic hacking. Video
-
WebGoat Tutorial
Expert Kevin Beaver demonstrates some of the power and versatility of the free online testing tool WebGoat. Video
-
Software Testing: How to know you're ready to start testing
In this podcast, software testing and quality assurance (QA) expert Michael Kelly gives pointers about how to know when you're ready to start testing and the critical elements of good testing processes. Podcast
-
Software security: Removing insecurity from outsourced development
In this podcast, software security expert Jack Danahy describes when and when not to outsource application development and why. Podcast
-
Web application security testing basics
Static and dynamic analysis -- manual or automated -- can help uncover Web app security flaws. Learn how to use the techniques to make sure your applications aren't open to attack. Podcast
-
Black, gray and white box testing explained -- Podcast
Security is critical when operating a Web application. Black, gray and white box tests are three tests you can conduct to ensure an attacker can't get to your application. In this podcast, Jennette Mullaney refers to information from Dan Cornell, pri... Podcast
-
How source code analysis improves application security
New application vulnerabilities are disclosed daily. Many of them, however, can be discovered and resolved through source code analysis. Learn how in this podcast with Denim Group's Dan Cornell. Podcast
-
Ajax security: A dynamic approach
Ajax security can be achieved by following the proper guidelines. In this podcast, expert Caleb Sima explains why Ajax is not inherently insecure, which tools work and which don't, and how to safely deploy Ajax. Podcast
About Software Security Test Best Practices
Software security testing verifies that the software complies with its security requirements. A security test plan specifies those requirements and the tests to be performed to locate weaknesses or situations that would violate them. Security testing should cover confidentiality, integrity, authentication, authorization, availability and non-repudiation. The security requirements should address each of these areas, and security tests should be performed to verify compliance with each.