Call is out to bring security testing into the QA process



April 18, 2008 —  SAN MATEO, Calif. — Testing the security of software applications should be part of the process of developing the software, not an afterthought. But one security analyst says that’s easier said than done.

Danny Allan, an IBM security researcher, made the case for advancing security research for software applications at the Software Test & Performance Conference April 16.

Allan argued, citing Gartner research, that while 75% of IT attacks are targeted at applications, 90% of IT security spending goes to securing the network, not the applications.

For instance, 86% of Web application attacks use cross-site scripting, Allan explained, a flaw that lets an attacker inject malicious script through a Web application into pages served to other users and potentially subvert the application's access controls.

Heading off cross-site scripting or other vulnerabilities requires testing the security of the application at the same time that developers are testing the functionality of the application, he said. Security should be integrated into the quality assurance phase of development and security defects should be logged along with other defects discovered in the process. Regression testing, used to determine how changes in a program may create bugs, should also be used to reveal security bugs.
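To make Allan's point concrete, here is an added example (not from the article or from IBM) of a cross-site scripting defect logged and re-checked as a regression test alongside functional cases. The names `render_unsafe`, `render_safe`, `live_markup` and `run_xss_regression` and the sample cases are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

def render_unsafe(name: str) -> str:
    """'Before' version of a greeting fragment: untrusted input is
    concatenated straight into HTML, so script in `name` becomes live markup."""
    return "<p>Hello, " + name + "!</p>"

def render_safe(name: str) -> str:
    """Fixed version: HTML-encode untrusted input before it reaches the page."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"

class _TagCollector(HTMLParser):
    """Collect every start tag and every on* attribute the browser would see."""
    def __init__(self):
        super().__init__()
        self.tags, self.event_attrs = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs += [k for k, _ in attrs if k.startswith("on")]

def live_markup(rendered: str) -> list:
    """Return any element other than the expected <p>, plus any event-handler
    attribute, that survived rendering. An empty list means no injection."""
    p = _TagCollector()
    p.feed(rendered)
    return [t for t in p.tags if t != "p"] + p.event_attrs

# Regression cases kept with the functional tests: two constructed XSS
# payloads (logged as defects) and one ordinary name that must still render.
XSS_CASES = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "O'Brien & Sons",
]

def run_xss_regression(render) -> dict:
    """Run every logged case through a renderer; True means the case passes
    (no live markup reached the page), False means the defect is present."""
    return {case: not live_markup(render(case)) for case in XSS_CASES}

if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(name, run_xss_regression(fn))
```

Running the suite against both renderers on every build is what turns the fix into a regression check: the "before" renderer fails the two payload cases, the fixed one passes all three while still rendering the ordinary name.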

“Security issues are nothing more than code quality issues,” Allan emphasized.

Yet at least one conference attendee said some organizations are set on a traditional process of developing the software, then testing it for security, and are hard to change.

“I’m the first one to talk about it,” said David Craft, a security analyst with the California Employment Development Department, which distributes unemployment benefits in the state.

“Security needs to be deeper in the process,” Craft said, but to others in his department, “It’s all brand new.”

Microsoft’s WCF Security Guidance Project is also developing a set of best practices that include security testing of applications using Windows Communication Foundation, a .NET-based programming framework. The project’s home page is hosted by the company’s CodePlex Web site.

The WCF 3.5 Security Guidelines, released this month, offer tips for developing and maintaining the security of .NET applications, according to a blog posting by J.D. Meier, a Microsoft software engineer.

“Customers find the guidelines help them cut through a lot of information and take action,” Meier wrote.

If organizations continue to test security features only after the application has been completed, said IBM’s Allan, “We will always be chasing a train that has long ago left the station.”

The Software Test & Performance Conference, held April 15-17, was hosted by BZ Media Inc., which also publishes SD Times.