It has been a wonderful experience working towards this certification with your training program, and I would give a very high recommendation to any future users. 

-Kay Stanley, CivicPlus






February 2017

Newsletter Issue 56



Seven Steps to Reducing Software Security Risks 



Next month, RBCS will roll out its latest course, our ISTQB Advanced Security Tester training. We have helped clients improve their testing practices, including security testing, for almost a quarter century, so you can trust us that this course, like all of our courses, is based on years of practical experience. In honor of this milestone, we have revised a classic article that describes a stepwise, risk-based process for reducing software security risks. Enjoy!



-Rex Black



If you are a software tester, programmer, or manager, you probably know that developing secure software is no longer simply desirable; it's completely essential.


Some might assume that most security problems arise from the operating system or networking layers, well below the application code they are working on.  However, figures for Web-based applications show that over three-quarters of security exploits arose from applications (see Table 1).[1]


So, you know you need secure code, but how do you get there? What are your security risks? What security failures and bugs do you have? What do these security risks, failures, and bugs mean? How can you reduce security risk in a way that doesn't create new problems? How do you monitor your progress over time? This article will outline seven steps that will allow you to answer these and other questions as you improve your software's security.


Exploited Vulnerability              Percent Occurrence
Server Applications
Non-Server Applications
Operating System Issues
Hardware Issues
Communication Protocol Issues
Network and Protocol Stack Issues
Encryption Issues

Table 1: Occurrence of Security Exploits by Vulnerability


Assess the Risks

Applications tend to have characteristic security risks.  These risks often arise from the implementation technology.  For example, C and C++ are notorious for their lack of inherent array range checking, and consequent buffer-overflow bugs, which allow hackers to insert malicious code into very long input strings.  People writing applications with databases have to worry about SQL injection, where hackers put queries into otherwise-benign fields and gain access to sensitive data.


Security risks can also arise from the business application domain.  For example, since they deal in money, banking applications are attractive targets for criminals and a major source of worry for bank IT departments.  Applications that store personal information, such as medical history, are subject to regulations like HIPAA that require strict privacy controls.


Risk awareness is the first step in risk reduction. Companies have been reluctant to let outsiders know about the security failures they've had, but some of their failures make the news, and users report others. For example, the Open Web Application Security Project provides good information for those developing Web applications, as does the World Wide Web Consortium's security page. Carnegie-Mellon's Software Engineering Institute's CERT Coordination Center provides a broader look at computer security issues. Last but not least, check out the searchable Risk Digest archives for great anecdotes and commentary on software risks, including security-related risks.


In addition to being aware of the failures, you need to be aware of the underlying bugs themselves.  Depending on the kind of applications you're writing, you'll want to read appropriate books and Web sites for hints on common insecure coding constructs and how to avoid them.  For example, searching for books on "secure programming" in any online bookseller will yield dozens of books, some general, some quite specific.


Once you are aware of the kinds of security risks that could affect your software, do a security risk analysis.  Identify the specific risk items that you should be aware of.  Meet with stakeholders to determine the level of risk in terms of likelihood and impact.  Likelihood relates to the chances of any given risk becoming an actual security bug in your software.  Impact relates to the effect on customers, users, and your software should the bug be exploited.  Your analysis of the risks and their associated levels of risk will allow you to create a prioritized list of potential security failures.[2]
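As an added example (not from the article or RBCS), here is a small risk register that carries out the analysis just described: each risk item is rated for likelihood and impact, and the register is sorted into the prioritized list of potential security failures. The five-point rating scale, the rule that keeps maximum-impact items in the top group, and every sample risk item are assumptions constructed for this illustration.

```python
from dataclasses import dataclass

# Likelihood and impact are each rated 1 (low) to 5 (high). The article does not
# prescribe a scale, so this five-point scale is an assumption of this example.
SCALE = range(1, 6)


@dataclass(frozen=True)
class RiskItem:
    name: str
    source: str       # "technology" or "domain": the two origins the article names
    likelihood: int   # chance the risk becomes an actual security bug
    impact: int       # effect on customers, users and the software if exploited

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: ratings must be within 1..5")

    @property
    def risk_level(self) -> int:
        return self.likelihood * self.impact


def prioritize(register, high_impact_floor=5):
    """Order risk items highest level first.

    Ties break on impact. Items whose impact meets high_impact_floor stay in the
    top group even when unlikely, so a rare but catastrophic failure is not
    buried under frequent nuisances (a common practice, not the article's rule).
    Passing a floor above the scale (e.g. 6) disables that rule."""
    return sorted(register,
                  key=lambda r: (r.impact >= high_impact_floor, r.risk_level, r.impact),
                  reverse=True)


# Constructed sample register illustrating the article's two risk origins.
SAMPLE_REGISTER = [
    RiskItem("Buffer overflow in C input parser", "technology", 4, 5),
    RiskItem("SQL injection in search field", "technology", 3, 5),
    RiskItem("Verbose error pages leak stack traces", "technology", 5, 2),
    RiskItem("Weak session timeout in banking portal", "domain", 3, 3),
    RiskItem("Medical-history export leaks PHI (HIPAA)", "domain", 1, 5),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        print(f"{item.risk_level:>3}  L{item.likelihood} I{item.impact}  {item.name}")
```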


[1] Figures from the Open Web Application Security Project Web site.

[2] I describe the process of risk analysis in my book Managing the Testing Process, 3e.


Copyright © 2006-2017, RBCS, All Rights Reserved


To enjoy this article in its entirety today, click here!





April 25-26, 2017

Noon to 3:30 PM CDT

via GoToWebinar





RBCS and imbus Canada Announce Training Partnership in Canada


RBCS, Inc. and imbus Canada are pleased to announce that imbus Canada is now an exclusive RBCS licensee of some of the most sought-after certification and software testing courses. Over the next few months, imbus Canada will deliver highly acclaimed certification courses in live, e-learning, and virtual formats.


Visit imbus Canada within the next two months to see which courses have been made accessible to you by imbus Canada, a top-tier, world-class training provider!



Complimentary Webinars


Did you miss the complimentary webinar, "Psychopolitics of Test Management" on January 11, 2017? Check out what you missed!



Webinar attendees are automatically entered into a drawing to win their choice of one of our green e-learning courses. Congratulations, Jeffrey Mumford, attendee of the January webinar, for being selected as the winner of an e-learning course. 


Register now for our next complimentary webinar, "Fully Leveraging Agile Test Automation" on March 29, 2017.


Shop all scheduled upcoming complimentary webinars and sign up today!




Complimentary Resources


Do you follow us on Twitter or Facebook, or subscribe to the RBCS YouTube channel?  If you're on LinkedIn, are you connected with Rex Black? Rex posts insights, free resources, and links to interesting stuff in those spots pretty much every day. Here's how to find us:




RBCS Software Testing Training Schedule

Visit our website to learn more about our public training courses, e-learning courses, or virtual instructor-led courses.


Our 2017 schedule is now posted! If you have a request for public training in your city and can guarantee a minimum of 5 people in attendance, contact us. We will be happy to schedule a course on your home turf!


All RBCS courseware can also be delivered privately, onsite, at your organization. Contact us for pricing and to schedule.


Register for your public training at the RBCS Marketplace today!







+1 830.438.4830