Agile Security Threat Modeling

In Agile, XP and DevOps development environments, many organizations ignore or deprioritize security testing until security bugs are found by an attacker or by a professional security expert. My aim is to shed light on the “Agile Security Threat Model”, which helps teams move fast on security testing early in development, saves money that would otherwise be spent on late security testing, and helps build a safe application for the end users.


Step 1: Identify the known threats in the system (infrastructure, entry points, endpoints).
Investigate your DFDs, UML diagrams, entry points and APIs, and mark the privilege boundaries: a privilege boundary separates processes, entities, nodes and other elements that have different trust levels.

Step 2: Rank / categorize the threats in order of decreasing risk.
Rank / categorize your security bugs using the STRIDE categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

Step 3: Understand the threats and develop a response strategy.
Build your response strategy: improve the code / programming, and improve the security of the infrastructure, entry points and endpoints.

Step 4: Identify and implement techniques to mitigate the threats.
Implement the solutions: secure coding / programming standards, and security standards for the infrastructure, entry points and endpoints.

Step 5: Test
Test your application: try to hack your application like a “Bad Boy”.
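The five steps above can be kept as a living threat register in the repository so the backlog always carries the ranked threats and their mitigations. The following is an added example, not code from the original post: a minimal STRIDE-style register that enumerates entry points with their trust levels (Step 1), categorizes each threat (Step 2), ranks them by a constructed likelihood × impact score in decreasing order (Step 2), and maps each to a default response (Steps 3 and 4). All entry points, threats, scores and mitigation texts are constructed for illustration.

```python
"""Added example: a small STRIDE threat register implementing Steps 1-4.
Entry points, threats, scores and mitigations below are constructed, not real."""
from dataclasses import dataclass, field
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DOS = "Denial of service"
    EOP = "Elevation of privilege"


# Steps 3/4: default response strategy per STRIDE category (constructed for the example).
MITIGATIONS = {
    Stride.SPOOFING: "strong authentication (MFA, signed session tokens)",
    Stride.TAMPERING: "integrity checks, input validation, signed payloads",
    Stride.REPUDIATION: "tamper-evident audit logging",
    Stride.INFO_DISCLOSURE: "encryption in transit/at rest, least-privilege data access",
    Stride.DOS: "rate limiting, quotas, bounded resource use",
    Stride.EOP: "authorization check on every request, least privilege",
}


@dataclass
class EntryPoint:
    """Step 1: something callers reach across a privilege boundary."""
    name: str
    trust_level: int        # 0 = anonymous internet caller, higher = more trusted
    crosses_boundary: bool  # True when callers sit on the other side of a privilege boundary


@dataclass
class Threat:
    entry: EntryPoint
    category: Stride
    description: str
    likelihood: int  # 1..5, constructed scale
    impact: int      # 1..5, constructed scale
    risk: int = field(init=False)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        self.risk = self.likelihood * self.impact

    @property
    def mitigation(self) -> str:
        return MITIGATIONS[self.category]


def boundary_entry_points(entries):
    """Step 1: only entry points that cross a trust boundary need to be modelled."""
    return [e for e in entries if e.crosses_boundary]


def rank_threats(threats):
    """Step 2: decreasing risk; on equal risk, the less-trusted entry point comes first."""
    return sorted(threats, key=lambda t: (t.risk, -t.entry.trust_level), reverse=True)


def response_plan(threats):
    """Steps 3 and 4: ranked threats with their mitigation, ready for the sprint backlog."""
    return [
        {"rank": i + 1, "entry": t.entry.name, "category": t.category.value,
         "risk": t.risk, "mitigation": t.mitigation}
        for i, t in enumerate(rank_threats(threats))
    ]


# Constructed sample system: a login endpoint, an admin API and an internal job.
LOGIN = EntryPoint("POST /login", trust_level=0, crosses_boundary=True)
ADMIN_API = EntryPoint("POST /admin/users", trust_level=2, crosses_boundary=True)
CRON = EntryPoint("nightly report job", trust_level=4, crosses_boundary=False)

EXAMPLE_THREATS = [
    Threat(LOGIN, Stride.DOS, "login flood exhausts the worker pool", likelihood=3, impact=3),
    Threat(LOGIN, Stride.SPOOFING, "credential stuffing against /login", likelihood=4, impact=4),
    Threat(ADMIN_API, Stride.EOP, "missing role check on admin API", likelihood=2, impact=5),
    Threat(CRON, Stride.INFO_DISCLOSURE, "report written world-readable", likelihood=2, impact=4),
]

if __name__ == "__main__":
    for row in response_plan(EXAMPLE_THREATS):
        print(f"{row['rank']}. [{row['risk']:2d}] {row['entry']}: {row['category']} -> {row['mitigation']}")
```

Each row of the plan is one backlog item; re-running the script after a sprint shows which top-ranked threats still lack a mitigation, which is what keeps the model "agile" rather than a one-off document.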

Different types of software testing – “Go back to school”

Functional testing
Functional testing is one of the main types of program verification. Its purpose is to verify that the application does what it is supposed to do. The functions of the system are usually described in the technical specification as requirements or user scenarios (use cases). Test scenarios (test cases) and checklists are developed from the specification. Priorities are then assigned according to the test strategy, and the test scenarios, sorted by priority and execution time, are combined into a test plan.

Exploratory testing
Exploratory testing (ad hoc testing) is a subspecies of functional testing. It is used in growing projects with agile development, where there is no clear documentation and no formal requirements. Exploratory testing is the “top-gun” discipline of software testing: good results require highly qualified professionals, and quality depends almost entirely on the tester, their experience, their knowledge (of both the subject area and testing methodology), and their ability to quickly get to the essence of the system.

Load testing
Load testing is the process of analyzing the performance of the system under test while it is under load. Its purpose is to determine the application's ability to withstand external load. Tests are typically carried out in several stages.

1. Generate test scenarios

For effective analysis, the scenarios should be as close as possible to real usage scenarios. It is important to understand that exceptions are always possible, and even the most detailed test plan may not cover every individual case.

2. Develop the test bed

With the test cases in hand, it is important to apply the load in ascending order. For the analysis, the evaluation criteria must be defined (response speed, query time, etc.).

3. Conduct the tests

It is important to run the scenarios and record the response of the system under test promptly. Simulating high load requires substantial hardware and software infrastructure. In some cases, mathematical modeling is applied to reduce the cost of the work: data obtained at low load is taken as a basis and extrapolated. The higher the simulated load, the lower the accuracy of the estimate; however, this method significantly reduces costs.

Test Automation
The main feature of automated testing is the ability to run regression tests rapidly. The main advantages of automation (according to a Worksoft report) are increased staff efficiency, earlier detection of defects and higher-quality business processes. These advantages are offset by a significant drawback: cost. Because implementing and supporting test automation is expensive, about 50% of companies still rely mostly on manual testing.

Usability Testing
Any application is created in order to be used. Ease of use is an important indicator of the quality of a program; the IT industry is full of examples of projects that took off after a successful usability fix. The wider the audience, the more important usability becomes. Usability testing includes a detailed analysis of user behavior. To assess ergonomics it is important to have data not only on how quickly users complete business tasks, but also on the user's emotions, facial expressions and tone of voice.

Configuration testing
Configuration testing gives confidence that the application will work on different platforms, and therefore for the maximum number of users. For web applications this usually means cross-browser testing; for Windows applications, testing on different operating systems and architectures (x86, x64). An important component of configuration testing is the test infrastructure: a fleet of test machines must be constantly maintained, numbering from 5 to several tens.

Integration Testing
If your project has more than one component, it needs integration testing. For an application with a complex architecture, ensuring quality requires checking the interaction between the parts of the program. This is achieved by developing and executing “end-to-end” test cases. Integration testing is performed after component testing, so it is very important to take the experience of component testing into account while keeping the test cases business-oriented.

Stress testing
Any system has a limit of normal functioning. When the limit is exceeded, the system enters a stressed state and its behavior changes significantly. Stress testing checks the application under conditions that exceed its intended normal operation. This is especially important for “critical” programs: banking software, aviation industry software, and medical software. Stress testing is carried out not only during software development but throughout the entire operational life cycle, in order to gather and process data on system behavior over a long period of time.

Software Security Testing

Software security testing is an integrated assessment of vulnerability to attacks of various kinds. This type of testing is fundamentally different from functional, load, regression and other testing. Particular attention is paid to the cases in which the software produces an error, and the consequences of those errors are assessed in terms of protecting information from unauthorized access, hacking and other attacks.

Basic parameters for checking software security

The basic set of parameters covered by security testing are:

  • Access control
  • User authentication
  • Validation of input
  • Reliability of encryption
  • Correct error handling
  • Buffer overflows
  • Server configuration

When testing access control, developers identify defects that could allow unauthorized access to the application. This may involve deliberately triggering errors that are then used to break into the system, attempts to guess a password by external means during account recovery, and more.

Authorization checks help detect defects associated with the authentication of individual users and groups.

Testing data validation ensures that only valid information (for example, well-formed user e-mail addresses) is stored in the database.

Reliability of data encryption is one of the most important parameters of any software used to generate, store and transmit confidential information. During testing you must make sure that the systems that encrypt and decrypt data, and that scan and verify electronic signatures, contain no errors that could lead to the software being cracked.

Verification of the error-handling code takes the findings into account as errors occur. It also examines whether the system discloses unnecessary information when it malfunctions, and the effect of errors on the overall performance of the software.
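Two of the parameters above, input validation and error handling that does not disclose internals, are easiest to see side by side in a single request handler. The following is an added example written for this page, not code from the original article: it validates an e-mail address against a constructed allow-list pattern before storage, returns a specific but harmless message for validation failures, and for unexpected failures returns only a correlation id to the client while the detail goes to the server log. A deliberately leaky variant is included for contrast. The handler, the `BrokenDB` stand-in and its error text are constructed for illustration.

```python
"""Added example: input validation plus non-disclosing error handling.
The e-mail pattern, the handlers and the failing database are constructed."""
import logging
import re
import uuid

log = logging.getLogger("app")

# Constructed allow-list pattern: bounded local part, one '@', dotted domain with a TLD.
# It keeps junk out of the database; it is not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
MAX_EMAIL_LEN = 254


class ValidationError(ValueError):
    """Raised for caller mistakes; its message is safe to show to the client."""


def validate_email(value):
    """Reject anything that is not a plausible address before it reaches storage."""
    if not isinstance(value, str):
        raise ValidationError("email must be a string")
    value = value.strip()
    if len(value) > MAX_EMAIL_LEN or not EMAIL_RE.fullmatch(value):
        raise ValidationError("email is not well formed")
    return value.lower()


def save_user(db, email):
    """Storage stand-in: any dict-like object works, including the broken one below."""
    db[email] = {"email": email}


def handle_register(db, request):
    """Return (status, body). Validation errors are specific; everything else is opaque."""
    try:
        email = validate_email(request.get("email"))
        save_user(db, email)
        return 201, {"ok": True, "email": email}
    except ValidationError as e:
        return 400, {"ok": False, "error": str(e)}
    except Exception:
        incident_id = uuid.uuid4().hex[:12]
        # Full traceback stays server-side; the client only gets the id to quote to support.
        log.exception("registration failed, incident %s", incident_id)
        return 500, {"ok": False, "error": "internal error", "incident": incident_id}


def handle_register_leaky(db, request):
    """The anti-pattern: raw exception text (paths, SQL, table names) reaches the client."""
    try:
        email = validate_email(request.get("email"))
        save_user(db, email)
        return 201, {"ok": True, "email": email}
    except Exception as e:
        return 500, {"ok": False, "error": str(e)}


class BrokenDB(dict):
    """Constructed failing storage whose error text resembles an internal DB message."""
    def __setitem__(self, key, value):
        raise RuntimeError('relation "users" does not exist (at /srv/app/db.py:17)')


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_register({}, {"email": " Alice@Example.com "}))
    print(handle_register({}, {"email": "not-an-email"}))
    print(handle_register(BrokenDB(), {"email": "bob@example.org"}))
    print(handle_register_leaky(BrokenDB(), {"email": "bob@example.org"}))
```

The test for the "unnecessary disclosure" parameter is the last two calls: the hardened handler's 500 response carries no path or table name, while the leaky one echoes the database's internal message to whoever sent the request.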

A buffer overflow can also expose information. Most programming languages use stack frames, in which program data and control data are mixed on the process stack. By overflowing a buffer, an attacker can hang the program or load machine code that runs on the program's behalf.

The server configuration is checked for faults in multithreaded environments that can lead to data corruption and incorrect use. This is especially true for programs that automate business processes.

Testing Methodology

During security testing, the tester acts as a cracker. Using special software and hardware, they take every measure to:

  • Learn passwords
  • Attack the system using security analysis tools
  • Penetrate the system by entering invalid data and using it to restore access
  • Find the authorization key using unclassified information, and other ways of cracking the software.

Load testing and performance optimization

Load testing of software is performance testing that determines the speed at which the program runs under a given load. As a result, the product's performance is evaluated for compliance with the requirements laid down in the terms of reference (TOR).

Application testing and its specifics

Load tests are most often used for multi-user software products with a “client-server” architecture, but they can also be used for other types of software. Candidates include a CRM system that automates business processes, accounting software that generates reporting documentation from a database spanning several years, or a text editor that handles a large volume of documents.

During testing the software is subjected to various loads, including prolonged and peak loads. Through a series of tests, developers imitate the actions of a certain number of (virtual) users in the program as a whole and in its individual sections.

To evaluate the performance of the software, so-called stress tests may also be carried out, in which the load exceeds the norm. They determine query times under maximum load. The concept of stress testing is often conflated with load testing, but they are two different types of work.

The evaluation criteria are the performance requirements for the software formulated at the development stage. If these requirements were not included in the project documentation, testing is based on estimated average values.

Principles of load testing

Any load testing takes into account the principles set out below:

  • Uniqueness of requests
  • Response time
  • Dependence of response time on the degree of system distribution
  • Spread of response time
  • Fidelity of load profiles

Uniqueness of requests. When formulating scenarios, system developers need to take into account that there are exceptions to any scenario. How the program is used is generally determined from statistics, but even if the majority of users follow a similar path, there will always be people who do otherwise, and their likely requests should also be considered in testing.

Response time. System response time is estimated statistically, using the normal distribution function. From the data obtained, developers determine an approximate time interval.

Dependence of response time on the degree of system distribution. The number of user queries handled by each node, as well as the number of nodes, affects the range of processing time. Each node adds a certain proportion of the processing delay.

Spread of response time. With a large number of time measurements, there are always some requests that require the maximum processing time. This principle is taken into account in the performance requirements and in regular performance tests.

Fidelity of load profiles. Estimating this parameter can be very expensive if the product consists of many components. The more complex the software, the more aspects must be considered when developing and testing it.
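The response-time and spread principles above, together with the ascending-load stage described under load testing, fit in one small harness. The following is an added example written for this page, not code from the original article or from any testing vendor: it applies load in ascending concurrency steps against a local handler, measures each response time, summarizes the results with the normal-distribution estimate (mean and standard deviation), the spread (median, p95 and maximum), and checks them against a constructed performance requirement; the first step that breaks the requirement marks the limit of normal functioning. The handler, load levels and thresholds are all constructed.

```python
"""Added example: ascending load steps with response-time statistics and a
requirement check. The handler, load levels and thresholds are constructed."""
import math
import statistics
import time
from concurrent.futures import ThreadPoolExecutor


def summarize(latencies_ms):
    """Response-time statistics for one load step (input: list of milliseconds)."""
    xs = sorted(latencies_ms)
    n = len(xs)
    mean = statistics.fmean(xs)
    stdev = statistics.pstdev(xs) if n > 1 else 0.0

    def pct(p):
        # Nearest-rank percentile: the ceil(p% of n)-th smallest value.
        return xs[max(0, math.ceil(p / 100 * n) - 1)]

    return {
        "n": n, "mean": mean, "stdev": stdev,
        "p50": pct(50), "p95": pct(95), "max": xs[-1],
        # Interval holding ~95% of requests *if* latencies were normally distributed;
        # comparing it with p95/max shows how far the real tail departs from that model.
        "normal_95": (mean - 1.96 * stdev, mean + 1.96 * stdev),
    }


def check_requirement(stats, max_mean_ms, max_p95_ms):
    """Compare the measured statistics with the requirement from the TOR."""
    failures = []
    if stats["mean"] > max_mean_ms:
        failures.append(f"mean {stats['mean']:.1f}ms > {max_mean_ms}ms")
    if stats["p95"] > max_p95_ms:
        failures.append(f"p95 {stats['p95']:.1f}ms > {max_p95_ms}ms")
    return failures


def run_load_step(handler, concurrency, requests):
    """Send `requests` calls through `concurrency` workers; return latencies in ms."""
    def timed(i):
        t0 = time.perf_counter()
        handler(i)
        return (time.perf_counter() - t0) * 1000.0

    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        return list(pool.map(timed, range(requests)))


def ramp(handler, levels, requests_per_level, max_mean_ms, max_p95_ms):
    """Ascending load. Stops at the first level whose statistics break the requirement;
    that level is the limit of normal functioning that stress testing probes beyond."""
    results = []
    for concurrency in levels:
        stats = summarize(run_load_step(handler, concurrency, requests_per_level))
        failures = check_requirement(stats, max_mean_ms, max_p95_ms)
        results.append({"concurrency": concurrency, "stats": stats, "failures": failures})
        if failures:
            break
    return results


def demo_handler(i):
    """Constructed stand-in for the system under test: a fixed 1 ms of work."""
    time.sleep(0.001)


# Constructed measurements illustrating the 'spread' principle: nine fast requests
# and one slow outlier. The mean passes a 40 ms requirement, the p95 does not.
SAMPLE_MS = [12, 15, 14, 13, 200, 16, 14, 15, 13, 18]

if __name__ == "__main__":
    s = summarize(SAMPLE_MS)
    print(f"mean={s['mean']:.1f} stdev={s['stdev']:.1f} p50={s['p50']} p95={s['p95']} max={s['max']}")
    print("requirement failures:", check_requirement(s, max_mean_ms=40, max_p95_ms=50))
    for step in ramp(demo_handler, [1, 4, 16], 40, max_mean_ms=50, max_p95_ms=100):
        print(step["concurrency"], "workers:", round(step["stats"]["p95"], 1), "ms p95", step["failures"])
```

The constructed sample shows why the requirement has to state a percentile as well as an average: the mean of 33 ms looks healthy, but the single 200 ms request is exactly the "maximum processing time" case the spread principle warns about, and only the p95 check catches it.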

As with other kinds of testing, load testing is carried out using specially designed test cases and scripts. The capabilities of the “Aplana” testing centers allow you to pick an effective solution for problems of any complexity.