ISSUE #45 - January 28, 2018
We covered security risks in the last issue, and continue the topic in this one with security testing.
Quality vs security. Some questionable statements there such as “quality is binary – the software either works or it doesn’t”, but good links to resources on weaknesses. Mentions fuzz testing as a useful technique to find security holes.
What it’s like to be a bug hunter in the security space:
Yelp’s public bug bounty program finds some hard-to-find critical security vulnerabilities, while the earlier private program weeded out the common ones:
Automating security acceptance tests in a BDD framework, using OWASP ZAP:
Security patterns in web apps, and a Rails-specific tool called SPACE (Security PAttern CheckEr) that promises to find bugs if the developer defines a lightweight mapping from code to patterns:
DIY pen testing:
The OWASP Mobile Security Testing Guide defines itself as a comprehensive manual and certainly is one, with sections on general code quality and cryptography in mobile apps, common attacks, memory corruption bugs, auth architectures, network communication testing, and specifics of Android and iOS. It is, in a word, amazing, well maintained and current.
If you need to test HTTPS clients implementing the common TLS encryption protocol, Yelp gives you the tlspretense-service tool, and Netflix open-sourced bettertls, which specifically targets name constraints for HTTPS clients:
Security Monkey is another tool from Netflix; this one monitors AWS changes and alerts on security problems, and has also been released for Google Cloud Platform:
An interesting take on the limitations of Chaos Engineering: