In this class, we’ll explore two flexible and powerful tools useful in automated Web security tests: cUrl and Perl. CUrl is a free program that helps us automate basic requests. Perl is a well-known programming language ideally suited for writing scripts that test Web applications. We’ll look at the basics of automating tests in both ways, and also explore some of the more complicated concerns that arise during automation: authentication, session state and parsing responses.

The techniques in this class apply regardless of whether your Web platform is Java EE, .NET or something custom. The techniques are also independent of whether your test platform is Windows, Mac OS X, Linux or Unix. You’ll leave with an understanding of the basics and a long list of resources you can turn to for learning more about Web security test automation.

Software security testing is a key element in your quality assurance strategy for protecting your applications and critical data. Organizations need applications that not only work correctly under normal use but also continue to work acceptably in the face of a malicious attack. Software security testing, which extends beyond basic functional requirements, is a critical part of a secure software development lifecycle. By teaching you how to use security risk information to improve your test strategy and planning, Paco Hope helps you build confidence that attackers cannot turn security risks into security failures. The goal is to teach you to think like an attacker and add test cases for non-functional—and sometimes implied—security requirements. Explore a white-box approach that looks inside your code to help you design your tests. By employing risk-based security testing, you can achieve the most benefits with less effort and avoid downstream security problems and mitigation costs. Paco offers an eye-opening experience for all QA professionals responsible for test strategies, plans, and designs. It will change the way you think about test development.

My all day tutorial is:

Software Security Fundamentals

The key to proactive, effective computer system security is getting a risk management handle on the problem of security inside the software. Created by the experts who literally wrote the book on software security, this interactive session encompasses the software security awareness and best practices you need to achieve a secure and trustworthy environment. Everyone involved in software development requires baseline knowledge of software security problems and risks, along with an overall understanding of approaches for producing secure software. Join me as I define the software security problem and then describe a set of software security principles, touch points, and key concepts that can be integrated into any software development lifecycle. I describe how and why software is exploited and present an overview of architectural risk analysis, security testing, and advanced tools for code review. Learn why software security is everyone’s job, and take back an overview of next steps for adopting a comprehensive software security program.

On Wednesday I'm doing a brief talk:

Static Analysis and Secure Code Reviews

Security threats are becoming increasingly more dangerous to consumers and to your organization. I'll provide the latest on static analysis techniques for finding vulnerabilities and the tools you need for performing white-box secure code reviews. I'll provide guidance on selecting and using source code static analysis and navigation tools. You'll learn why secure code reviews are imperative and how to implement a secure code review process in terms of tasks, tools, and artifacts. In addition to describing the steps in the static analysis process, I'll explain methods for examining threat boundaries, error handling, and other “hot spots” in software. You'll find out about the analysis techniques of Attack Resistance Analysis, Ambiguity Analysis, and Underlying Framework Analysis as ways to expose risk and prioritize remediation of insecure code.

• Why secure code reviews are the right approach for finding security defects
• How to prioritize critical software components for a deep security analysis
• Techniques for source code analysis on high-risk components