Faster DevOps processes also create new challenges. It was difficult enough to add security into a traditional waterfall software development lifecycle with monthly or quarterly releases, but now software updates are released several times a day! What can developers do to build and maintain more secure applications? Here are some ways to encourage better security practices throughout the DevOps lifecycle.
Penetration testing is a method of evaluating the security of a system by maliciously attacking it and analyzing its possible weaknesses. Penetration testing uses a suite of tests, generally performed in a gray-box fashion, to attack the system as real attackers would-approaching the system with attacker eyes, knowledge, skills, and tools. Edward Bonver explains why and how penetration testing should be done on any mission-critical system as part of a comprehensive security testing strategy. He describes the factors that influence the success of penetration testing include testing environment readiness, technical information, and the availability of the product teams’ key contacts. You’ll learn the details behind penetration testing, common approaches, testing options, and best practices.
Compared to traditional functional testing, security testing requires testers to develop the mindset of real attackers and pro-actively look for security vulnerabilities throughout the software development lifecycle. Using live demos, Frank Kim shows you how to think-and act-like a hacker. Rather than just talking about issues such as Cross Site Scripting (XSS), SQL Injection, and Cross Site Request Forgery (CSRF), Frank shows-live and in color-how hackers abuse potentially devastating defects by finding and exploiting vulnerabilities in a live web application. Find out how attackers approach the problem of gaining unauthorized access to systems. Discover the tools hackers have that you don't even know exist and how you can find critical security defects in your production apps. In this revealing session, you'll learn how to become a better tester and find serious security vulnerabilities in your systems before the bad guys do.
Mobile devices-connected to the world through the Internet, web, networks, and messaging-are everywhere and expanding rapidly in numbers, functionality, and, unfortunately, security threats. Not too many years ago, little attention was paid to mobile device security. Now, we hear reports almost daily of phone emails/messages being hacked, apps with worms, phishing via smart devices, and smart device fraud. People often have their records, personal data, and financial records on or accessible by the mobile device. In addition, organizations are using these devices to conduct critical business. Jon Hagar shares and analyzes case histories and examples of mobile application security failures. Based on this analysis, Jon summarizes these attacks and describes how to expose security bugs within these devices.
To ensure the quality and safety of Web applications, security testing is a necessity. So, how do you cover all the different threats-SQL injection, cross-site scripting, buffer overflow, and others? James Knowlton explains how Ruby combined with Watir-both freely available-makes a great toolset for testing Web application security. Testing many common security vulnerabilities requires posting data to a Web server via a client, exactly what Watir does. The Ruby side of Watir, a full-function programming language, provides the tools for querying the database, checking audit logs, and other test-related processing. For example, you can use Ruby to generate random data or large datasets to throw at a Web application. James describes common security attacks and demonstrates step-by-step examples of testing these attack types with Ruby and Watir.