Posted on 26-Mar-2015
© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Application Security and Testing
Test Management Summit
TSE managing director Tomio Amano blamed the glitch on a software upgrade for processing data from securities companies, which was introduced in October.
Application Security - Who Cares?
From The Times
December 3, 2007
Secrets of Shell and Rolls-Royce come under attack from China’s spies
James Rossiter
Rolls-Royce and Royal Dutch Shell have fallen victim to Chinese espionage attacks, The Times has learnt.
Sustained spying assaults on Britain’s largest engineering company and on the world’s second-biggest oil multinational occurred earlier this year as part of a campaign to obtain confidential commercial information, sources said.
40M credit cards hacked
Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
June 20, 2005: 3:18 PM EDT. By Jeanne Sahadi, CNN/Money senior writer
HP Confidential April 10, 2023
Application Security is the weak link in Security
Web Application Vulnerabilities on the Rise
• Web is the easiest entry point
−Networks are secure. Hackers know Web applications are not.
• Organizations under pressure
−More Web applications
−More regulatory requirements
−More customer & partner demands
−More pressure from shareholders
Chart: Growth of Web Application Vulnerabilities
Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database.
What are organizations doing about these threats?
Leading organizations secure the lifecycle
• 92% of security defects exist in the application
• Save $$ by fixing security defects before they get to production
Chart: relative cost of fixing a security defect by lifecycle phase
Design: 1X
Development: 6.5X
Testing: 15X
Deployment: 100X
Challenge of Building a Scalable Security Program
Tools available today to support application security quality issues
• Source code analysis
−Static review of application vulnerabilities at the code phase
−Find and fix
• Security testing tools
−Functional validation of security requirements
−Some integrated with test management solutions
−Remedial updates to cover new threats
• Post-deployment security
−Penetration testing as an ongoing preventative measure
−Regular updates and re-tests are imperative
Points to consider
• Where does security fit into the application lifecycle?
• What is your security policy?
−How do you consider it when approaching software quality?
• Should quality be considered only at the testing stage?
−What about pre- and post-testing?
• Internal vs. external security
−Where are the vulnerabilities in your org?
−People?
−Applications?
−Data?
• Is there enough awareness of this issue within your org?
−Application vulnerabilities account for 75% of all issues
Open to the floor
• Security testing experiences
−What works well
• Why?
−Challenges
• How can they be overcome?
• Who is responsible?
Does it have to become front-line news before it is taken seriously?