TShark (Newbie, Reged: 07/11/10, Posts: 1)
Security Testing: how to start and plan
#634160 - 07/11/10 05:09 AM

Hello All,

After 4 years of work I've decided to change my profile from functional testing to security testing (for now only for web apps). Armed with the OWASP Testing Guide v3 and O'Reilly's Web Security Testing Cookbook, I trained using WebGoat, but in interviews people are interested in the more general things described in the subject.

How to Start:
- Analysis of the application
  - Determine the technologies used.
  - How many layers?
  - Determine at what stage of SDLC now.
- Examine what techniques can be applied
  - Manual research and interviews.
  - Threat modeling.
  - Review source.
  - Penetration test.

Then we write test cases, run them and post defects?
How to plan correctly?


Thanks in advance.


sekharg4u (Newbie, Reged: 08/28/08, Posts: 16)
Re: Security Testing: how to start and plan [Re: TShark]
#634427 - 07/13/10 04:38 AM


Hi shark,

One suggestion from my side is to keep this skill as additional to your existing skill. For security testing you need to put more effort into knowing the technologies.
- Analysis of the application
This is common to every testing activity. Here the only change is that you need to concentrate on negative requirements.
- Determine the technologies used.
You need to understand the controls, validation process and configuration of the technologies (here we need the developers' help more).
- How many layers?
It depends on the application. Generally clients, web server, application server and database.
- Determine at what stage of SDLC now.
It depends on the criticality of the application. Suppose for applications like banking and finance we need to start from the early stages. Generally after functional testing we start the security testing.
- Examine what techniques can be applied
We can follow threat modeling.
- Manual research and interviews.
It comes with experience.
- Threat modeling.
Threat modeling follows different phases like
1) understand the application
2) split the application
3) identify the vulnerabilities
4) map the vulnerabilities to risks
5) do the penetration testing
6) analysis and reporting
- Review source.
It is completely the developers' work.
- Penetration test.
Execute the identified vulnerabilities.

Best of luck for your future as a security tester


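The thread's plan ends with "write test cases, run them and post defects", and the reply says to concentrate on negative requirements and on the application's validation controls. The following is an added example, not code from either poster: it encodes a handful of negative requirements for a username field as test cases, runs them against a constructed validator, and lists as a defect every input the validator accepts, since a negative test passes only when the application says no. The validator, the requirement IDs and the payloads are all constructed here for illustration; the one defect the run finds is the validator's use of `re.match` with `$`, which tolerates a trailing newline, beside a hardened version using `re.fullmatch`.

```python
"""Negative-requirement test cases for a web form field, run as a plan.

Added example for this thread, not code from either poster. The validator,
the requirement IDs and the payloads are constructed for illustration.
"""
import re
from dataclasses import dataclass


# Constructed application-side validator under test: the positive requirement
# is a username of 3 to 20 characters drawn from letters, digits and underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def validate_username(value: str) -> bool:
    """The 'before' version: re.match with '$' still matches when one
    newline follows the allowed characters at the end of the string."""
    return USERNAME_RE.match(value) is not None


def validate_username_fixed(value: str) -> bool:
    """Hardened version: fullmatch requires the whole string to match."""
    return re.fullmatch(r"[A-Za-z0-9_]{3,20}", value) is not None


@dataclass(frozen=True)
class NegativeCase:
    case_id: str       # constructed test-case identifier
    requirement: str   # the negative requirement the case covers
    payload: str       # an input the application MUST reject
    threat: str        # what accepting it would enable (feeds the risk mapping)


# Constructed plan: each negative requirement maps to at least one payload.
PLAN = (
    NegativeCase("NR-01", "reject input longer than 20 characters", "a" * 21, "length-limit bypass"),
    NegativeCase("NR-02", "reject empty input", "", "mandatory-field bypass"),
    NegativeCase("NR-03", "reject SQL metacharacters", "admin'--", "SQL injection"),
    NegativeCase("NR-04", "reject HTML markup", "<b>bob</b>", "stored XSS"),
    NegativeCase("NR-05", "reject control characters", "bob\n", "CRLF / log injection"),
    NegativeCase("NR-06", "reject null bytes", "bob\x00", "truncation of the stored value"),
)


def run_plan(validator, plan=PLAN):
    """Run every negative case against the validator.

    An input the validator ACCEPTS is a defect: for a negative requirement the
    expected outcome is rejection, so acceptance is the failing result.
    """
    defects = []
    for case in plan:
        if validator(case.payload):
            defects.append(case)
    return defects


def defect_report(defects):
    """Format accepted payloads the way they would be posted as defects."""
    lines = []
    for d in defects:
        lines.append(
            f"{d.case_id}: {d.requirement} -- accepted {d.payload!r}; risk: {d.threat}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    found = run_plan(validate_username)
    print(defect_report(found) or "no defects")
    print("after fix:", run_plan(validate_username_fixed) or "no defects")
```

Run as-is, the report lists NR-05 only: the regex-based validator accepts "bob\n" because `$` also matches before a final newline, while every other payload is rejected by the character class or the length limit. Against `validate_username_fixed` the plan produces no defects. The `threat` field is what carries each finding into the "map the vulnerabilities to risks" step of the reply's threat-modeling phases.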