Web application security has a broad scope that spans from network communication to browser behaviors to backend applications and finally to database servers. Validating security of all these components can be a daunting task and take a considerable effort. Penetration is the most prevalent testing method used today for validating web application security. The question is, “does it cover all the basis?” Penetration testing is a black-box type testing that a QA engineer applies from the hacker’s perspective. While it provides a comfort level, it does not ensure that the application has been developed with security in mind and that it meets the three basic requirements of security namely, Confidentiality, Integrity, and Availability (CIA). The CIA framework builds intrinsic security and thus ensures an increased confidence level. This framework should be complemented with the penetration testing.

This talk focuses on how to align the security validation of a web application with the three basic elements of security namely, Confidentiality, Integrity, and Availability (CIA). The test effectiveness can be achieved by analyzing the requirements of each element and identifying the potential breaches that can compromise each element. The efficiency should be built by relating these breaches with the known OWASP Top 10 and other vulnerabilities and, leveraging that knowledge to identify the testing approach - static and dynamic throughout the SDLC.


Bhushan Gupta is a Principal consultant at Gupta Consulting LLC., Bhushan Gupta is passionate about development methods and tools that yield more secure web applications especially in the agile software development environment. As a researcher, he has a keen interest in understanding and applying fundamental principles and known methodologies to develop dependable and secure software solutions. His interests extend to Social Engineering and Attack Surface Analysis. Bhushan worked at Hewlett-Packard for 13 years in various roles including software quality lead, engineer, software process architect, and software productivity manager. He then developed a strong interest in web application security while working as a quality engineer for Nike Inc. Bhushan has been studying various facets of web application security and promoting how to apply common sense approach to build secure solutions. He is a certified Six Sigma Black Belt (HP and ASQ) and an adjunct faculty member at the Oregon Institute of Technology in Software Engineering. To learn more about Bhushan’s contributions to SDLC, visit www.bgupta.com


Vaibhav Gupta


Starts at Saturday February 24 2018, 01:00 PM. The sessions runs for about 1 hour.