Mritunjoy Mitra has a B.Tech. in Computers (Systems) from the University of British Columbia, Vancouver, Canada. With more than 9 years of IT experience in fields such as databases, development, implementation and testing, he has been working on IT lifecycle projects and security for the last 6 years. Passionate about learning and implementing new things, his latest creation is an automation framework for "Automating your test environment".
Mritunjoy, also known as Joy at his workplace, is an ardent reader; he is currently hooked on "Does IT Matter?" and "IT Doesn't Matter".
He is presently Senior QA Manager with Cybage Software Pvt. Ltd and wishes to take Cybage to the next level by forming a Test Center of Excellence that will be unique in all respects.
Introduction:
1. Providing secure products to the marketplace has become increasingly important for all customers. For this reason, an overall strategy is needed that delivers robust product security. A robust environment cannot rely on a single control to stay secure: any one control can fail or be bypassed. Layering multiple security controls provides the best defense against malicious attacks, because an attacker who defeats one layer is still held by the next, which buys administrators time to identify and address security issues as they arise.
2. This paper provides guidance for development activities on web-based products where security considerations and concerns must be identified before a release. Examples of security issues and techniques for testing for them are identified and described.
3. To aid in determining the best course of action when analyzing and reacting to security issues, a process flow is described that can be implemented immediately for finding security flaws.
4. This paper does not cover every possible security risk to a web-based application. Rather, it addresses the most necessary changes that can be made within the time constraints of meeting the expectations of the industry, our customers and ourselves.
Audience
All those who play any part in the SDLC or are stakeholders in it.
Contents
1. Introduction
2. Security Testing during Design Phase
• Threat analysis using the STRIDE and DREAD models.
• Threat modeling using the Microsoft Threat Analysis & Modeling Tool.
3. Security Testing during Implementation phase.
• Usage of FxCop.
• Usage of Coverity.
4. Security Testing during Testing phase
• Usage of Paros Proxy
• Usage of WebScarab