Title :
Software security testing
Author :
Potter, Ben ; McGraw, Gary
Author_Institution :
Booz, Allen & Hamilton Inc., USA
Abstract :
Testing software security is a commonly misunderstood task. Done properly, it goes deeper than simple black-box probing on the presentation layer (the sort performed by so-called application security tools) - and even beyond the functional testing of security apparatus. Testers must use risk-based approaches, grounded in both the system´s architectural reality and the attacker´s mindset, to gauge software security adequately. By identifying risks in the system and creating tests driven by those risks, a software security tester can properly focus on areas of code in which an attack is likely to succeed. This approach provides a higher level of software security assurance than is possible with classical black-box testing.
Keywords :
program testing; risk analysis; security of data; attacker mindset; risk-based approaches; software security testing; system architecture; Computer errors; Computer security; Data security; Performance evaluation; Risk analysis; Risk management; Software performance; Software testing; System testing; Timing; black-box testing; software development cycle;
Journal_Title :
Security & Privacy, IEEE
DOI :
10.1109/MSP.2004.84
