EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Usability Testing Sections
- Installation and Un-Installation
- Software Documentation
- Test Cases or Tutorial
- Graphical User Interface
- Stress Testing
- Security Vulnerability Testing

Installation
EPRI Requirements: http://swdev.epri.com/req-install.asp
- Run a virus scan
- Verify documentation
  - Network installation instructions, if necessary
  - Documentation is required for applications such as web applications and spreadsheets

Installation
- Installation settings
  - Typical vs. custom
  - Install directories
  - Shortcuts
- Confirm successful installation and un-installation of applications
- Software encryption
  - Input serial numbers or security keys, if necessary
  - Test invalid inputs for validation

Software Documentation
EPRI Requirements: http://swdev.epri.com/req-doc.asp
- Check that the EPRI Software Manual Template was used
- Check headers and footers
- Check for system requirements
  - Hardware and software specifications
  - Permissions, such as Administrator rights
- Check application feature descriptions
- Check spelling and grammar

Test Cases
EPRI Requirements: http://swdev.epri.com/req-testcase.asp
- Reminder: one tutorial is required, or at least three solved example problems
- Execute and confirm all tutorials for correct inputs and outputs
- Verify that the calculations, graphs, and screenshots match the documentation
- Note: if any inputs or results do not match, the software cannot be approved for delivery to customers

Graphical User Interface
EPRI Requirements: http://swdev.epri.com/req-gui.asp
- Check for the preproduction splash screen (if in the preproduction stage)
- Windows fit in the main application screen and nothing is cut off when windows are resized
- Make sure all information is accessible
- Internationalization
  - Check compatibility
  - SI units
- Change appearance settings
- Tab order and hot-keys (Alt keys)
- Check the embedded Help feature, including the buttons that open it

Stress Testing
- Range checking
  - Boundaries of numeric inputs
- Input type
  - Numerical
  - Alphabetical
  - Special characters
- Follow the solved example problems, but then skip a step or do the steps in a different sequence

Stress Testing
- Check the print feature
- Try different login combinations
- Check error messages for clarity; an error message should appear at the moment the error occurs
- Check spelling within the application

Stress Testing
For databases:
- Ensure all connections made through the application are valid when accessing data
- Ensure single quotes and double quotes are tested, to verify they do not corrupt the database
- Add duplicate records
- Delete all records to make sure this does not crash the application
- Modify data files to make sure the application gives a correct error message

Stress Testing
- Verify Admin privilege and how it differs from a regular user
  - With the administrative feature
  - Without the administrative feature
- Check for compatibility with Microsoft Office applications, if applicable (such as copy and paste features)
- Test the functionality of buttons
- Check the save feature

Stress Testing
- Check the open-file feature (correct file extensions, choosing an incorrect file type brings up an error message, etc.)
- Check date notation: the International Standard date notation is DD-MM-YYYY; the United States Standard date notation is MM-DD-YYYY
- If there are graphs, check graph features and settings
- Check options/settings not covered in the sample problems
- Check to make sure international units are converted correctly

Stress Testing
- Maximize, minimize, and resize windows to make sure the application responds correctly
- Check keyboard shortcuts
- Check all menu items, including the pop-up menus that appear when the user right-clicks an item
- If there are hardware/software keys, check whether the application responds when executed with the key(s), then without the key(s)

Security Vulnerability Testing
OWASP Top Ten Web Application Vulnerabilities: http://www.owasp.org/index.php/owasp_top_ten_project
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

Security Vulnerability Testing
Two vulnerabilities SQA will test for:
- Structured Query Language (SQL) Injection
- Cross-Site Scripting
The developer is expected to address security vulnerabilities when developing an application.

Security Vulnerability Testing: SQL Injection
- Injection of a SQL query through input data, such as a querystring or a form
- Examples:
  - In the querystring, enter a SQL statement, such as "; Delete from users --", into a querystring variable
  - Enter "' OR 1=1" into a form field or querystring variable
- See the following for more information and testing examples: http://www.owasp.org/index.php/sql_injection
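The following is an added example, not part of the EPRI guide, showing why the SQL injection probe above and the single-quote check from the database stress-testing slide are worth running. It builds a constructed in-memory SQLite user table and compares a login query that pastes form values into the SQL text with one that binds them as parameters. The injected value combines the slide's two examples (`' OR 1=1` followed by the `--` comment) so that it parses cleanly in SQLite; the table, user names and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory user table for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

# Vulnerable pattern: the submitted values become part of the SQL text,
# so quotes in the input change the meaning of the statement.
def login_concat(conn, username, password):
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]

# Hardened pattern: the SQL text is fixed and the values travel as bound
# parameters, so the database never interprets them as SQL.
def login_param(conn, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def add_user_concat(conn, username, password):
    conn.execute("INSERT INTO users VALUES ('%s', '%s')" % (username, password))

def add_user_param(conn, username, password):
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def run_checks():
    """Run the slide's probes against both code paths and report what happened."""
    results = {}
    conn = make_db()

    # Injection probe: the slide's "' OR 1=1" with its "--" comment appended.
    probe = "' OR 1=1 --"
    # Concatenated query returns every user without a valid password.
    results["concat_injected"] = login_concat(conn, probe, "anything")
    # Parameterised query treats the probe as a literal (non-existent) user name.
    results["param_injected"] = login_param(conn, probe, "anything")

    # Quote check from the database stress-testing slide: a name containing
    # a single quote must be stored intact rather than breaking the statement.
    try:
        add_user_concat(conn, "o'neil", "pw")
        results["concat_quote"] = "accepted"
    except sqlite3.OperationalError:
        results["concat_quote"] = "syntax error"
    add_user_param(conn, "o'neil", "pw")
    results["param_quote"] = login_param(conn, "o'neil", "pw")
    return results

if __name__ == "__main__":
    for name, value in run_checks().items():
        print("%-16s %r" % (name, value))
```

The slide's other probe, `; Delete from users --`, relies on stacked statements; SQLite's `execute()` refuses to run more than one statement per call, so that particular probe is better exercised against the database engine the application actually ships with.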

Security Vulnerability Testing: Cross-Site Scripting
- Harmful scripts are entered into web sites via a querystring or form field
- Example: enter "<script type="text/javascript"> alert('hello'); </script>" into a form field to check whether the form field is validated
- Allows the user to execute scripts that are harmful
- See the following for more information: http://www.owasp.org/index.php/cross-site-scripting
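As an added example (not from the EPRI guide), the check below feeds the slide's probe string through a form field and a querystring parameter into two constructed page-rendering functions, one that inserts the value verbatim and one that HTML-escapes it, and reports whether the probe comes back as live markup. The page templates, parameter name and function names are assumptions made for the demonstration.

```python
import html
from urllib.parse import parse_qs

# The probe string from the slide, submitted as the form-field value.
PROBE = '<script type="text/javascript"> alert(\'hello\'); </script>'

def render_unescaped(name):
    # Vulnerable: the submitted value is written into the HTML verbatim,
    # so a <script> element in the input becomes a <script> element on the page.
    return '<p>Hello, %s!</p><input name="name" value="%s">' % (name, name)

def render_escaped(name):
    # Hardened: the value is escaped for both text and attribute context
    # (quote=True also encodes " and '), so the browser shows it as text.
    safe = html.escape(name, quote=True)
    return '<p>Hello, %s!</p><input name="name" value="%s">' % (safe, safe)

def reflects_probe(page, probe=PROBE):
    # The tester's check: does the probe come back unchanged (i.e. as markup)?
    return probe in page

def value_from_querystring(qs, key="name"):
    # Mirrors the slide's querystring path: ?name=<probe>
    return parse_qs(qs).get(key, [""])[0]

def check_both():
    """Exercise form-field and querystring input against both renderers."""
    qs_value = value_from_querystring("name=" + PROBE)
    return {
        "form_unescaped": reflects_probe(render_unescaped(PROBE)),
        "form_escaped": reflects_probe(render_escaped(PROBE)),
        "qs_unescaped": reflects_probe(render_unescaped(qs_value)),
        "qs_escaped": reflects_probe(render_escaped(qs_value)),
        "escaped_page": render_escaped(PROBE),
    }

if __name__ == "__main__":
    for name, value in check_both().items():
        print("%-16s %r" % (name, value))
```

A page that reflects the probe unchanged fails the slide's check; the escaped rendering turns `<` into `&lt;` and the quotes into entities, so the same probe is displayed rather than executed.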

Security Vulnerability Testing
Testing tools:
- OWASP's WebScarab (manual)
- OWASP's Zed Attack Proxy (automated)
- Nexpose (automated)
- Rapid 7 (automated)
Reference: Open Web Application Security Project (OWASP), http://www.owasp.org/index.php/main_page

What SQA Does Not Do
SQA software usability testing does not do:
- V&V (Verification and Validation) testing
- Testing or validation of real-world data (this should be done by beta testers)
- Exhaustive testing or white-box (source code) testing
SQA usability testing will not find all errors and is not intended to. All errors are expected to be found by developers.

Together Shaping the Future of Electricity