What does the V-Model map?
Each dev phase maps to testing phase.
Requirement gathering - Acceptance testing
System Analysis - System testing
Software Design - Integration testing
Module design - Unit testing
Coding at base of V
What method is most suitable for V-model?
Waterfall
Why do modern (Agile/DevOps) teams test more often than the V-model suggests?
They test continuously and iteratively, not only at the end
What is an AppSec Program?
A set of ongoing related activities with a long-term security goal
Name 4 typical activities in a mature AppSec program
Threat modelling on every design
Security review of pull requests
Security checks in the pipeline
AppSec team verifies Secure SDLC practices
What does SCA stand for and what risks does it manage?
Software Composition Analysis – manages security, license compliance and quality risks from third-party/open-source components
Static program analysis
Performed without executing programs (white-box)
Static program analysis: Advantages
Knows internals
Scan entire code
Early detection
Allow quick turnaround for fixes in exact locations in the code
Static program analysis: Disadvantages
Misses runtime issues
Language specific
Must know about implementation details and internals
Dynamic program analysis
Executes the system (black-box)
Dynamic program analysis: Advantages
No need to know about implementation details or programming
Catches more errors via execution
Monitors data flow, e.g. leaks
Dynamic program analysis: Disadvantages
Must understand software requirements and complexity (to derive good scenarios)
Does not cover all cases
Acceptance Testing
Test whether implemented features match requirements
Integration Testing
Test modules run together
Unit Testing
Test individual pieces of the code for common defects
Fuzz Testing (fuzzing)
Invalid/random inputs to simulate attacks
Static Application Security Testing (SAST)
Analyses source code without running it. Looks for flaws compromising security and implements fixes and patches in code.
What does SAST detect?
User data flow
Dead code
Hardcoded passwords
Data leak on exceptions
What is SAST process?
Iterates code statically
Checks for issues with built-in checklist
Syntax/convention checks
Problem and solution to this software development good practice: ‘write code alongside tests’
Problem: Might only test the safest path, one that will never fail
Solution: Get someone else to write the tests for your code
Structure of unit testing
Done in isolation - separate test folder. One test per method/scenario
What does unit testing require?
Modular code (break problems into units)
Test Driven Development (TDD)
Start with failing tests, code until they pass, which helps improve design
Unit Testing: Advantage
Find bugs
Supports all languages
Professional
Aids refactoring/integration
Documentation