The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

Risk-Based Security Testing Strategy

Course Description

Software security is a key element in your assurance and compliance strategy for protecting your applications and critical data. Organizations need applications that not only work correctly under normal use but also continue to work acceptably in the face of malicious attack. Software security testing extends beyond basic functional requirements and is a critical part of a secure software development life cycle. Risk-based security testing is about building confidence that attackers cannot turn security risks into security problems. This course teaches you to think like an attacker when testing your applications.

Learning Objectives

  • Develop a white box testing strategy based on real-world risks to improve where and how testing resources can be focused
  • Describe how to use architecture risk analysis and abuse case artifacts to enhance test plans
  • Use knowledge of common software errors to develop test cases that expose them
  • Strategize ways to integrate risk-based security testing into your SDLC

Details

Delivery Format: eLearning

Duration: 1 hour 15 minutes

Level: Intermediate

Intended Audience:

  • Front-End Developers
  • Back-End Developers
  • QA Engineers

Prerequisites: 

Course Outline

Introduction to Risk-Based Security Testing

  • The Key Players
  • The Software Security Discipline
  • What Is Software Security?
  • Two Broad Classes of Security Defects
  • Security Testing
  • Testing Security Functionality
  • Managing Risks
  • Defining What Security Means for You

Defining Requirements

  • Requirements
  • Functional Requirements
  • Non-Functional Requirements
  • Derived Requirements
  • Attributes of Good Requirements
  • Security Requirements, not Security Features
  • Security Requirement Types
  • Non-functional Security Requirements
  • Derived Security Requirements
  • Thinking Backwards
  • Automated Teller Machine: A Scenario
  • Security Requirements

Getting Started

  • Where Do I Start?
  • Risk-Based Security Testing Process
  • Security Goals
  • Guiding Principles for Secure Design
  • Risk Classifications
  • Putting It All Together

Testing Strategies

  • Adding Risk-Based Security Testing
  • Integrating the RBST Process
  • Using Threat Models
  • Using Architecture Risk Analysis Results
  • Using Abuse Cases
  • What Are You Accomplishing?
  • Effective Testing

Resourcing and Players

  • Testing Tools
  • Think Like an Attacker
  • Who Are You Up Against?

Common Risk Areas: Part 1

  • Security Coding Error Test Approach
  • Kingdom 1: Input Validation and Representation
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Kingdom 2: API Abuse
  • Ignoring Return Values
  • Using Deprecated Methods
  • Kingdom 3: Security Features
  • Privacy Violation
  • Default Authentication
  • Privilege Abuse
  • Handling Secrets

Common Risk Areas: Part 2

  • Kingdom 4: Time and State
  • Parameter Tampering
  • URL Tampering
  • Cookie Tampering
  • Kingdom 5: Errors
  • Exception Handling
  • Triggering Errors
  • Kingdom 6: Code Quality
  • Memory Leaks
  • Source Code Comments and Strings
  • Kingdom 7: Encapsulation
  • Violations of Boundaries Between Components
  • Violations of Data Trust Levels

Going Forward

  • Trying It All Together
  • Your Judgment Is Crucial
  • Challenges in Adopting Software Security Testing
  • Software Security Framework
  • A Software Security Roadmap
  • Mature Over Time
 

Training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster