4.3 Security Testing a .NET Application

Previous page
Table of content
Next page

As we stated in Chapter 1, security testing is unlike ordinary application testing the security tester looks for ways to subvert the security of an application prior to its deployment. Effective security testing can significantly reduce the number of security defects in an application and can highlight flaws in the application design. We offer the following advice to assist you in security testing applications:

  • Play the part of the employee. Do not limit your simulated attacks to those you expect a hacker to make be sure to determine if it is possible for a disgruntled employee to subvert the application security. Employees are usually assigned more trust in an application security model, which can sometimes provide easier routes of attack.

  • Test beyond the application itself. Your testing should include attacks on the system on which the application depends, including database, directory, and email servers. In the case of .NET, you should also see if you can subvert your application via an attack on the runtime components. Poor configuration or a poor understanding of security functionality can often provide an avenue for an attack that can subvert the application indirectly.

  • Test beyond the application design. Do not fall into the trap of simply testing to ensure that the application design has been correctly implemented; this is functional testing, and it does not offer many insights into security failures.

  • Monitor trends in general attack strategies. Expand your range of simulated attacks by monitoring the way real attacks are performed. Your customers may furnish you with descriptions of attacks they have seen, and you can learn from the way other applications and services are attacked.

There is a growing awareness of the value in security testing, and tools have started to emerge to assist in the testing process. The first generation of tools are focused on testing the configuration of an application and the .NET runtime, but work is in progressing on more complex software that will automate applying common types of attack. See the Microsoft .NET home page for information about .NET testing tools in general and some links to security-testing tools.


Previous page
Table of content
Next page
Programming. NET Security
Programming .Net Security
ISBN: 0596004427
EAN: 2147483647
Year: 2005
Pages: 346
Authors: Adam Freeman, Allen Jones
BUY ON AMAZON
Beginners Guide to DarkBASIC Game Programming (Premier Press Game Development)
Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project
Kanban Made Simple: Demystifying and Applying Toyotas Legendary Manufacturing Process
Network Security Architectures
Professional Struts Applications: Building Web Sites with Struts ObjectRelational Bridge, Lucene, and Velocity (Experts Voice)
Quantitative Methods in Project Management
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy