March 12, 2009

Improving Application Security while Testing Software

Posted in software testing at 1:22 am by mknight1130

Today, I went to the talk “Security Testing: How it fits in the QA Cycle” sponsored by the Software Association of Oregon (SAO). The talk focused on software vulnerabilities, particularly around web applications, and how to catch these before a product is released. Much of the emphasis about security has been towards network security (e.g. building more effective firewalls). But less emphasis has been placed on securing individual software programs, leaving them vulnerable to people populating input fields with malicious code. This code can sometimes be stored and execute functions as if it were the trusted application (e.g. a program that searches bank data and transfers money without the bank’s or respective customer’s knowledge). Thanks to the speakers Mike Hryekewicz and Brandon Edwards, I, along with many other audience members, had my eyes opened to software security risks and ways to address these as testers. Here are some helpful resources that provide additional information.

The first site is the Open Web Application Security Project (OWASP) at . OWASP is a non-profit organization designed to make security issues visible so that businesses can make appropriate decisions. A wide range of projects, videos, conferences, downloads and articles appear on the site. The site is also available in Spanish. This resource is mainly geared towards training developers and software testers. OWASP provides a useful application, WebGoat, to give developers and testers hands-on training with a sample web application with security gaps. For the novice, the OWASP Educational Project presents monthly meetings and presentations to download. The PowerPoint presentation “Education Module: Why WebAppSec Matters.ppt” provides a simple and chilling overview of where website attacks are happening and what needs to be done.

The second site, OnGuard Online at , provides helpful tips on protecting information when interacting with the Internet and tips on how to deal with information when it has been compromised. This site is maintained by the federal government. Games, topics and videos provide a multi-faceted approach to learning about Internet security.

As a software tester and a concerned consumer, I plan on visiting both the Open Web Application Security Project (OWASP) and the OnGuard Online sites frequently.
