QASec.com - Software Security Testing in Quality Assurance and Development

Site Updates/What's New

The site is now live! This site is a work in progress and I'm essentially going to add new sections/documents to this site monthly until it's completed. Below is a list of the latest changes to the site.

Changes By Date:
* The business case for security frameworks (4/23/07)
* Using Fuzzers in Software Testing (2/2/07)
* Writing Security Test Cases (1/5/07)
* Identifying Risks in the Development Cycle (10/18/06)

Input

This section discusses how to identify application input, and the vulnerabilities associated with specific types of input through negative testing. Things such as Buffer Overflows, Format String Vulnerabilities, and SQL Injection are discussed.

Output

This section discusses how to identify application output, and the vulnerabilities associated with specific types of output through negative testing. Topics such as Cross Site Scripting are discussed.

Runtime Execution

This section discusses common problems encountered while the application is executing. Things such as race conditions, and privilege escalation are discussed.

Secure Deployment

This section discusses how to securely configure your web server, application server, and database server to ensure that your secure applications are deployed correctly. Deploying an app incorrectly can cause new security issues to arise that may not have been tested for during the QA cycle.

About QASec.com

Welcome to QASec.com! Besides traditional testing (checking for errors, seeing if the product conforms to the specified requirements, and seeing that it 'just works'), it's important to build security testing into the QA cycle to eliminate potential vulnerabilities before the product goes into production. By identifying and classifying the risks of these security 'bugs', you can reduce the cost of repairing them, as well as reduce public exposure to them.

I've created this site for other Software Testers to read up on how to implement security checking into their cycle. Most of the material that you'll see comes from the Penetration Testing world (Post Production Security Review), although it has a unique spin to relate this to professional software testers. As someone who has performed both duties, it is easy to see just how alike Penetration testers, Quality Assurance Engineers, and hackers are in the way they implement 'testing' of an application. All site articles are meant to be short and to the point.