- Reconnaissance: Identify the target
- Probe: Identify the list of touchpoints that have the potential for exploitation
- Exploit: The entry points to the target
- Stealth: Conceal your identity
Security on developerWorks
Kane Scarlett 270002Y2HJ Tags:  testing penetration_testing ethical_hacking application-security security 8,486 Views
In a concise read, independent expert M. Tim Jones details the generalized hacking process which he calls a "plan in evolution" that "beging with a goal and ... results in options and subsequently exploits over those options to gain access to a system." The process consists of
Jones doesn't leave it there, though: He flips the scenario on its head and demonstrates how to use these techniques to prevent vulnerability exploits. He explains how you can use both the hacking process and penetration testing to shore up weak spots in your security wall.
CalvinPowers 120000A09D Tags:  testing sdlc security appscan application-security 10,640 Views
We recently published "Static and dynamic testing in the software development life cycle" on the developerWorks security zone. This article has a pretty good survey of a bunch of different IBM and open source security testing tools. The article lays them out against the software development lifecycle so you can see which phase of the SDLC each one is appropriate for. Stop by and let us know your thoughts? Which tools do you rely on the most. Which ones should we add?
Kane Scarlett 270002Y2HJ Tags:  ibm-security static_testing testing application_development application-security security open_source dynamic_testing 9,942 Views
Independent expert M. Tim Jones takes you on a tour of testing your applications for security capabilities during the development and verification phase, focusing on code that you can touch, test, and inspect manually, as well as code that is perfect for automated review and inspection while under execution. In other words, static and dynamic analyses (plus another type of dynamic testing that goes by several names: vulnerability scanning, network reconnaissance, and penetration testing). In the following image, Jones outlines the different approaches and tools (as a function of the phase in the software life cycle) you can use to secure applications:
In this excellent and quick read, Jones then outlines open source and proprietary tools you can use to take some of the sting out of setup and testing applications during development.