Conference Presentations

Security Testing: Are You a Deer in the Headlights?

With frequent news reports of successful attacks on Web sites, application security is no longer an afterthought. More than ever, organizations realize that security has to be a priority while applications are being developed, not after. Developers and QA professionals are learning that Web application security vulnerabilities must be treated like any other software defect, and organizations save time and money by identifying and correcting these defects early in the development process. Ryan English helps you overcome the “deer in the headlights” look when you are first asked to test applications for security issues. See real-world examples of company Web sites that were hacked because of vulnerable applications, and see how the attacks could have been avoided.

  • Security defect categories and responsibility areas
Ryan English, SPI Dynamics Inc

Testing Windows Registry Entries

Warning: Registry keys may be hazardous to your program's health! Registry key entries in Windows applications, visible or hidden, are often neglected by testers. A registry key entry is a program feature just like any other application function and, as such, needs to be validated. Michael Stahl describes why registry keys deserve special attention during testing and proposes a strategy for mitigating the risks posed by incorrect registry key entries: a test strategy, plus coding standards for input value and type validation, default values, regeneration, and naming rules. Michael demonstrates the effect of correct and incorrect registry keys in common commercial applications.

Michael Stahl, Intel Corporation
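
A worked illustration of the rules the abstract lists (type validation, value ranges, defaults, regeneration of missing or corrupt entries, a naming rule), added here as an example rather than code from the talk. The application name ExampleApp, its registry subkey, the value names and every rule in SCHEMA are hypothetical. DictStore is a constructed in-memory stand-in for one registry key so the loader can be fed correct and incorrect entries on any platform, which is what a tester does; WinregStore is the real backend and uses the standard-library winreg module on Windows.

```python
"""Registry-backed settings loader with validation and regeneration.

Added example, not code from the talk. ``ExampleApp``, its subkey, the value
names and the rules in SCHEMA are hypothetical. DictStore is a constructed
in-memory stand-in for a registry key; WinregStore is the real backend and
only works on Windows.
"""
import sys

try:
    import winreg  # Windows-only standard-library module
except ImportError:  # not on Windows: DictStore is still usable
    winreg = None

# Registry value type tags (same numeric values as winreg.REG_SZ / REG_DWORD).
REG_SZ = 1
REG_DWORD = 4
PY_TYPE = {REG_SZ: str, REG_DWORD: int}

# Schema for every setting the program reads: (registry type, default, validator).
# Naming rule assumed for this example: PascalCase value names, no spaces.
SCHEMA = {
    "MaxConnections": (REG_DWORD, 10, lambda v: 1 <= v <= 500),
    "LogLevel": (REG_SZ, "warning",
                 lambda v: v in ("debug", "info", "warning", "error")),
    "CacheDir": (REG_SZ, r"C:\ProgramData\ExampleApp\cache",
                 lambda v: 0 < len(v) < 260 and "\x00" not in v),
    "UpdateUrl": (REG_SZ, "https://updates.example.invalid/",
                  lambda v: v.startswith("https://")),
}


class DictStore:
    """Constructed stand-in for one registry key: name -> (value, type tag)."""

    def __init__(self, values=None):
        self.values = dict(values or {})

    def read(self, name):
        return self.values[name]  # KeyError when the value is absent

    def write(self, name, value, rtype):
        self.values[name] = (value, rtype)


class WinregStore:
    """Real backend: HKEY_CURRENT_USER\\Software\\ExampleApp (hypothetical key)."""

    def __init__(self, subkey=r"Software\ExampleApp"):
        self.subkey = subkey

    def read(self, name):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, self.subkey,
                                0, winreg.KEY_READ) as key:
                return winreg.QueryValueEx(key, name)  # (value, type tag)
        except OSError:  # key or value missing
            raise KeyError(name)

    def write(self, name, value, rtype):
        with winreg.CreateKey(winreg.HKEY_CURRENT_USER, self.subkey) as key:
            winreg.SetValueEx(key, name, 0, rtype, value)


def load_settings(store):
    """Read every SCHEMA value from ``store``.

    A missing, wrongly typed or out-of-policy entry is reported in
    ``findings`` and regenerated from its default, so the program never runs
    on a corrupted or tampered setting and the next run starts clean.
    Returns (settings, findings).
    """
    settings, findings = {}, []
    for name, (rtype, default, ok) in SCHEMA.items():
        try:
            value, found_type = store.read(name)
        except KeyError:
            findings.append(f"{name}: missing; regenerated default {default!r}")
        else:
            if found_type != rtype or not isinstance(value, PY_TYPE[rtype]):
                findings.append(f"{name}: type {found_type!r} is not {rtype!r}; reset")
            elif not ok(value):
                findings.append(f"{name}: value {value!r} rejected by policy; reset")
            else:
                settings[name] = value
                continue
        store.write(name, default, rtype)
        settings[name] = default
    return settings, findings


def demo_store():
    """Constructed key with one good, two bad and one missing entry."""
    return DictStore({
        "MaxConnections": (99999, REG_DWORD),                      # out of range
        "LogLevel": ("debug", REG_SZ),                             # valid
        "UpdateUrl": ("http://updates.example.invalid/", REG_SZ),  # plain http
        # "CacheDir" deliberately absent
    })


if __name__ == "__main__":
    store = WinregStore() if (winreg and sys.platform == "win32") else demo_store()
    settings, findings = load_settings(store)
    for finding in findings:
        print("FINDING:", finding)
    print(settings)
```

Run on Windows it reads and, where needed, rewrites the real key under HKEY_CURRENT_USER; elsewhere it runs against the constructed store. The point for testers is the second call: after one load every entry has been regenerated, so loading the same store again must produce no findings, and a loader that silently accepted the out-of-range connection limit or the plain-http update URL would fail that check.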
Risk: The Tester's Favorite Four-Letter Word

Identifying risk is important, but managing risk is vital. Good project managers speak the language of risk, and their understanding of risk guides important decisions. Testers can contribute to an organization's decision making by speaking that same language. Learn from Julie Gardiner how to evaluate risk in both quantitative and qualitative ways. Julie discusses how to deal with some of the misconceptions managers have about risk-based testing, including: "testing is always risk-based," "risk-based testing is nothing more than prioritizing tests," "risk-based testing is a one-time-only activity," "risk-based testing is a waste of time," and "risk-based testing will delay the project."

Julie Gardiner, QST Consultants Ltd.

Secure Software is a Management Issue, Too!

Development teams are entering a new era of software development. Security will play a critical role because traditional development practices are failing in the face of poor software quality and constant hacker attacks. As a manager, you are under pressure to write more secure, higher quality software while at the same time reducing operational costs. How can you incorporate the latest in software security development practices and stay within mandated budgets? And how do you justify higher budgets in the face of uncertain security risks? Join Djenana Campara for a manager’s view of software security issues. Become more proactive in the treatment of software security vulnerabilities, and help protect your company's core assets from external security threats.

Djenana Campara, Klocwork Inc

Who is Stealing a Living off Your Web Site?

So, your company makes money from its Web site. Who else might be doing the same? While the Web is a profitable venture for many companies, it is often equally profitable for hackers and thieves. Because of vulnerabilities in your Web application that you do not know about, hackers may end up profiting more from your Web site than you do. See examples of hacker techniques: SQL injection, format string attacks, session-based attacks, and a host of others. Find out why the current crop of Web testing tools is not sufficient to thwart hackers and will leave you with a false and dangerous sense of security. Learn the skills and techniques you must know to stay ahead of hackers and find security holes in your Web applications.

  • Hidden Web application security vulnerabilities
  • Testing skills and techniques to find security holes and prevent breaches
  • Tools to help you with security testing Web sites
Florence Mottay, Security Innovation LLC

Navigating the Minefield - Estimating without Complete Requirements

Your team is assigned to a new project, and you've had the kickoff meeting. Now, your boss' boss sends an email to you asking for a "guesstimate" of how long and how many people-days the project will take. What do you do? Even though developers and project managers can see the futility of doing premature, fixed cost estimates prior to requirements development, the industry still demands early estimates, often before a project is even named. Based on her experiences with similar projects, Carol Dekkers offers tips and tricks that she and others have used successfully to answer these difficult questions. Find out how to provide traceability when the original estimates turn out to be as inaccurate as the unknown requirements they represent.

  • Early resource and time estimates without good requirements
  • Organizing and documenting early requirements statements
Carol Dekkers, Quality Plus Technologies Inc

Questions to Ask a Software Vendor about Security (and Verify) before Purchase

How do you choose which software vendor's product to buy? For a long time, CRM packages, ERP systems, and other commercial software selection criteria have come down to factors such as performance, compatibility, reputation of the vendor, support, and price. Security, though, has become a looming factor in the total cost of ownership and the risk of selecting one software product over another. Ed Adams describes the tough questions you need to ask vendors about security and how to extract critical information from them. Find out the steps to verify that their statements are accurate and their answers complete. With an approach for quantifying security risk before purchase, your organization will make more informed acquisition decisions.

  • A security assessment approach for purchased software packages
  • Quantifying security risk in software packages before purchase
Ed Adams, Security Innovation LLC

Reduce Risk Using Security QA Automation Techniques

Security QA testing is still in its infancy, yet the number of vulnerabilities found in applications is increasing: up 75 percent in 2001, according to Gartner Group. Although software teams are learning about the types of coding and configuration errors that expose vulnerabilities in an application, a comprehensive QA methodology must be applied to reduce security risk. This means testers need a security policy that can serve as the basis for automated tests. Security experts can define these policies, but testers need to know how to run the security tests effectively in an automated environment, locate vulnerabilities, evaluate the results, and enter bugs for failed tests in a defect tracking system. By automating security tests, organizations can significantly reduce risk and get the most out of existing resources.

  • Reduce the cost of development by finding security holes early in the cycle, before release
Alexander Mouldovan, Cenzic Inc
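
One concrete instance of both the attack named in "Who is Stealing a Living off Your Web Site?" (SQL injection) and the policy-driven automated test this abstract describes, added here as an example and not code from either talk. The users table, its two accounts, the payloads in POLICY and the "expected result" rule are all constructed; an in-memory sqlite3 database stands in for the site's database. The same policy is run against the vulnerable login and its parameterized fix, and the failures it returns are the records a tester would file in the defect tracker.

```python
"""SQL injection in a login check, its parameterized fix, and a policy-driven
test loop that exercises both.

Added example, not code from either talk. The users table, its two accounts
and the payloads in POLICY are constructed; sqlite3 in memory stands in for
the site's database.
"""
import sqlite3


def make_db():
    """Fresh in-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('admin', 'hunter2')")
    return conn


def login_vulnerable(conn, username, password):
    """Splices user input into the SQL text: the classic injection hole."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Bound parameters: quotes and comment markers in the input stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The "security policy" as data, so testers can run it without writing SQL:
# (username, password, expected result). None means "must not authenticate".
POLICY = [
    ("alice", "s3cret", "alice"),       # regression: valid credentials still work
    ("alice", "wrong", None),           # wrong password is refused
    ("admin' --", "anything", None),    # comments out the password check
    ("' OR 1=1 --", "anything", None),  # tautology matches every row
    ("'", "x", None),                   # malformed input must not surface a DB error
]


def run_policy(login):
    """Run every POLICY case against ``login``; return the list of failures.

    Each failure carries the payload and the observed behaviour, which is the
    information a tester files into the defect tracker.
    """
    findings = []
    for username, password, expected in POLICY:
        conn = make_db()
        try:
            got = login(conn, username, password)
        except sqlite3.Error as exc:  # an error page is a finding too
            got = f"database error: {exc}"
        finally:
            conn.close()
        if got != expected:
            findings.append({"username": username, "password": password,
                             "expected": expected, "got": got})
    return findings


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        failures = run_policy(fn)
        print(f"{name}: {len(failures)} policy failures")
        for failure in failures:
            print("  ", failure)
```

Against login_vulnerable the policy produces three failures: the two injected usernames authenticate without a valid password, and the lone quote raises a database error that a real site would show as an error page. Against login_fixed it produces none, while the first case confirms the fix did not break ordinary logins. Adding a payload to POLICY is all it takes to extend the suite, which is the division of labour the abstract describes: security experts write the policy, testers run it.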
Assessing Automated Testing Tools: A "How To" Evaluation Approach

You've been assigned the task of evaluating automated testing tools for your organization. Whether it's your first experience or you're looking to make a change, selecting the "best" automated testing tool can be daunting. With so many toolsets available, it is easy to choose one that does not provide the functionality you actually need. This presentation takes you through a number of steps that should be understood, and addressed, before acquiring any regression or performance testing toolset.

  • Learn to correlate your organization's requirements and existing framework with the toolsets available
  • Examine how integrated components help to identify potential problems
  • Determine what to ask/require from each vendor before committing to a purchase
Dave Kapelanski, Compuware Corporation

Total Reliability Management - Test Automation to Production

Most companies organize their application development teams in a way that reduces communication between them, and the result is an application released with more defects and behind schedule. Total reliability management is a new approach to ensuring product quality and timely release. This presentation focuses on how quality assurance can be applied to each phase of the software development and deployment processes. Attend and learn how total reliability management can be achieved and how your organization can benefit from it.

  • Learn why reliability can't be put in "after the fact"
  • See how production monitoring can provide extremely valuable information
  • Bridge the information gap so development teams can get valuable information from the QA and production teams
Rohit Gupta, Segue Software Inc


CMCrossroads is a TechWell community.