Chapter 1: General Approach to Security Testing

Overview

Security testing is one of the most technical, time-consuming, yet rewarding areas of software testing. When people think about software testers, they often visualize individuals who use a software program the way the software company anticipates customers will use it. If you are a software tester, you know that testers are often responsible for many kinds of testing, including the following types:

  • Accessibility testing     Testing that the software is able to be used by people with disabilities

  • International testing     Testing that software versions work correctly in other locales, including functionality that might be customized in a locale or how the user interface is displayed in that locale's language

  • Performance testing     Testing how fast the software operates

  • Upgrade testing     Testing how the new software operates when a previous version is already installed on the customer's machine

  • Security testing     Testing the software's ability to withstand attacks

This seems like a lot of testing, but, excluding security, all of these types of testing involve scenarios that legitimate users of the software are likely to encounter. Sometimes the product group making the software will come up with several different types of customers and use scenarios for the product and will test to verify that the product behaves according to the design specification for each customer and scenario combination. Accordingly, it's crucial to understand the issue in each category. For example, for accessibility testing it is helpful for testers to consider that the user might be unable to use the mouse to click buttons. With this knowledge, a tester can verify that all functionality on the menus can be accessed using the keyboard.

Testing the product's functionality in these legitimate use scenarios is important, but it doesn't test whether the product is secure. Security testing is different from all other types of testing. Security testing attempts to find vulnerabilities in the software and to verify whether it's possible for an attacker to misuse the software program for malicious purposes. Some people call security testing negative testing because the tester verifies that bad things don't happen. As it happens, most good security testers are also excellent functionality testers.

A legitimate customer (nonattacker) would not use the product as it is used in many of the scenarios tested during security testing. In the subset of test scenarios that a legitimate user would experience, the security impact of a software flaw might not be realized. For example, a legitimate user might include images in e-mail messages, but testing this functionality doesn't normally help the security tester identify whether a malicious user might employ the feature for another purpose, such as tracking recipients of the e-mail message by using the image as a Web beacon. (For more information about Web beacons and tracking a user by using an HTML image, see http://office.microsoft.com/en-us/assistance/HP010440221033.aspx.)
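The Web beacon case above illustrates the gap between functionality testing and security testing: the image feature works as designed, yet a security tester asks what a remotely fetched image reveals about the reader. The following scanner is an added example (not from the book) that a tester or mail-filter author could run over an HTML message body to flag images that look like beacons; the sample body, the `tracker.example` host and the scoring rules are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail body (not from the book): one embedded
# image referenced by Content-ID, and one remote 1x1 image whose query
# string carries a recipient-specific value.
SAMPLE_BODY = """
<html><body>
<p>Quarterly report attached.</p>
<img src="cid:logo@example" width="200" height="60">
<img src="http://tracker.example/open.gif?rcpt=alice%40example.org" width="1" height="1">
</body></html>
"""


class BeaconScanner(HTMLParser):
    """Collect <img> tags and record why each one looks like a Web beacon."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        reasons = []
        # A remote fetch tells the sender's server when and from where the
        # message was opened; an embedded (cid:) or data: image does not.
        if parsed.scheme in ("http", "https"):
            reasons.append("remote fetch reveals reader IP and open time")
            if parsed.query:
                reasons.append("query string can identify the recipient")
        # Beacons are usually sized so the reader never sees them.
        dims = {a.get("width", "").strip(), a.get("height", "").strip()}
        if dims & {"0", "1"}:
            reasons.append("invisible 0x0 or 1x1 dimensions")
        if reasons:
            self.findings.append((src, reasons))


def find_web_beacons(html):
    """Return [(src, reasons)] for every suspicious <img> in the HTML body."""
    scanner = BeaconScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Because an image that is legitimate to the user and a beacon look identical to a functionality test, the check has to reason about what the fetch discloses, which is exactly the mindset the chapter describes.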

When it comes to security, it doesn't matter who uses the product and how the product is used if a feature or flaw can enable an attacker to compromise users or data. It doesn't matter whether someone is abusing a coding error or using a feature that was designed to perform an insecure behavior. The security tester's job is to uncover these types of bugs.

Tip

Good security testers also have many of the characteristics of good functionality testers. Good testers can distinguish all of an application's individual components and subcomponents from one another. They understand how each works individually and, more important, how they all work together to provide an end-to-end solution. Good testers can then identify problems that might occur based on the tester's knowledge of how the application works internally.



Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156
