Testing Techniques to Find the Sin

Code review is best, but you can also try to make the application fail just to see what its error messages reveal. You should also use and misuse the application as a non-administrator and note what information it divulges.

Validating the practicality of a timing attack generally requires dynamic testing, and it also requires a reasonable understanding of statistics. We're not going to cover that here, but we will refer you to Dan Bernstein's work on cryptographic timing attacks (see the Other Resources section).
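The dynamic test the paragraph has in mind can be written as a small harness: time a comparison routine on two classes of wrong input (one that mismatches at the first byte, one that matches all but the last byte) and ask a statistic whether the two timing populations differ. The following is an added example, not code from the book; it uses Welch's t-test, which is my choice of statistic rather than something the book prescribes, and the 4.5 cutoff mentioned in the comments is the convention used by the dudect tool, also my choice. The secret value is constructed for the demonstration.

```python
import hmac
import math
import statistics
import time


def naive_compare(a: bytes, b: bytes) -> bool:
    """Byte-by-byte compare that returns at the first mismatch.

    Its running time grows with the length of the matching prefix,
    which is exactly the signal a timing attack measures.
    """
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_compare(a: bytes, b: bytes) -> bool:
    """Standard-library compare whose running time does not depend on where the inputs differ."""
    return hmac.compare_digest(a, b)


def welch_t(xs, ys):
    """Welch's t statistic and degrees of freedom for two independent samples.

    A large |t| means the two groups' mean timings differ by more than
    their spread explains, i.e. the routine under test leaks through timing.
    """
    n1, n2 = len(xs), len(ys)
    m1, m2 = statistics.fmean(xs), statistics.fmean(ys)
    v1, v2 = statistics.variance(xs), statistics.variance(ys)
    se2 = v1 / n1 + v2 / n2
    if se2 == 0.0:
        # Both groups are constant: identical means give t = 0, different means an infinite t.
        return (0.0 if m1 == m2 else math.copysign(math.inf, m1 - m2)), float("nan")
    t = (m1 - m2) / math.sqrt(se2)
    df = se2 ** 2 / ((v1 / n1) ** 2 / (n1 - 1) + (v2 / n2) ** 2 / (n2 - 1))
    return t, df


def sample_timing(compare, secret, guess):
    """Time one call of compare(secret, guess) in nanoseconds."""
    t0 = time.perf_counter_ns()
    compare(secret, guess)
    return time.perf_counter_ns() - t0


def timing_leak_score(compare, secret, n=3000):
    """Return |t| between a first-byte-mismatch guess and an all-but-last-byte guess.

    Both guesses are wrong, so a compare whose timing is independent of
    content should give |t| near zero. A |t| above about 4.5 (the dudect
    cutoff; my choice of threshold) is strong evidence of a timing leak.
    """
    no_match = bytes((b + 1) & 0xFF for b in secret)           # every byte differs
    near_match = secret[:-1] + bytes([(secret[-1] + 1) & 0xFF])  # only the last byte differs
    xs, ys = [], []
    # Interleave the two groups so that slow drift (CPU frequency, scheduling)
    # affects both populations equally instead of biasing one of them.
    for _ in range(n):
        xs.append(sample_timing(compare, secret, no_match))
        ys.append(sample_timing(compare, secret, near_match))
    t, _ = welch_t(xs, ys)
    return abs(t)


if __name__ == "__main__":
    secret = b"constructed-sample-secret-token-0123456789"  # constructed for the demo
    for name, fn in (("naive", naive_compare), ("constant-time", constant_time_compare)):
        print(f"{name:14s} |t| = {timing_leak_score(fn, secret):.1f}")
```

Run it a few times: the naive loop produces a |t| that grows with the number of samples, while `hmac.compare_digest` stays near zero. The measured values depend on the machine and on how much other work it is doing, which is why the threshold is a judgment call rather than a fixed fact, and why the book points you at the statistics literature rather than a single number.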

The Stolen Laptop Scenario

For grins and giggles, you should emulate the stolen laptop scenario. Have someone use the application you're testing for a few weeks, then take the computer and attempt to view the data on it using various nefarious techniques, such as:

  • Booting a different OS

  • Installing a side-by-side OS setup

  • Installing a dual boot system

  • Attempting to log on using common passwords



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
ISBN: 71626751
Year: 2003
Pages: 239