With Security, sometimes sacrifices need to be made.

Static Code Analysis for the Enterprise

Tonight I gave a presentation to the local chapter of ISSA concerning Static Code Analysis (SCA) in an Enterprise environment.  The Static Code Analysis for the Enterprise presentation is not about how to technically perform SCA but rather what considerations need to be met in order to successfully accomplish building and maintaining a SCA program in […]

High Volume Automated Testing in Security Testing

Yesterday I gave a presentation at the Workshop on Teaching Software Testing 2013 focusing on High Volume Automated Testing.  The goal was to introduce some of the test techniques (and terminology) which are used in security testing to the practitioners and educators involved in software testing.  The following was cross posted on the WTST website. […]

SQLi and Requirements Traceability (FISMA)

An important but often tedious part of completing a security testing engagement is writing the report.  When compiling the report, assembling and assigning traceability between identified vulnerabilities or weaknesses and security controls/requirements can be difficult to perform consistently. This will be the first in a series of posts on assisting in maintaining traceability between identified […]

News Flash! Testers Say More Testing is Needed.

There are two organizations which have provided me with formalized training to perform security testing; initially it was through the SANS Institute where I completed a number of their classes and passed a number of certifications and then more recently through the Black Box Software Testing (BBST) course from the Florida Institute of Technology with […]

Spacecoast ISSA Meeting Presentation on SQLi

Earlier this month I provided a presentation on SQL Injection to the Spacecoast chapter of ISSA.  The slides are SQL Injection (SQLi) v2 and the corresponding MindMap is SQLi MindMap. It covers the definitions/types of SQLi, the source of SQLi, evasion techniques, manual test techniques, computer assisted testing (e.g. sqlmap), and lastly the presentation covers […]