January 2011 Monthly Meeting Summary
Automated Software Security Testing - Presentation by Frank Hurley & Aravind Venkataraman & Sagar Dongre, Cigital Inc.
This talk introduced an automation framework from a real-world Software Security practice, including automated static and dynamic
analysis used to bring security testing into continuous integration, and surveyed the state of the art in vulnerability scanning tools.
Additionally, the differences and similarities between security testing and traditional testing were outlined.
Frank Hurley is a Technical Manager with Cigital Inc. His areas of expertise include software testing and
development as well as software security.
Aravind Venkataraman is a Security Consultant at Cigital Inc., where he helps financial services firms build Software
Security programs from scratch.
Cigital, Inc. is a leading software security and quality consulting firm established in 1992, headquartered in Dulles, VA.
Took place on: Wed. January 12 2011 6:30 PM
- The main security automation tools mentioned were AppScan (automated dynamic vulnerability testing of web applications) and Fortify (static code analysis);
both are commercial products, and neither is inexpensive.
- There was discussion about Cigital's approach to building security into the SDLC.
- Microsoft Code Analysis Tool .NET (CAT.NET) was also mentioned: a binary code analysis tool for managed .NET assemblies
(C#, Visual Basic .NET, J#) that helps identify common vulnerabilities.
- One issue with security testing is that management may not take the results as seriously as desired;
this is more of a problem with code analysis output, whereas with pen testing the impact of a flaw is more apparent. Often only the
critical vulnerabilities get attention.
many security testing tools still were not good at handling those types of web apps.
- Security testing tools can take a long time to run - on the order of days rather than hours, depending on the size/complexity
of the application(s).
- A significant part of security testing is handling false positives in the results efficiently; triaging them
without wasting effort requires expertise and experience.
- It was mentioned that often security-related requirements are unclear and not documented.
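Several of the points above (running scanners inside continuous integration, triaging false positives, and the fact that only critical findings get attention) come together in a build gate. The script below is an added example written for this summary, not code from the talk or from Cigital, and it does not use the native report format of Fortify or AppScan: the scanner output and the reviewed-suppression baseline are constructed in a hypothetical generic JSON shape. It fingerprints each finding by rule, file and whitespace-normalised code (not line number, so edits elsewhere in a file do not turn a reviewed suppression back into a "new" finding), applies a baseline whose entries carry a reviewer, a reason and an expiry date, fails the build on unsuppressed critical or high findings, and fails closed on severity labels it does not recognise.

```python
import hashlib
import json
import sys
from datetime import date

GATE_SEVERITIES = {"critical", "high"}
KNOWN_SEVERITIES = {"critical", "high", "medium", "low", "info"}


def fingerprint(rule, path, snippet):
    """Stable identity for a finding: rule + file + whitespace-normalised code.

    The line number is deliberately left out so that unrelated edits above a
    finding do not make a reviewed suppression look like a new result."""
    normalised = " ".join(snippet.split())
    digest = hashlib.sha256("\0".join((rule, path, normalised)).encode()).hexdigest()
    return digest[:16]


# Constructed scanner output in a hypothetical generic JSON format; this is
# not the native report format of Fortify, AppScan or any other real tool.
SCAN_OUTPUT = json.dumps({"findings": [
    {"rule": "SQL_INJECTION", "severity": "critical",
     "file": "src/orders/OrderDao.java", "line": 88,
     "snippet": 'stmt.executeQuery("SELECT * FROM orders WHERE id=" + id);'},
    {"rule": "PATH_TRAVERSAL", "severity": "high",
     "file": "src/files/Download.java", "line": 41,
     "snippet": 'new File(baseDir, request.getParameter("name"))'},
    {"rule": "WEAK_RANDOM", "severity": "medium",
     "file": "src/ui/Captcha.java", "line": 12,
     "snippet": "new java.util.Random().nextInt()"},
]})

# Reviewed suppressions (constructed), versioned beside the code. Every entry
# names the reviewer, the reason and an expiry date so the false-positive
# decision is revisited instead of silently outliving the code it describes.
BASELINE = [
    {
        "fingerprint": fingerprint("PATH_TRAVERSAL", "src/files/Download.java",
                                   'new File(baseDir, request.getParameter("name"))'),
        "reviewer": "appsec-team",
        "reason": "name is checked against an allow-list two frames up",
        "expires": "2030-01-01",
    },
]


def triage(raw_json, baseline, today_iso):
    """Sort findings into blocking / suppressed / advisory for a build on today_iso (YYYY-MM-DD)."""
    # ISO dates compare correctly as strings; expired suppressions are ignored.
    active = {b["fingerprint"]: b for b in baseline if b["expires"] >= today_iso}
    report = {"blocking": [], "suppressed": [], "advisory": []}
    for f in json.loads(raw_json)["findings"]:
        fp = fingerprint(f["rule"], f["file"], f["snippet"])
        sev = f.get("severity", "unknown").lower()
        if fp in active:
            report["suppressed"].append((f["rule"], f["file"], f["line"], active[fp]["reason"]))
        elif sev in GATE_SEVERITIES or sev not in KNOWN_SEVERITIES:
            # Unknown severities fail closed: a tool upgrade that renames its
            # levels must not quietly stop the gate from blocking the build.
            report["blocking"].append((f["rule"], f["file"], f["line"], sev))
        else:
            report["advisory"].append((f["rule"], f["file"], f["line"], sev))
    return report


def gate_passes(report):
    """The build passes only when nothing unsuppressed reaches the gate severities."""
    return not report["blocking"]


if __name__ == "__main__":
    rep = triage(SCAN_OUTPUT, BASELINE, date.today().isoformat())
    for bucket in ("blocking", "suppressed", "advisory"):
        for rule, path, line, note in rep[bucket]:
            print(f"{bucket:10} {rule} {path}:{line}  ({note})")
    sys.exit(0 if gate_passes(rep) else 1)
```

Run as a CI step after the scanner, the non-zero exit fails the build only for new critical or high findings, while medium and low ones are still listed for follow-up; the expiry on each baseline entry is what keeps the suppression list from becoming a permanent blind spot.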
- Meeting powerpoint presentation (800 KB).