January 2011 Monthly Meeting Summary
Topic:
Automated Software Security Testing - Presentation by Frank Hurley & Aravind Venkataraman & Sagar Dongre, Cigital Inc.
This talk introduced an automation framework drawn from a real-world software security practice, including automated static and dynamic
analysis used to integrate software security into continuous integration, along with the state of the art in vulnerability scanning tools.
The differences and similarities between security testing and traditional testing were also outlined.
Frank Hurley is a Technical Manager with Cigital Inc. His areas of expertise include software testing and
development as well as software security.
Aravind Venkataraman is a Security Consultant at Cigital Inc., where he helps financial services firms build software
security programs from scratch.
Cigital, Inc. is a leading software security and quality consulting firm established in 1992, headquartered in Dulles, VA.
Took place on: Wednesday, January 12, 2011, 6:30 PM
Attendance: 14
Meeting Notes:
- The main security automation tools mentioned were AppScan (automated dynamic vulnerability testing) and Fortify (static code analysis);
both are commercial products and neither is inexpensive.
- There was discussion about Cigital's approach to building security into the SDLC.
- Microsoft Code Analysis Tool .NET (CAT.NET) was also mentioned: a binary code analysis tool that helps identify common
vulnerabilities in .NET applications (C#, Visual Basic .NET, J#).
- One issue with security testing is that management sometimes does not react to the results as seriously as desired.
This is more of a problem with code analysis findings; with penetration testing the impact of a flaw is more apparent. Often only the
critical vulnerabilities get attention.
- There was some discussion of how well security testing tools handle Ajax/JavaScript; several attendees indicated that
many security testing tools are still not good at handling those types of web applications.
- Security testing tools can take a long time to run, on the order of days rather than hours, depending on the size and complexity
of the application(s).
- A significant challenge in security testing is dealing effectively with false positives in the results; triaging them efficiently
requires expertise and experience.
- It was noted that security-related requirements are often unclear and not documented.
- Meeting PowerPoint presentation (800 KB).