Comments on Yet Another Developer's Blog: A new type of security testing...
Blog author: Chris Schmidt (http://www.blogger.com/profile/00176557422611541107)

Manish (http://www.andlabs.org/), 2010-01-27 03:33:
A similar approach was suggested by Stephen in OWASP AppSec EU 2006.
http://www.owasp.org/images/6/62/OWASPAppSecEU2006_SecurityTestingthruAutomatedSWTests.ppt

I have also included this in my trainings for developers for some time now. But I'm not sure how many of them follow it or even bother to go that extra length. Also the in-house **security experts** in most companies would not be able to help unless they have some kind of understanding of code (which most of them do not!!!).

But this is a very good (and yes ... *NECESSARY*) approach and I believe including such tests will help in identifying security bugs early in the dev lifecycle.

I don't want to sound too negative, but what is the probability that the devs would do this considering the stringent deadlines under which they are working?

Anyway ... this is an excellent idea :)

jOHN (http://www.cigital.com/justiceleague), 2010-01-16 05:59:
I'm a bit late but... I believe this approach dramatically outperforms more classic tool-centric DAST approaches over time. The key is over time. I think most people shy away because they're driven only by audit/compliance or because of the perceived cost of the spin-up time required to get good coverage on the canon of, say, OWASP security guidance. This is a shame.

I was speaking with someone from my OWASP chapter and a few guys from our quality practice and suggested the following: let's build 'testing legos' for a critical mass of the OWASP Security Testing Guide into a suite of Selenium scripts that people can use 'out of the box'. If we successfully hit, say, 33-50% of the guide, people might view the proper security testing approach as less onerous and might make that initial jump from DAST. They'd also have a clear path to transition test-case maintenance to their QA groups.

We've already done an analysis of the testing guide for ability to automate; now we just need to start prototyping the toolkit. Anyone want to help?

Jim Manico (https://www.blogger.com/profile/12382834501997208557), 2010-01-14 15:14:
I don't think this idea is good. I think this idea is **NECESSARY** if we want to provide a deeper level of assurance for different ESAPI implementations.

Nice work as usual, Beef!

Chris Schmidt (https://www.blogger.com/profile/00176557422611541107), 2010-01-14 09:43:
@Dave
I think it is important that the ESAPI test cases test the interfaces of the API so that they can be used to test "your" ESAPI implementations as well as what we ship with ESAPI.

However, I don't think that is enough. This doesn't touch on specific use cases or, as you say, "abuse cases" (I dig it, BTW). Testing only the security controls themselves does not ensure that your codebase is using those security controls and, more importantly, doesn't test that your business logic is using them correctly.

An example is that while ESAPI tests the functionality of the Encoder.canonicalize() method, if you are storing a canonicalized string in your database without validating it, the ESAPI tests will not catch this issue, and storing a canonicalized value is often more dangerous than storing an encoded value.

I think your point is valid, and you are right on with what I am describing here, but I think that it needs to go beyond just the ESAPI and into the realm of the application code itself. I am currently working on ways that this could be accomplished without requiring the developer to write a ton of test code every time they create a class, but generifying that process is difficult and subject to the same types of problems as static code analysis and vulnerability scanning.

Dave Ockwell-Jenner (http://www.primeinfosec.com/), 2010-01-14 09:28:
I couldn't agree more! If you consider that test cases are based upon use cases, then there is also the latitude to consider test cases written upon 'abuse cases'. This is, I think, what you are describing here.

I've long been a proponent of not just testing what is *supposed* to happen, but explicitly testing for things that are supposed *not* to happen. Your suggestion here is a concrete example of this philosophy.

What would be great is if we could move some of the common test cases into something like ESAPI... so we're providing developers with the tools to mitigate vulnerabilities and provide assurance of that mitigation.