Slide 1
The role of the test organization in a Security Sensitive project
Ariel Cymberknoh, QA & Test Conference, Bilbao, October 2018
Slide 2: CSME - Converged Security & Manageability Engine
Micro Runtime (JVM)
DAL
Internal API
Ariel Cymberknoh – QA & Test conference – October 2018
Slide 3: The role of the test organization in a Security Sensitive project
Development
Validation/Testing
Security Assurance
Slide 4: Security Transformation
Org Decision to Transform: prioritize security, mindset, accountability, practices, award, training
Secure Code: S0/S1/S2/S3/S4 - SDL; architecture and design changes
Protect: Advanced Mitigations (CET, Stack Canaries etc.); isolation, minimal privilege, ARB
Detect: advanced code analysis, AFL, advanced flow reviews, external reviews, Red Team
Recover: SW/FW update, customer engagement
SDL = Security Development Lifecycle. Used and proposed by Microsoft*; a widely adopted industry standard. At a glance: S1 Architecture Review, S2 Design Review, S3 Code Review, S4 Security and Penetration testing.
*Trade names are the property of the relevant companies
Slide 6: The role of the test organization in a Security Sensitive project
Development
Validation/Testing
Security Assurance: difficult to recruit, retention issues + CO$T
Slide 7: The role of the test organization in a Security Sensitive project
Testing/Validation Teams:
- Functional testing
- Advanced testing: Negative, Corner Cases, Stress/Reliability, Performance, Certification, Usability, Compatibility
- Manual / Automated testing
Security Assurance Teams:
- Security Research
- Security Architecture
- Architecture Review
- Design Review
- Code Review: Static Code Analysis tools, Manual Code review
- Penetration Testing: Commercial Fuzzers, In house developed Fuzzers, “Standard” hacking techniques, Advanced hacking techniques
Slide 9: The role of the test organization in a Security Sensitive project
Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, e.g., in a file format or protocol and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are "valid enough" in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are "invalid enough" to expose corner cases that have not been properly dealt with. For the purpose of security, input that crosses a trust boundary is often the most interesting.
Source: Wikipedia
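The loop the definition above describes, as an added example that is not part of the presentation or of any CSME tooling: a mutation-based fuzzing harness over a constructed record format. The format, its parser and the parser's defect (it trusts the declared field count) are all constructed here. The mutator keeps the magic and recomputes the checksum, so every input is "valid enough" to pass the parser's front gate, while a lying field count or a truncated payload is "invalid enough" to reach the unchecked loop deeper in the code. A hardened parser with the missing length check sits beside it so the harness can confirm the fix.

```python
"""Mutation-based fuzzing harness for a constructed record format.

Added example, not from the presentation. Record layout (constructed):
    magic "FZ" | version (1 byte) | count (1 byte) | count x uint16 | XOR checksum
"""
import random
import struct

MAGIC = b"FZ"


def checksum(body) -> int:
    """XOR of all bytes: the parser's cheap integrity gate."""
    acc = 0
    for b in body:
        acc ^= b
    return acc


def build_record(version: int, fields) -> bytes:
    """Serialise a valid record, used as the fuzzing seed."""
    body = MAGIC + bytes([version, len(fields)])
    body += b"".join(struct.pack(">H", f) for f in fields)
    return body + bytes([checksum(body)])


def parse_record(data: bytes) -> dict:
    """Constructed parser with a deliberate defect: it trusts 'count'.

    Bad magic or checksum is rejected cleanly with ValueError. A count
    larger than the data actually carries is never checked, so struct
    raises struct.error deeper in the program: the fuzzer's 'crash'.
    """
    if len(data) < 5 or data[:2] != MAGIC:
        raise ValueError("bad magic")
    if checksum(data[:-1]) != data[-1]:
        raise ValueError("bad checksum")
    version, count = data[2], data[3]
    fields = []
    for i in range(count):
        off = 4 + 2 * i
        fields.append(struct.unpack(">H", data[off:off + 2])[0])  # short slice -> struct.error
    return {"version": version, "fields": fields}


def parse_record_hardened(data: bytes) -> dict:
    """Same format, with the length check the defective parser lacks."""
    if len(data) < 5 or data[:2] != MAGIC:
        raise ValueError("bad magic")
    if checksum(data[:-1]) != data[-1]:
        raise ValueError("bad checksum")
    version, count = data[2], data[3]
    if len(data) != 4 + 2 * count + 1:
        raise ValueError("length does not match declared field count")
    fields = [struct.unpack(">H", data[4 + 2 * i:6 + 2 * i])[0] for i in range(count)]
    return {"version": version, "fields": fields}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Produce a semi-valid input: damage the body, then fix the checksum
    so the input is not rejected at the parser's front gate."""
    body = bytearray(seed[:-1])  # drop the old checksum
    choice = rng.randrange(3)
    if choice == 0:  # overwrite one byte after the magic
        body[rng.randrange(2, len(body))] = rng.randrange(256)
    elif choice == 1:  # truncate the payload, keep the header
        body = body[:rng.randrange(4, len(body) + 1)]
    else:  # lie about the number of fields
        body[3] = rng.randrange(256)
    return bytes(body) + bytes([checksum(body)])


def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to the parser and bucket the outcomes.

    ValueError is the parser's intended rejection; any other exception is
    a crash worth triaging, and the triggering input is kept for replay.
    """
    rng = random.Random(rng_seed)  # fixed seed keeps the campaign reproducible
    stats = {"ok": 0, "rejected": 0, "crashes": []}
    for _ in range(iterations):
        data = mutate(seed, rng)
        try:
            parser(data)
            stats["ok"] += 1
        except ValueError:
            stats["rejected"] += 1
        except Exception as exc:  # catching everything is the point here
            stats["crashes"].append((type(exc).__name__, data))
    return stats


if __name__ == "__main__":
    seed = build_record(1, [0x1234, 0xBEEF])
    for name, parser in (("defective", parse_record), ("hardened", parse_record_hardened)):
        result = fuzz(parser, seed, 300)
        print(name, "ok:", result["ok"], "rejected:", result["rejected"],
              "crashes:", len(result["crashes"]))
```

Each crash tuple holds the exception name and the exact bytes that caused it, which is what the triage step in the next slides needs: replaying the kept input against the parser reproduces the failure deterministically, and running the same campaign against the hardened parser shows the defect class closed rather than merely hidden.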
Slide 10: The role of the test organization in a Security Sensitive project
Fuzzing or fuzz testing:
Phase 1: Test Team only deals with the tools’ execution; enable massive production execution
Phase 2: Test team participates in the tool’s development
Phase 3: Test team handles also the debugging and triage of issues found by the tools
Phase 4: Test team autonomously decides and selects which tools to use
Slide 11: The role of the test organization in a Security Sensitive project
Validation engagement in Security activities:
- Mindset, mindset, mindset!
- Training
- Identifying security champions within the sub-teams
- 1st phase: Security Assurance team keeps “complex” areas. 2nd phase: Validation team takes over.
- 1st phase: Security Assurance team indicates “what” security testing to implement for new requirements; Validation develops the tests and executes them. 2nd phase: Validation team takes over also the test strategy definition.
- Utilize existing test cases and modify them into security ones
- Participate actively in security hackathons
- Recognize the work of validation people contributing to security activities
- Treat security bugs as top priority
Slide 12: The role of the test organization in a Security Sensitive project
Summary:
- Security Assurance teams are expensive and not scalable
- Organizations need to know how to offload part of their tasks into the Design and the Test teams
- Taking over Security tasks in validation teams takes time and should be done gradually
- Need managerial commitment and a profound change of mindset!
Slide 13: The role of the test organization in a Security Sensitive project
THANK YOU!