Posts

How I'm Translating QA Test Planning to Security Test Cases

My tech writing led to manual QA testing and now I'm transitioning into offensive security. When I was doing manual QA testing there was some overlap with security testing; however, solid security testing includes threat-informed testing. This means reasoning about:

· what to attack and
· why

I translated my QA testing background into a security threat matrix. I learned what went right, what went wrong, and I was introduced to threat modeling frameworks, which provide a more structured approach to identifying and tackling security risks.

Why Should Security Testing Be Its Own Thing?

QA asks "does it work as designed?" I created test plans to ensure that features and software follow requirements, and I hunted for issues. My findings were mainly for devs to fix bugs, errors, defects, etc. Now how do I prepare to test if someone wants to take advantage of vulnerabilities in the software? This is the secu...

Frameworks of Defense: A Quick Look at Key Threat Modeling Frameworks

What are threat modeling frameworks? They are structured methodologies we can use to help us identify, categorize, and mitigate security risks in:

· Systems
· Applications
· Data flows

From these frameworks we can build test plans to think like an attacker so that we can build defenses against them.

Key Frameworks

There are quite a few frameworks, but here are some key ones:

DFD = Data Flow Diagram

Framework: STRIDE
Type / Focus: Threat identification model
Key Idea: Categorizes threats using a mnemonic
How It Works (Simplified): Six threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Best Use Case: Analyzing specifi...