Security Testing
Printed From: One Stop Testing
Category: Types Of Software Testing @ OneStopTesting
Forum Name: Security Testing @ OneStopTesting
Forum Discription: Discuss All that is need to be known about Security Testing, All Security Issues and its Tools.
URL: http://forum.onestoptesting.com/forum_posts.asp?TID=89
Printed Date: 30Dec2024 at 9:05pm
Topic: Security Testing
Posted By: Riya
Subject: Security Testing
Date Posted: 17Feb2007 at 10:59am
Security testing
Security testing has recently moved beyond the realm of network port scanning to include probing software behavior as a critical aspect of system behavior (see the sidebar). Unfortunately, testing software security is a commonly misunderstood task. Securitytesting done properly goes deeper than simple black-box probing on thepresentation layer (the sort performed by so-called application securitytools)—and even beyond the functional testing of security apparatus.Testers must use a risk-based approach,grounded in both the system’sarchitectural reality and the attacker’s mindset, to gauge softwaresecurity adequately. By identifying risks in the system and creating testsdriven by those risks, a software security tester can properly focus onareas of code in which an attack is likely to succeed. This approach providesa higher level of software security assurance than possible withclassical black-box testing.What’s so different about security?Software security is about making software behave in the presence of amalicious attack, even though in the real world, software failures usuallyhappen spontaneously—that is, without intentional mischief. Notsurprisingly, standard software testing literature is only concerned withwhat happens when software fails,regardless of intent. The differencebetween software safety and software security is therefore the presence ofan intelligent adversary bent on breaking the system.Security is always relative to the information and services being protected,the skills and resources of adversaries, and the costs of potentialassurance remedies; security is an exercise in risk management. Riskanalysis, especially at the design level, can help us identify potential securityproblems and their impact.1Once identified and ranked, softwarerisks can then help guide software security testing.A vulnerability is an error that an attacker can exploit. Many types ofvulnerabilities exist, and computer security researchers have created taxonomiesof them.2 Security vulnerabilities in software systems rangefrom local implementation errors (such as use of the gets() functioncall in C/C++), through interprocedural interface errors (such as arace condition between an access control check and a file operation),to much higher design-level mistakes (such as error handling and recoverysystems that fail in an insecure fashion or object-sharing systemsthat mistakenly include transitive trust issues). Vulnerabilities typicallyfall into two categories—bugs at the implementation level and flaws atthe design level.3 Attackers generally don’t care whether a vulnerability is due to aflaw or a bug, although bugs tend to be easier to exploit. Because attacksare now becoming more sophisticated, the notion of which vulnerabilitiesactually matter is changing. Although timing attacks, includingthe well-known race condition, were considered exotic just a fewyears ago, they’re common now.Similarly, two-stage buffer overflowattacks using trampolines were once the domain of software scientists, butnow appear in 0day exploits.4.Design-level vulnerabilities arethe hardest defect category to handle, but they’re also the most prevalentand critical. Unfortunately, ascertaining whether a program hasdesign-level vulnerabilities requires great expertise, which makes findingsuch flaws not only difficult, but particularly hard to automate.Examples of design-level problems include error handling in object-oriented systems, object sharing and trust issues, unprotected datachannels (both internal and external), incorrect or missing access controlmechanisms, lack of auditing/logging or incorrect logging, and orderingand timing errors (especially in multithreaded systems). Thesesorts of flaws almost always lead to security risk.Risk management and security testing Software security practitioners performmany different tasks to manage software security risks, including • creating security abuse/misuse cases;• listing normative security requirements;• performing architectural risk analysis;
|
|