Call is out to bring security testing into the QA process

April 18, 2008 — 
SAN MATEO, Calif. — Testing the security of software applications should be part of the process of developing the software, not an afterthought. But one security analyst says that’s easier said than done.

Danny Allan, an IBM security researcher, made the case for advancing security research for software applications at the Software Test & Performance Conference April 16.

Allan argued, citing Gartner research, that while 75% of IT attacks are targeted at applications, 90% of IT security spending goes to securing the network, not the applications.

For instance, 86% of Web application attacks use cross-site scripting, Allan explained, which allows an attacker to inject malicious script into pages served by a Web application and potentially subvert access controls.

Heading off cross-site scripting or other vulnerabilities requires testing the security of the application at the same time that developers are testing its functionality, he said. Security should be integrated into the quality assurance phase of development, and security defects should be logged along with the other defects discovered in the process. Regression testing, used to determine whether changes to a program have introduced bugs, should also be used to reveal security bugs.
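As an added illustration, not code from the article or from IBM, here is what such a security regression test looks like when it sits beside a functional test in a QA suite: a page-rendering function in its "before" form, which interpolates untrusted input verbatim, and its fixed form, which HTML-encodes the input, plus a small set of constructed regression inputs. The function names and sample inputs are assumptions.

```python
"""Security regression test kept alongside functional tests (illustrative)."""
import html
import re
import unittest


def render_greeting_unsafe(name: str) -> str:
    # "Before" behaviour: untrusted input lands in the page verbatim (the XSS defect).
    return f"<p>Hello, {name}!</p>"


def render_greeting(name: str) -> str:
    # Fixed behaviour: HTML-encode untrusted input before it reaches the page.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Constructed regression inputs; once an XSS defect is logged, its trigger
# stays in the suite so the bug cannot silently come back.
XSS_REGRESSION_INPUTS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "Alice & Bob <3",
]

# Any '<' other than the template's own <p> / </p> means input escaped as markup.
_FOREIGN_TAG = re.compile(r"<(?!/?p>)")


def escapes_untrusted_input(render) -> bool:
    """True if no regression input produces markup beyond the template's own tags."""
    return all(_FOREIGN_TAG.search(render(s)) is None for s in XSS_REGRESSION_INPUTS)


class GreetingTests(unittest.TestCase):
    # Functional and security checks are logged by the same harness.
    def test_functional_greeting(self):
        self.assertEqual(render_greeting("Alice"), "<p>Hello, Alice!</p>")

    def test_security_regression_no_markup_injection(self):
        self.assertTrue(escapes_untrusted_input(render_greeting))


if __name__ == "__main__":
    unittest.main()
```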

“Security issues are nothing more than code quality issues,” Allan emphasized.

Yet at least one conference attendee said some organizations are set on a traditional process of developing the software, then testing it for security, and are hard to change.

“I’m the first one to talk about it,” said David Craft, a security analyst with the California Employment Development Department, which distributes unemployment benefits in the state.

“Security needs to be deeper in the process,” Craft said, but to others in his department, “It’s all brand new.”

Microsoft’s WCF Security Guidance Project is also developing a set of best practices that include security testing of applications using Windows Communication Foundation, a .NET-based programming framework. The project’s home page is hosted by the company’s CodePlex Web site.

The WCF 3.5 Security Guidelines, released this month, offer tips for developing and maintaining the security of .NET applications, according to a blog posting by J.D. Meier, a Microsoft software engineer.

“Customers find the guidelines help them cut through a lot of information and take action,” Meier wrote.

If organizations continue to test security features only after the application has been completed, said IBM’s Allan, “We will always be chasing a train that has long ago left the station.”

The Software Test & Performance Conference, held April 15-17, was hosted by BZ Media Inc., which also publishes SD Times.

