Software Security Test Best Practices
Top Stories
- Tip, 29 Oct 2021
Follow these database testing basics for better data
Data is typically a company's most valuable asset. It should be treated as such, with vigorous, almost constant testing, regardless of where it lives.
- Answer, 02 Jul 2020
Software performance testing requirements and prerequisites
Just because software passes functional tests doesn't mean it works. Dig into stress, load, endurance and other performance tests, and their prerequisites and requirements.
- News, 01 Nov 2019
Atlassian CISO Adrian Ludwig shares DevOps security outlook
Atlassian's CISO believes that eventually, application security mechanisms will be absorbed completely into Agile and DevOps tools -- including his own company's products.
- Tip, 30 Sep 2019
Implement a DevSecOps pipeline to boost releases' security posture
Break security out of its silo, and get the whole team on board to create a culture of quality with the right tools at the right time -- and stop blindly rushing to release.
- Podcast, 26 Sep 2019
Why DevOps underscores the importance of software testing
There's no debating the importance of software testing. But QA should be everyone's responsibility. In this podcast, learn how to follow a team-wide approach to quality.
- Tip, 26 Mar 2019
Secure open source components to bypass breaches
As enterprises increasingly turn to open source code to cut development effort and cost, IT industry vendors recommend that they secure dependencies and deploy patches to safeguard apps.
- Tip, 13 Mar 2019
How to implement a winning interoperability testing strategy
From security to data transfers, network complexity and testing environments, development teams have a lot to address to perform effective interoperability tests.
- Photo Story, 12 Dec 2018
5 software development trends propel innovation in 2019
Get ready to jettison your comfort zone and dive into shift-right testing, IoT development and other emerging skill and coverage areas for software developers and testers.
- Feature, 12 Oct 2018
Make your pitch for chaos engineering practices
Is your QA team ready for chaos engineering? Find out how to prep staff for resilience engineering and why you should avoid that 'chaotic' name altogether.
- News, 14 Sep 2018
Mature DevSecOps orgs refine developer security skills training
Some advanced organizations tackle DevSecOps with automated security for CI/CD pipelines and infrastructure, and will complete the picture with developer security skills training.
- Answer, 30 Aug 2018
What are the top software testing methodologies?
Whether you want to discover new software testing methodologies or rejuvenate test cases, QA is all about efficiency. Evaluate these testing techniques and strategies to meet QA goals.
- Feature, 04 Jun 2018
OSS security requires DIY scrutiny, not trusting 'many eyes'
How many ways can hackers exploit the security flaws in open source? Cybersecurity experts count the ways and the approaches that can prevent costly security breaches.
- Feature, 21 May 2018
Amp up OSS security with these steps
A test vendor's CTO describes the OSS security mistakes that enterprises make, such as not patching vulnerabilities or keeping an inaccurate inventory of dependencies.
- Feature, 15 May 2018
10 important automated testing best practices to implement
QA and test pros give advice on how to craft software test automation strategies that can speed app deployment. They also share their criteria for choosing automated test tools.
- Answer, 26 Apr 2018
Automated security testing frees devs to prevent breaches
Common software security mistakes include testing at the last minute and not testing open source code and VMs. Expert Matt Heusser suggests ways to avoid these and other missteps.
- News, 18 Apr 2018
Failure to secure open source code spurs DevSecOps boom
A survey of over 2,000 IT pros shows that fear of data breaches is increasing investments in DevSecOps tools, particularly automated security tools and oversight of open source software.
- Feature, 15 Mar 2016
Microsoft TFS is here for your QA and test management needs
Microsoft TFS offers organizations test management software, which integrates with Visual Studio to help improve communication while building software.
- Feature, 15 Mar 2016
Clover: A code coverage tool that provides meaningful metrics
For organizations looking to augment their software quality assurance testing process, look no further than Atlassian's code coverage tool, Clover.
- Answer, 05 Feb 2015
Does a tester actually need test cases?
Discover whether or not test cases are necessary in this expert answer by consultant Robin Goldsmith.
- Tip, 19 Nov 2014
Five tools to improve embedded software testing efforts
Embedded software testing tools are useful for catching defects during unit, integration and system testing. Here are five such tools that can make testing easier.
- Video, 08 Mar 2013
What's ailing enterprise software security management?
Enterprise application security testing means not only finding security vulnerabilities, but tracking them down and putting an end to them.
- News, 19 Feb 2013
Top ten mobile application threats to enterprise security
Check out the top ten threats presented by enterprise mobile applications, according to the OWASP Mobile Security Project.
- Tip, 30 Mar 2012
Security testing for unvalidated redirects and forwards
Security expert John Overbaugh gives security testers the information they need in order to ensure the Web application code that they're responsible for is protected.
- Tip, 31 Mar 2011
Application security: Protecting application availability, data confidentiality and integrity
Network security and application security are both important in keeping your applications safe from hackers. In this tip, security engineer John Overbaugh focuses on application security, which is needed to protect the confidentiality, availability and integrity of your application and its data. Learn more about the various areas of security that need to be considered when designing secure applications.
- Tip, 09 Feb 2010
Why use POST vs. GET to keep applications secure
Although POST and GET HTTP requests essentially perform the same command on a Web server, a security expert says there are inherent dangers in using one over the other. Learn why one type of request provides more security for your Web application in this expert tip.
- News, 02 Dec 2009
Using firewalls for software testing: Pros and cons
What are the pros and cons of network firewalls? A software expert chimes in on how firewalls protect valued data and deter unwanted people from gaining access to applications.
- News, 03 Nov 2009
Web application security best practices: Tips on implementation
In this video, Hugh Thompson, founder of People Security, discusses Web application security best practices and strategies.
- News, 30 Sep 2009
SMS attacks against BlackBerry certificate-handling flaw possible
Research In Motion (RIM) warns that SMS attacks targeting BlackBerry users could take advantage of a certificate-handling flaw, tricking users into visiting an attack website.
- News, 18 Aug 2009
Hackers caught in Hannaford, Heartland data breaches
A federal grand jury has indicted a Miami man and two Russian hackers for their involvement in an international scheme to steal more than 130 million credit and debit card numbers from five companies. The indictment alleges the men conspired to conduct the largest credit and debit card data breach ever charged in the United States.
- News, 18 Aug 2009
Twitter ban on Marines adds to panic
In a surprisingly draconian move, the United States Marine Corps has decided to ban the use of the social networking sites Facebook, Myspace and Twitter from all USMC-owned computers due to fears of malware and loss of secret data. This is a setback for a generation of citizen soldiers who were raised on this technology and use it to communicate with friends and family back home. The action is an example of paranoia overtaking security decisions when other preventive steps could be taken.
- News, 07 Jul 2009
Adobe ColdFusion websites being compromised
Adobe Systems Inc. is warning users of its ColdFusion application development platform of a vulnerability being actively targeted by attackers to compromise websites. A zero-day vulnerability in the ColdFusion FCKeditor rich text editor enables users to compromise websites and view and edit files, Adobe said in its Adobe Product Security Incident Response Team (PSIRT) blog. The rich text editor is installed with ColdFusion 8 and is also used in earlier versions. A patch is expected to be released next week, Adobe said.
- News, 07 Jul 2009
Attack code targets Microsoft ActiveX zero-day flaw
Security researchers have detected a new drive-by exploit in the wild actively targeting a zero-day vulnerability in an ActiveX component that connects to the Microsoft DirectShow video streaming software. Microsoft issued a security advisory Monday calling the vulnerability in its Video ActiveX Control remotely exploitable with little user interaction when browsing with Internet Explorer. The ActiveX control msvidctl.dll connects to Microsoft DirectShow filters for use in capturing, recording and playing video. The specific control is used by Windows Media Center to build filter graphs for recording and playing television video.
- Tip, 03 Feb 2009
Web application security testing checklist
Testing your Web application's security needs to be taken seriously. The best way to be successful is to prepare in advance and know what to look for. Here's a checklist of essential elements to help you get the most out of your Web application security testing.
- Tip, 18 Dec 2007
How to define the scope of functional security testing
With many internal threats originating from applications, functional security testing is one of the most reliable ways to identify internal security vulnerabilities.
- Tip, 17 Dec 2007
Cracking passwords the Web application way
Don't make the mistake of thinking your Web site is secure just because it uses SSL. If you don't have proper login controls in place, attackers can crack passwords and get into the application.
- Tip, 20 Jun 2007
How to test Web site login security
Input validation is critical for the security of Web sites. Here are techniques you can use to make sure your site isn't vulnerable to SQL injection.
- Tip, 13 Feb 2007
I don't want a Web application security product; I want a solution
The number of Web application security products available is enough to make your head spin. A better option is a total solution that handles all of your Web application security needs, says application security expert Anurag Agarwal.
- News, 02 Mar 2006
Watchfire reports big picture on potential Web flaws
Watchfire has readied a new edition of its security offering, aimed at teams that need to test many Web applications simultaneously.
- News, 13 Feb 2006
Effects of domain hijacking can linger
Malicious hackers who are able to hijack an organization's Web domain may be able to steal traffic from the legitimate Web site long after the domain has been restored to its owner, according to a recent report from the Web Application Security Consortium.
- News, 10 Jan 2006
Digging into the Mercury-Systinet deal
Columnist Phil Wainewright asks "Why did Systinet sell to Mercury?"
- News, 09 Jan 2006
Mercury buys Systinet
Mercury Interactive Corp. has agreed to buy SOA registry vendor Systinet Corp. for $105 million in cash.
- News, 05 Jan 2006
CA gets Wily
Computer Associates today purchased application management vendor Wily Technologies for $375 million in cash.
- News, 10 Oct 2005
Mercury offers change time management
Mercury Interactive will unveil its newest management suite this week, focusing on the change time management that will become a bigger issue as companies create and deploy a greater number of Web services.
- News, 18 Aug 2005
Intel picks up XML networking play
With its acquisition today of Sarvega, chipmaker Intel expands into the realm of XML and Web services performance optimization, adding a portfolio of products designed to accelerate the processing of XML workloads, increase network and XML firewall security, and reduce system management overhead.
- News, 06 Jul 2005
WSDM roadmap laid out in Chicago
At the Global Grid Forum, executives from IBM, Hewlett-Packard and Computer Associates laid out their vision for the Web Services Distributed Management specification. They agreed that WSDM would eventually lead to a point where Web services can be used to access and control enterprise IT management tools, bringing business management and operations into alignment.
- News, 07 Jun 2005
ASG unveils starter kit for metadata management
Allen Systems Group this week unveiled a SOA Starter Kit comprised of a metadata repository that recognizes an array of programming, command, middleware and database management systems, in both legacy and distributed environments.
- News, 07 Jun 2005
Governance bridges management, IT gap
Practical experience of service-oriented design and development is driving one critical requirement to the top of the agenda: the need for strong governance over developers.
- News, 06 Jun 2005
Kenai Systems addresses development time testing
eXamineXT, the latest testing tool from Web services security specialist Kenai Systems, supports 20 different security vulnerability test cases out of the box. With the XT tool, developers can pick a vulnerability from a menu, import the WSDL, and the tests are generated automatically.
- News, 26 May 2005
Smart controls add logical approach to SOA
Logic Library, provider of software development asset tools, this week unveiled Logidex 3.6. The latest release comes with a Smart Controls feature that makes it possible for organizations to govern the production process for reusable components, Web services and other software development assets within an SOA.
- News, 05 May 2005
WSUnit 1.0, Web services testing tool, released
WSUnit 1.0 provides automated and manual testing of Web service consumers and a predictable, repeatable simulation of a Web service that is ideal for unit and integration testing.
- News, 14 Apr 2005
ESB, the missing link for SOA management
While Web services, XML and a growing list of interoperability standards are providing the groundwork for service-oriented architectures (SOAs), the Enterprise Service Bus is emerging as the management layer needed to tie an SOA together, providing a cohesive "virtual view" of everything from legacy systems to Web services.
- News, 13 Apr 2005
WebLayers provides governance for DoD
A Department of Defense (DoD) agency has chosen the WebLayers Center, a product of governance software vendor WebLayers Inc., to provide governance and compliance for its XML, Web services and service-oriented architecture systems. The DoD will use the product to govern distributed UDDI registries to ensure that all published XML artifacts comply with DoD enterprise policies.
- News, 24 Mar 2005
WebLayers unveils SOA governance tool
WebLayers recently unveiled a new tool to help companies effectively govern and ensure interoperability in SOA deployments. WebLayers Center 2.0, which focuses on the design and development process, provides governance policies for auditing and conformance; it also provides active enforcement through an SOA management console.
- News, 23 Mar 2005
Infravio to manage mainframe Web services
Infravio, a provider of Web services management software, allied with mainframe integration vendor GT Software on Monday. A new, integrated product offering will allow customers to use Infravio's Web services management suite to manage GT Software's Ivory mainframe-generated Web services.
- News, 23 Mar 2005
nLayers gives SOAs more InSight
Management appliance vendor nLayers last week announced improvements to its InSight product, including automatic application and infrastructure discovery. The updates to InSight 3.0 take a federated approach to the common configuration management database, allowing it to access system management repositories.
- News, 23 Mar 2005
Web services 'Grind' under load testing
In this tutorial, Jim Alateras examines Grinder, a load test framework for Web services. Using JUnit test cases and test scripts written in the Jython scripting language, he demonstrates how to load test a Web service with Grinder.
- News, 16 Mar 2005
IBM harnesses Web services standard for BPM
IBM is working to align and integrate Common Base Events (CBE) into its business process management capabilities. CBE, a component of the recently ratified Web Services Distributed Management standard, provides a common way of representing log information from different systems to make it easier to locate and isolate a business process problem.
- News, 16 Mar 2005
WebLayers provides SOA governance to developers, CIOs
WebLayers launched its WebLayers Center Version 2.0 on Tuesday. The product suite includes enterprise-wide policy definition, configuration and management. It also features governance capabilities through active dashboards, which provide up-to-date compliance information and impact analysis reports.
- News, 15 Mar 2005
Tracking a SOA's movements
In this article, David Linthicum examines various techniques for logging events and messages exchanged in a service-oriented architecture. He covers simple logging to track information flows as well as more sophisticated techniques such as message warehousing, which can track the state of long-term, durable business transactions.
- News, 10 Mar 2005
OASIS standardizes Web services management
OASIS on Wednesday approved the Web Services Distributed Management (WSDM) specification as a standard. WSDM enables management applications to be built using Web services, allowing resources to be controlled by many managers through a single interface.
- News, 22 Feb 2005
SOA management market to reach $200 million in 2005
Reflecting on the recent results of a SOA management market survey, Phil Wainewright of Loosely Coupled predicts the SOA management market will reach close to $200 million in 2005. The report found that most early SOA production projects have been entrusted to small, specialist firms such as Actional, Amberpoint and Digital Evolution, but it also predicts that BEA, HP and IBM will make a big impact on the SOA management market once they release products in this space.
- News, 15 Jul 2004
Eclipse plans new testing platform
The Eclipse Foundation is expected to announce a project at LinuxWorld to develop an open source tools testing platform, an infrastructure on which test and performance tools can be built. Intel, SAP, Compuware and others are involved.
- News, 24 Feb 2004
New VMware server trims app-testing cycle
Virtual machine vendor VMware's new GSX server stops server sprawl in Linux and Windows shops and has features that cut down application-testing times.
- News, 03 Dec 2003
Simple strategies for securing and monitoring WS
There are some relatively simple steps that organizations can take to secure and monitor most of their Web services. One of the easiest is to set up mutual SSL. However, abuses can still occur, so enterprises also need to deploy a monitoring tool to help them "see" the identity of the clients accessing each of their Web services.
- News, 03 Dec 2003
OASIS approves UBL 1.0 beta for testing
The OASIS standards body has released a test version of the Universal Business Language, which is described as a royalty-free library of XML-based e-business documents. Jon Bosak, head of the OASIS panel working on the draft standard, said that UBL 1.0 "is intended to be the starting point for a standard markup language for basic business documents like purchase orders and invoices."