Secure Coding mailing list archives

Adapting Penetration Testing for Software Development Purposes


From: weld at vulnwatch.org (Chris Wysopal)
Date: Tue, 23 Jan 2007 09:30:26 -0500 (EST)


Ken,

I enjoyed reading your article.  My book "The Art of Software
Security Testing" is based on the concept of using penetration techniques
as part of the development lifecycle and is specifically targeted at QA
professionals.  One of my co-authors, Elfriede Dustin, has written 5 QA
books and assured that the book was accessible to that audience.

There are some free chapters of the book available:


Chapter 3: The Secure Software Development Lifecycle
http://www.devsource.com/article2/0,1895,2055988,00.asp

Chapter 4: Risk-Based Security Testing: Prioritizing Security Testing with
Threat Modeling
http://www.prnewswire.com/mnr/veracode/26386/docs/Wysopal_Rev-Chapter%2004.pdf

Chapter 5: Shades of Analysis: White, Gray, and Black Box Testing
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9006870&taxonomyId=17&intsrc=kc_feat

Cheers,

Chris


On Mon, 22 Jan 2007, Kenneth Van Wyk wrote:

Greetings SC-L folk,

FYI, there's been a wave of new content added to the DHS-funded
software security portal, Build Security In (home URL is
http://BuildSecurityIn.us-cert.gov).  Most recently, a couple of articles
about penetration testing and tools were added (see
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/penetration/655.html?branch=1&language=1).

(Full disclosure: I'm the author of the pen testing articles, but
don't let that stop you from grabbing them.  ;-)

All of the articles on the BSI portal are free.

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com