DEVELOPER - tasked with fixing cross-site vulnerabilities

Your testers found several cross-site vulnerabilities and you are tasked with fixing them. You are familiar with the term cross-site scripting, but don't know much about it or how to write code that prevents your application from being vulnerable to attack.

Solution:

After gaining a good understanding of what cross-site scripting is, you want to learn how to prevent it:
- conduct another search: "How do I prevent cross-site scripting?"
- the "How to Prevent Cross-Site Scripting in ASP.NET" article offers you more technical and remedial information, including:
  - steps to ensure the vulnerability is fixed properly
  - source code samples to ensure code is implemented securely
  - recommended external resources that have been vetted by our experts
TESTER #1 - looking to provide more helpful bug reports to developers

You understand that security is an issue at your company and want to help improve the situation. More specifically, you want to attach value-added guidance to the bug reports to help your developers fix cross-site vulnerabilities better.

You gained some great baseline knowledge but are now interested in how the hackers do it:
- conduct the same search but apply the "Attacks" filter to narrow down your search to testing techniques
- read the "cross-site scripting attack" article, which offers the following information:
  - the potential impact this vulnerability can have
  - attacks you can conduct that will uncover this vulnerability
  - how to know if your attack was successful

Lastly, you want to attach guidance to your bug report:
- return to the main search page, which persists your previous query
- uncheck "Attack" and check "Implementation" in the Phase pivot
- select the "Question - What is XSS and how do I protect my app from it" article
- apply another filter; this time you are seeking "How to" guidance
- select the "How to Prevent Cross-Site Scripting in ASP.NET" article
- both pieces of information are very useful, so you attach both links to the bug report
TESTER #2 - trying to understand the most critical vulnerabilities out there and looking for a good frame of reference like the OWASP "top ten" list

- browse the various TeamMentor "views" (collections of guidance items that are complementary, but may be difficult to "group" via individual searches)
- select the "OWASP Top Ten" view; each vulnerability in the OWASP top ten is included
- drill further into the specific vulnerabilities that are of most interest to you; in this case, Injection Flaws, because your application is particularly vulnerable to them
- since you develop in Java, you'll want to filter on that technology to get the most relevant guidance
QA - tester that wants to learn more about the security aspects of testing

This is an easy task with TeamMentor's Pivots, which allow users to search on content specific to a technology, phase of the development lifecycle, guidance type, etc.
- select "Test" from the Phase pivot options; this reduces the results to just those that help you as a tester do your job
- all this information is helpful, but you're really looking for implementation guidance rather than general information, so you refine your search to contain only "How To" articles
- you are particularly interested in Buffer Overflows because of the real danger they present, so you click on the "How to test for Buffer Overflow bugs" article, which offers:
  - a step-by-step progression of how to test for this type of vulnerability
  - in-depth examples and code samples
  - internal and external resources
DEVELOPMENT MANAGER - wanting a centralized, trusted repository of information/guidance for the entire team

As Development Manager, you are tasked with ensuring that your team has a repeatable and effective secure development process. You want to make sure all the information your team has is accurate, and it needs to be easy to read, edit and refer to.

Your team has some good information already, but it is scattered all over the network. Your goal is to pull all that information into one location so that everything is searchable, sortable, and accessible to everybody on your team.

Here's how TeamMentor can help you:
- rollout is immediate, with little to no ramp-up time or disruption to existing processes
- unlike other security resources such as a reference guide or book, or the millions of web sites that offer guidance regardless of their technical competency, TeamMentor provides accurate, up-to-date, just-in-time guidance only when your team needs it
- Easy to integrate existing content. The TeamMentor Author makes it easy to import Word and other documents and will persist formatting options from most authoring tools, whether that's a wiki article, webpage or .pdf.
- Customizable. TeamMentor Author allows users to create their own content, libraries, and views as they see fit. This is beneficial as you'll want to include information specific to your technology, policies, etc.
- Flexible. TeamMentor content is available as XML so it can be easily integrated into your existing guidance system if you'd prefer.
PROGRAM MANAGER - looking to integrate security into your product requirements

As a Program Manager, you realize that you need to start integrating security into your requirements gathering, but don't really know where to start. We'll use TeamMentor's innovative Pivot filter system to quickly find the information we need.
- since you are designing a web application and looking for baseline information, select "Web Application" in the Technology pivot, "Design" in the Phase pivot and "Guideline" in the Type pivot
- this filtering will reduce your search results to very specific guidance, so you don't waste your time figuring out what is applicable to you
- you can now spend a short amount of time reading these guidance items and will quickly be able to refer to them directly in your requirements
- now that you have a strong understanding of how to write security requirements for a web application, you can drill down into the lower-level details of specific security activities like "How to Centralize Input Validation"
CORPORATE/INFORMATION SECURITY - looking to:
- quickly and confidently roll out secure development standards
- document use of secure development best practices for compliance and audits
- integrate existing development standards into TeamMentor

TeamMentor provides secure software development standards right out of the box. The content is vetted by security professionals, so you can be confident that your development teams are leveraging a repeatable and secure process for software development.

If you already have existing standards, you can leverage TeamMentor to consolidate all your disparate guidance into a central location and take advantage of its powerful search and integration capabilities.