The document discusses software quality assurance (QA) and cyber security, defining key concepts and processes involved in QA, such as quality control and various testing methodologies. It elaborates on types of malware including viruses, ransomware, and spyware, and outlines the tactics cyber attackers use to infiltrate systems. Additionally, it emphasizes the importance of security measures against cyber threats and introduces frameworks for assessing vulnerabilities.
What is Quality Assurance?
What is quality? Who are we? Why are we doing it?
• IEEE Glossary: the degree to which a system, component or process meets specified requirements and customer or user needs or expectations.
• ISO definition: the totality of features and characteristics of a product or service that bear on its ability to satisfy specified or implied needs.
• "Set of systematic activities providing evidence of the ability of the software process to produce a software product that is fit to use" (G. Schulmeyer and J. McManus, Software Quality Handbook, Prentice Hall, 1998).
Quality Assurance
• Quality assurance activities are work-process oriented.
• They measure the process, identify deficiencies, and suggest improvements.
• The direct results of these activities are changes to the process.
• These changes can range from better compliance with the existing process to entirely new processes.
• The output of quality control activities is often the input to quality assurance activities.
• Audits are an example of a QA activity: they look at whether and how the process is being followed. The end result may be suggested improvements or better compliance with the process.
Quality Control
• Quality control activities are work-product oriented.
• They measure the product, identify deficiencies, and suggest improvements.
• The direct results of these activities are changes to the product.
• These can range from single-line code changes to completely reworking a product from the design stage.
• Testing and reviews are examples of QC activities, since they usually result in changes to the product, not the process.
• QC activities are often the starting point for quality assurance (QA) activities.
A Formal SQA Process
Development Phase → Pre-QA Phase (Sanity Test) → QA Phase (Smoke Test) → Bug Submission → Re-Test Phase → Integration Test → Regression Test → Alpha Test → Beta Test → Release
Malware and its types
Malware is software written specifically to harm and infect the host system. Malware includes viruses along with other types of software such as trojan horses, worms, spyware, and adware. Advanced malware such as ransomware is used to commit financial fraud and extort money from computer users.
Virus
A virus is a specific type of malware. It is a contagious piece of code that infects other software on the host system and spreads itself once it is run. It is mostly known to spread when software is shared between computers, and in this respect it behaves much like a parasite.
Adware
Adware is also known as advertising-supported software. It is software that renders advertisements for the purpose of generating revenue for its author. The advertisements are published on the screen presented to the user at the time of installation. Adware is programmed to examine which Internet sites the user visits frequently and to present related advertisements. Not all adware has malicious intent, but it becomes a problem anyway because it harms computer performance and can be annoying.
Spyware
This type of malicious software spies on you and tracks your Internet activities. It helps the attacker gather information about the victim's system without the victim's consent. Spyware's presence is typically hidden from the host and it is very difficult to detect. Some spyware, such as keyloggers, may be installed intentionally in an organization to monitor the activities of employees.
Worms
This type of malware replicates itself and destroys information and files saved on the host PC. It works to consume all the operating system files and data files on a drive.
Trojan
Trojans are a type of virus designed to make users think they are a safe program and run them. They may be programmed to steal personal and financial information, and later take over the resources of the host computer's system files. In large systems, a trojan may attempt to make a host system or network resource unavailable to those trying to reach it. Example: your business network becoming unavailable.
Ransomware
Ransomware is an advanced type of malware that restricts access to the computer system until the user pays a fee. Your screen might show a pop-up warning that you have been locked out of your computer and that you can regain access only after paying the cybercriminal. The cybercriminal demands that a ransom be paid in order for the restriction to be removed. The infamous CryptoLocker is one type of ransomware.
A Breach – Attack View (Example)
1. Attacker scans and attempts exploitation, but fails
2. Attacker utilizes social engineering against a selected population
3. Victim(s) fall for the ruse, allowing the attacker to enter the environment
4. Attacker leverages user/system access to spread to other systems
5. Attacker consolidates loot (data, passwords, bank access, etc.)
6. Attacker sends data back out of the environment
OWASP Top 10 Checklist for web development
A1:2017 – Injection
A2:2017 – Broken Authentication
A3:2017 – Sensitive Data Exposure
A4:2017 – XML External Entities (XXE)
A5:2017 – Broken Access Control
A6:2017 – Security Misconfiguration
A7:2017 – Cross-Site Scripting (XSS)
A8:2017 – Insecure Deserialization
A9:2017 – Using Components with Known Vulnerabilities
A10:2017 – Insufficient Logging & Monitoring
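As an added illustration of the first item on the checklist (A1:2017 – Injection), not part of the original deck, the example below places a lookup that concatenates user input into SQL beside the parameterized form a QC review would require. It uses an in-memory SQLite table with constructed sample rows so it runs offline.

```python
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """A1:2017 defect: untrusted input is spliced into the SQL text, so any
    quote or operator in the input becomes part of the query's syntax."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened form: a bound parameter keeps the input as data; the driver
    never interprets it as SQL, so a quote in the input matches only a
    literal quote in the stored value."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Return (vulnerable_result, safe_result) for one input, so a test or a
    code review can see the two behaviours side by side."""
    conn = make_db()
    return lookup_vulnerable(conn, username), lookup_safe(conn, username)


if __name__ == "__main__":
    # The classic tautology payload turns the WHERE clause into
    # "username = '' OR '1'='1'" in the vulnerable query; the safe query
    # looks for a user literally named that string and finds nothing.
    print(compare("bob"))
    print(compare("' OR '1'='1"))
```

The review check this encodes is simple: any query text built with string concatenation or formatting from request data is an A1 finding regardless of what the input currently looks like.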