News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 2/1/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Visual Studio 2010 Release Candidate Available Today
A Visual Studio 2010 release candidate is available on MSDN.
02/09/2010 09:45 AM EST

Is Microsoft eyeing Office subscription pricing?
Microsoft may be preparing to offer a new Office pricing option called "union," which charges the same for cloud as on-premises.
02/01/2010 09:38 AM EST

Facebook rewrites PHP runtime
Facebook is about to open source its own PHP runtime, written from scratch for speed.
01/30/2010 08:53 PM EST

2/9/2010 to 2/13/2010
San Francisco
IDG World Expo

SPTechCon 2010

2/10/2010 to 2/12/2010
San Francisco
BZ Media

PyCon 2010 (Python Conf.)

2/17/2010 to 2/25/2010
Atlanta
Python Software Foundation

Southern Calif. Linux Expo

2/19/2010 to 2/20/2010
Los Angeles
SCALE

IBM Pulse

2/21/2010 to 2/24/2010
Las Vegas
IBM

HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON ESDC IPHONEDEVCON PRIVACY POLICY CONTACT US

Printable version

HOME >> LATEST NEWS

Most Read Latest News Blog Resources

Facebook brings HipHop to PHP
HipHop compiles PHP to speed up the Web layer at world's most popular social networking si...

Adobe moves LiveCycle application platform to the cloud
Release gives developers just what they need to create targeted business process-oriented ...

Syncfusion announces component suite for .NET 4
Essential Studio 2010 has business intelligence, reporting and UI controls, ready for .NET...

Adobe moves LiveCycle application platform to the cloud
Release gives developers just what they need to create targeted business process-oriented ...

Oracle acquires AmberPoint
Today's merger will probably affect most of AmberPoint's existing partnerships with other ...

Syncfusion announces component suite for .NET 4
Essential Studio 2010 has business intelligence, reporting and UI controls, ready for .NET...

Visual Studio 2010 Release Candidate Available Today
A Visual Studio 2010 release candidate is available on MSDN.

Is Microsoft eyeing Office subscription pricing?
Microsoft may be preparing to offer a new Office pricing option called "union," which charges the same for cloud as on-premises.

Facebook rewrites PHP runtime
Facebook is about to open source its own PHP runtime, written from scratch for speed.

The Agile Heartbeat When an organization goes Agile, who’s the most affected? Programmers? Testers? Stakeholde...

Open Source Community Practices in the Enterprise In the enterprise, open source software is recognized for the cost savings it delivers whe...

Enterprise Mashup Platforms for Today’s Increasingly Complex and Real-Time Context Enterprise Mashups offer your company a new way to connect data from inside and outside yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

Call is out to bring security testing into the QA process

By Robin "Roblimo" Miller

April 18, 2008 —

SAN MATEO, Calif. — Testing the security of software applications should be part of the process of developing the software, not an afterthought. But one security analyst says that’s easier said than done.

Danny Allan, an IBM security researcher, made the case for advancing security research for software applications at the Software Test & Performance Conference April 16.

Allan argued, citing Gartner research, that while 75% of IT attacks are targeted at applications, 90% of IT security spending goes to securing the network, not the applications.

For instance, 86% of Web application attacks use cross-site scripting, Allan explained, which allows an attacker to inject malicious code through a Web application and potentially subvert access controls.

Heading off cross-site scripting or other vulnerabilities requires testing the security of the application at the same time that developers are testing the functionality of the application, he said. Security should be integrated into the quality assurance phase of development and security defects should be logged along with other defects discovered in the process. Regression testing, used to determine how changes in a program may create bugs, should also be used to reveal security bugs.

“Security issues are nothing more than code quality issues,” Allan emphasized.

Yet at least one conference attendee said some organizations are set on a traditional process of developing the software, then testing it for security, and are hard to change.

“I’m the first one to talk about it,” said David Craft, a security analyst with the California Employment Development Department, which distributes unemployment benefits in the state.

“Security needs to be deeper in the process,” Craft said, but to others in his department, “It’s all brand new.”

Microsoft’s WCF Security Guidance Project is also developing a set of best practices that include security testing of applications using Windows Communication Foundation, a .NET-based programming framework. The project’s home page is hosted by the company’s CodePlex Web site.

The WCF 3.5 Security Guidelines, released this month, offer tips for developing and maintaining the security of .NET applications, according to a blog posting by J.D. Meier, a Microsoft software engineer.

“Customers find the guidelines help them cut through a lot of information and take action,” Meier wrote.

If organizations continue to test security features only after the application has been completed, said IBM’s Allan, “We will always be chasing a train that has long ago left the station.”

The Software Test & Performance Conference, held April 15-17, was hosted by BZ Media Inc., which also publishes SD Times.

Related Search Term(s): IBM, QA testing

Share this link: http://www.sdtimes.com/link/32054

Open-source tools take hold in test/QA market Last year, the testing market saw open-source tools like HtmlTestCase, STAF and Systir emerge, a marked increase over other years. Established companies also updated their testing/QA software.

IBM boosts analysis features in collaborative platform Rational Quality Manager gives real-time data to software development teams, giving both developers and business professionals what they need to make informed testing decisions. The platform uses predictive algorithms to determine which software works best with which browsers.

IBM targets BPM in latest product releases A role-based desktop environment for monitoring business processes is one of the BPM tools offered by IBM in October. Other releases include WebSphere plug-ins, a new BPM diagnostic tool and an update to FileNet Active Content Edition.

Add comment

Name*
Email*
Country

Comment
Preview

Call is out to bring security testing into the QA process

By Robin "Roblimo" Miller

Related Articles

Add comment