Application security testing

25 05 2009

IT security has been an important topic for every CIO for many years now, and testing is part of it. As a result, a very large number of companies offer security and penetration tests, or audits, to identify an enterprise's vulnerabilities so that they can be « corrected ».

But in this small world I know nobody who really, concretely and operationally deals with application security testing!

That is why I am starting a new series of articles on the subject, to share it with you. If you have remarks or suggestions, I am listening.

My first article covers one of my visits to HP, where I attended the presentation of major updates to its software designed to help CIOs reduce the vulnerability of their web applications. These new offerings are part of HP Application Security Center, a suite of software and services designed to help companies secure their web applications by enabling them to discover, correct and prevent vulnerabilities that could be exploited by attackers.

What is HP Application Security Center? It helps developers, QA teams and security professionals detect and correct vulnerabilities and defects quickly and cost-effectively throughout the application lifecycle. These security testing products provide common security policy definitions, automated security testing, centralized permission control and web access to security information.

New in 2009:

HP Assessment Management Platform 8.0 – helps companies reduce application costs and risks through a distributed, scalable web application security testing platform. In addition, HP Assessment Management Platform 8.0 enables companies to:

• Prioritize security issues according to business objectives. New analytical functions help companies identify the assets that need to be secured and classify data according to its importance to the business. Adding business context to the data lets scarce security expertise be focused where it matters

• Secure more applications with fewer specialist resources through a shared services model. The latter is supported by global reporting functions and a new visualization function that lets teams remotely supervise a security scan

HP WebInspect 8.0 – helps companies analyze complex web applications in depth. This new version brings more speed and reliability to the testing and remediation (a term used by HP meaning « finding a remedy » – it does not exist in the French dictionary) of web application security, including applications developed with Web 2.0 technologies.

HP Software-as-a-Service (SaaS) Project Services for Application Security Center lets companies quickly implement their application security initiatives through a complete solution maintained and administered by HP.

HP's new offerings let CIOs prioritize threats according to their business objectives. This approach makes it possible to concentrate often limited resources on protecting the most important assets and data. For example, an organization can identify the applications involved in processing payment card transactions and concentrate its security efforts there, in order to comply with payment card industry requirements (PCI DSS, for example).

Thus experts supervise the company's whole security process and help analyze the results of security tests. This model helps companies strengthen the security of their information systems by putting them to the test within the existing development, QA and operations processes. Because finding and fixing vulnerabilities early in the design process reduces costs, this model helps companies strengthen the security of their information systems at lower cost, by industrializing security testing across the entire application lifecycle.

HP WebInspect 8.0 and HP Assessment Management Platform 8.0 are based on the same scanning and reporting infrastructure. Both help companies:

• Find and fix vulnerabilities in Web 2.0 applications, with static analysis functions for applications built for the Adobe® Flash platform and dynamic tracking for JavaScript/Ajax applications.

• Implement automated scans that, until now, could only be performed manually. This applies in particular to in-depth tracking of Java™ Model-View-Controller applications

• Save time thanks to many automation functions that allow faster test configuration, and ready-to-use reporting functions

• The new HP SaaS Project Services for Application Security Center offering helps companies quickly start using HP Application Security Center, on demand.



Preview: new versions of Quality Center and QuickTest Pro V 10.00!

5 02 2009

I attended the presentations of the new versions of Quality Center (QC) and QuickTest Pro (QTP), version 10.00, at HP in Issy-les-Moulineaux (near Paris, France) on a rainy morning. And so, while the TGV (the French high-speed train) brings me back, I am typing this article to share with you the information HP provided in their basement…
The program of the event was:

  • New QC 10.00
  • New BPT 10.00
  • New QTP 10.00
  • Pricing method (the licensing policy – a topic not covered here)
  • Demos

(Does the use of the number 10.00 warn that there will be many patches and that we should expect a version 10.94? Only time will tell.)
HP stated that all the information presented is subject to change and might not be included in the 10.00 versions in February. Still, I would bet that it will be. HP's warning is probably there for legal reasons only.
I will not address Business Process Testing (BPT) in this article for now, because it is uncommon among French customers and above all reflects HP's wish to sell the full package (the first wish of any software publisher, after all).

Quality Center (QC) 10.00:
For what Quality Center is, I refer you to my articles on test repository / test management tools, as well as those on QC. The release is scheduled for 31 January 09, and three packs will be distributed:

  • QC Starter Edition: designed for a team of five on a single project
  • QC Enterprise Edition: equivalent of the current QC 9.2 (TestDirector for Quality Center)
  • QC Premier Edition: designed for a team with advanced needs such as multi-project, a high-availability platform supporting QC, etc.

I will only detail the Enterprise / Premier Editions of QC here, because that is where the real changes and new features are.
Modules present in QC Enterprise / Premier Edition:

  • Requirements management
  • Test plan
  • Test lab
  • Risk-based testing
  • Release management
  • Defect management
  • QA Lab Manager

HP's punchy opening line was « Mastering the chaos of requirement, test and component versions »! Rather ambitious and punchy, but let's look at the new features (grouped by topic below).

Reporting:
Centralized, unlike the current dashboard (9.2)

  • New module replacing the dashboard
  • Centralized reporting
  • All panels are centralized in the module
  • Creation of public and private views
  • Multi-project reports possible
  • Think of this version of reporting as V1 of the old dashboard module, finally completed.

Ability to define tests more completely:

  • Business and technical risks ==> assigned to a functional area – risk calculation

Versioning: this module is not useful for a small project
Version management of requirements, tests (test sheets, for example) and components:

  • Check-in and check-out
  • Comparison between versions
  • Ability to return to a previous version
  • Can be activated per project through the site administration (a new job for the administrator, then)
  • Versioning must of course be considered before the project starts (part of the best practices dear to CMMI, ITIL and the like)
  • Creation of baselines (a snapshot of a set of project entities), to mark / identify the project's milestones. Example: requirements validated in V1: create a baseline. It also lets you freeze a test configuration and associate it with a test campaign.
  • Guarantees that the correct version is run for a given test campaign
  • Comparison of baselines possible ==> identifies the elements that have changed

QC Requirements Management:

  • It is meant as a direct competitor to tools like Doors, Req Pro and Caliber
  • HP cites a 2008 Forrester report noting that HP's new requirements management module ranks first, ahead of all the others. Hmm… I find this kind of conclusion premature, since the version only comes out in February and results can only be obtained after a few months of intensive use at real customers. Something to watch, then.

Other: templates:

  • It is now (finally?) possible to define a project template and, above all, to use and share it across many projects. The key point is the ability to update the template and distribute the update to every project that implements it. Note that in the current 9.2 version this is only possible through each customer's in-house development.
  • Ability to set up and maintain templates centrally
  • « Automatic » distribution of updates
  • Template maintenance by administrators
  • Note that this feature also ties in with the best practices advocated by CMMI and ITIL

Functional testing:

  • Released January 31
  • WinRunner is no longer included in this pack

Contained in the Functional Testing pack:

  • QTP resource management:
  • Versioning
  • Comparison tool

QuickTest Pro (QTP) 10.00:
Better reporting

  • Local system monitoring: this module lets you monitor execution at certain points while scripts RUN. Specifically, you can identify at which point, following which script action, a problem occurs. For example, a CPU load spike generated by a QTP script action. This will help strengthen the links and interactions between the test teams and those in charge of performance testing. Note that many customers had implemented this function through in-house development. They will appreciate it.
  • Improvements to the various GUIs:
  • Task management tool (TODO list)
  • Scripting support
  • Export of reports to DOC and PDF format
  • Ability to attach screenshots
  • Direct access to the script from the QTP report
  • Ability to compare two versions of a script easily

My overall impression is that QTP is turning into a CASE tool (Computer-Aided Software Engineering, or AGL, Atelier de Génie Logiciel, for French readers), but test-oriented. What I mean is that HP has added many features to script better and, more generally, to help the developers of QTP scripts. I find that beneficial for all script writers. Let's not draw hasty conclusions, and wait for the first feedback from someone other than HP. Finally, the synergy and links between QTP and QC also seem strengthened.

What about migration?
To migrate your versions to 10.00 you must already be on version 9.0 (patch 26) and QC 9.2 (patch 12). Migration from versions older than these is not possible.
An upgrade tool is available on the HP site to help you with the migration. But be careful: if it works as it did the previous times, you will need testing experts to help you, because HP's migration tool does not work miracles and requires human intervention.
One last thing about migration: if you move to QC 10.00 you must also move to QTP 10.00.

WinRunner:
Let us gather around the body of this exhausted test automation tool that was a forerunner in our industry. It has earned a well-deserved retirement. Rest in peace, WinRunner, and thank you for everything.

  • It is no longer distributed with the Functional Testing pack
  • End 2009: end of development and patches
  • End 2011: the end

Goodies and « petits fours » (small cakes served at corporate events in France):
And the goodies HP offered to reward our time and attention? Well, we got a pink plastic pen, a few blank sheets with HP letterhead… and a book in English on testing!
It is called « Optimize Quality for Business Outcomes – a practical approach to software testing », in its third edition. This is the first time I have heard of this book on testing. Below I list the main chapters:
1. What is the big deal about testing?
2. Testing the business requirements: start at the root of the problem
3. Test rules: build the backbone for effective testing
4. Test cases: let’s get down to the real stuff
5. Test optimization: balancing risk and effort
6. Why bother with non-functional testing?
7. Application security testing: the next frontier
8. Test sourcing: how outsourcing improves cost effective testing
9. Successful goal-driven approach KPI
10. Getting started: putting it all together
11. Appendix A – Common test techniques
12. Appendix B – HP application quality management solutions introduction and overview
13. Appendix C – Verification
14. Appendix D – Naming conventions

I will try to read this book quickly and will give my opinion soon.

And then?
Ultimately, HP's strategy is to play the all-in-one software publisher in order to expand its functional scope and its turnover. That is healthy and can give end users a better service, and service companies can expand their offerings (with greater added value than today).
However, HP blithely steps on the toes of many competitors / software publishers. Publishers of requirements management and configuration / version management tools will inevitably see their market share eroded inexorably by HP. As inexorable as desertification in Africa? Not quite, because if we take the example of requirements management software publishers, their dedicated products will remain more complete than HP's. It remains to be seen what choices HP makes in this area, and above all to test them in real life!





Training and courses on testing

27 09 2008

In this article you will find the list of courses and training available in France and abroad. Of course, I do not list the training delivered by IT services companies (SSII):

France:
Bretagne – CNAM
Paris – CNAM – 1
Paris – CNAM – 2
Paris – Learning Tree
France – State distance learning

FITEC: a professional training organization offering a 25- to 40-day course on qualification / testing (process, project, methods, HP Mercury tools: QC / QTP / DASHBOARD (with HP Mercury trainers for that part)). It is a recognized training in testing, supported by many IT services companies (Criteres Testing, All4test, Steria, Alten, Dalysis, Systest, etc.) through DIF or even through ASSEDIC.

My opinion: I have onboarded many staff coming out of this course, and it is indeed comprehensive; most aspects of testing activities are covered.