Software Security Testing and Code Assessment
In the past, enterprise security focused almost exclusively on the network perimeter. Enterprise security was network security: protecting the corporate network via firewalls, routers and IDS/IPS. Information lived within the confines of the corporate IT infrastructure, and attackers were focused on breaching that perimeter to gain access to information. Today, with improved perimeter security in the form of reverse proxies, stateful packet inspection firewalls, and intrusion detection and prevention systems, the focus of attacks has changed. Attacks now target software applications rather than access to the network per se. This is especially true with the advent of Web-based applications, but it is also true for attacks against any software that can be exploited as a stepping-stone to reach further and further inside the network. The model now is “inside-out” rather than “outside-in”: the user inadvertently downloads malicious software (“malware”) that then exercises vulnerabilities in other software to either 1) expose critical data, or 2) increase privileges in order to obtain a base system for further attacks.
In this course, we will focus on two critical areas of software security assessment: auditing software to determine if security vulnerabilities exist (static analysis), and then testing software to determine if additional run-time (operational) vulnerabilities exist. Auditing an application is the process of inspecting an application (either source code or binary) for vulnerabilities; in contrast, testing (whether black box or grey box) usually involves developing an attack scenario and then testing to see if the attack succeeds.
The course will first address the importance of a security development process, and demonstrate how security testing is a critical component in that process. We will focus on threat modeling techniques and patterns, and then determine how to create tests to verify that these threats have been mitigated, using a combination of case studies and lab exercises to demonstrate the effectiveness of these tests. We will then consider issues of secure deployment and secure communications once the software is delivered, and conclude with a discussion of integrating ongoing security testing into an organization's security posture.
The course is designed to support the efforts of the following individuals:
Someone who will be managing an information security department.
Someone leading a software development team for whom software security is a requirement.
Someone who is part of a QA/Test organization and needs to be aware of software security vulnerabilities and know how to develop a testing program to indicate that these vulnerabilities have been mitigated.
Someone responsible for performing a software security assessment (internal or external).
At the end of the course, students will be able to:
List the steps of a security development lifecycle, and the reasons why each step is critical for software security success.
Contrast software auditing with software testing, and indicate when each technique is more effective.
Describe common software vulnerabilities, their impact on software security, and how to develop tests to uncover these flaws.
Perform tests to determine vulnerabilities.