Testing

Previous page
Table of content
Next page

After successful unit and integration testing as part of the development cycle, the testers should already have completed their test cases and been exposed to development builds of the code. Now the testers will execute all functional and nonfunctional test cases. In particular, we will pay close attention to the security testing team. This team has the responsibility for performing security testing of the system, both white box and black box testing. Like our developers, these security testers will be hand-picked, dedicated to the security testing, and appropriately trained and mentored.

White Box Testing

The white box test team will perform white box or full knowledge testing of the system. They will examine the code, the configuration, and the environment for potential security vulnerabilities. They will make use of a variety of tools such as source code analyzers and debuggers to perform automated source code analysis, probing for security vulnerabilities.

Black Box Testing

In parallel to white box testing, a team of testers needs to be dedicated for black box or zero knowledge testing. These testers do not get to see the code or the configuration. They approach the application as a hacker would, probing for weaknesses to exploit using a variety of techniques and tools. There is a multitude of such tools out there, including the infamous SATAN (Security Administrator Tool for Analyzing Networks). These tools help probe the perimeter security, the host environment, and the application layers.

For our use case scenario, we used different tools to scan for network vulnerabilities that allow scanning our host and the application itself. The type of tool depends upon the type of testing. You can find anything from freeware port scanners to high-end enterprise tools with integrated reporting capabilities. The decision on which tools to use depends on how much you are willing to spend, how often they will be used, and the knowledge of the tool possessed by the test team.

Table 14-5 is a brief list of various black box tools for probing hosts, networks, and applications.

Table 14-5. Sample Black Box Testing Tools

Black Box Testing Tools

SATAN

http://www.fish.com/satan

Foundstone Enterprise

http://www.foundstone.com

Internet Scanner

http://www.iss.com

ITS4

http://www.cigital.com/its4/


Our black box testing revealed an input parameter attack on our rewards payment page. This vulnerability opens up the application to a cross-site scripting attack. This was sent back to the designer who analyzed the risk and decided to have one of the security developers make a fix.

The security developer was able to quickly implement a fix by updating the Intercepting Validator's validation rules. Once it was unit tested, it was sent back to testing. Further testing revealed no significant holes and therefore turned the code over for deployment.



Previous page
Table of content
Next page
Core Security Patterns. Best Practices and Strategies for J2EE, Web Services, and Identity Management
Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management
ISBN: 0131463071
EAN: 2147483647
Year: 2005
Pages: 204
Authors: Christopher Steel, Ramesh Nagappan, Ray Lai
BUY ON AMAZON
ADO.NET 3.5 Cookbook (Cookbooks (OReilly))
ERP and Data Warehousing in Organizations: Issues and Challenges
Lotus Notes and Domino 6 Development (2nd Edition)
Software Configuration Management
Cisco IOS Cookbook (Cookbooks (OReilly))
Comparing, Designing, and Deploying VPNs
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy