As software developers we always need to make sure we are testing our code with unit testing, integration testing and manual testing. One important part of testing is understanding how security concerns should shape the way you test your code. That is why I like to attend our local Quality Assurance meetings.
The Des Moines Area Quality Assurance Association (DMAQAA) recently had David Nelson from Integrity Technology Systems come speak about Application Development Security. David began by describing the types of Testing and Evaluation. Passive Testing is similar to “knocking on doors and seeing if the door is locked.” It is the least intrusive or dangerous kind, and you report only what you see or find. It is easy to automate and is considered a safe scan.
In Active Testing the testers attempt to expose any system vulnerabilities. This can also be automated, but David pointed out a caveat: Active Testing can bring systems down. He prefers to do it in a non-production system, although some companies and organisations don’t have that option.
The next topic discussed was Vulnerability Scanning. A scanner examines an application or host looking for vulnerabilities such as the following three:
- Software Bugs
- Input Validation
- Configuration or Syntax Errors
Vulnerability Scanning has a high false positive rate, so each finding needs some manual validation. I know this from experience. Working at Dice on HealthCallings.com we would have a yearly vulnerability scan from an outside vendor. We would have to review all findings to validate that they were actually an issue. Once we had validated the issues in the scan we would triage them to determine whether each needed to be fixed right away or could wait.
Penetration Testing was next. It is used to validate reports of vulnerabilities, although it is typically an intrusive process. This type of testing requires awareness and intelligence. David warned us against automating it; he shared stories of automated penetration tests causing issues that customers were not happy with. David spoke about Binary Analysis next, describing how this type of analysis actually steps through the source code to find back-doors and time-bombs.
From there he compared Internal and External Testing. In Internal Testing the testing team has direct access to the internal network, and the testing covers the Application, Application Server, Database and Operating Systems. External Testing is done from outside the internal network; it tries to penetrate the network and also attempts various types of injection such as SQL Injection or Cross Site Scripting (XSS).
Overall David covered a lot more ground. He is a security professional and it shows. Anyone involved in Information Technology benefits from an understanding of the many aspects of security. You never know when this could come in handy to solve an issue or prevent one.