Is Software Security a Feature? Is Security Vulnerability a Bug?

Previous page
Table of content
Next page

By now you've hopefully come to the conclusion that software security can be viewed as simply another feature of a software product or system. Most people probably don't want their personal financial data made public by a hacker. They would consider their spreadsheet software's ability to keep that information private a necessary feature. That feature is one that would go toward making the software a good quality product (remember our discussion of quality versus reliability in Chapter 3, "The Realities of Software Testing"?) If the software "failed" and allowed a hacker to see personal bank balances and credit card info, most users would consider that a software bug, pure and simple.

REMINDER

It's a good idea, here, to reiterate our definition of a bug from Chapter 1, "Software Testing Background":

  1. The software doesn't do something that the product specification says it should do.

  2. The software does something that the product specification says it shouldn't do.

  3. The software does something that the product specification doesn't mention.

  4. The software doesn't do something that the product specification doesn't mention but should.

  5. The software is difficult to understand, hard to use, slow, orin the software tester's eyeswill be viewed by the end user as just plain not right.

And, to revisit our discussion of test-to-pass and test-to-fail from Chapter 5, "Testing the Software with Blinders On."

When you test-to-pass, you really only ensure that the software minimally works. You don't push its capabilities. You don't see what you can do to break it. You treat it with kid gloves, applying the simplest and most straightforward test cases.

After you assure yourself that the software does what it's specified to do in ordinary circumstances, it's time to put on your sneaky, conniving, devious hat and attempt to find bugs by trying things that should force them outtest-to-fail.


As a software tester, you may be responsible for testing the software's overall security or you may just be responsible for testing that your assigned features are secure. No matter, you'll need to consider all five definitions of a bug. You won't necessarily be given a product specification that explicitly defines how software security is to be addressed in your software. Nor will you be able to assume that the threat model is complete and accurate. For these reasons, you'll need to put on your "test-to-fail" hat and attack the software much like a hacker wouldassuming that every feature has a security vulnerability and that it's your job to find it and exploit it.

TIP

Testing for security bugs is a test-to-fail activity and one that will often cover areas of the product that haven't been completely understood or specified.



    Previous page
    Table of content
    Next page
    Software Testing
    Lessons Learned in Software Testing
    ISBN: 0471081124
    EAN: 2147483647
    Year: 2005
    Pages: 233
    Authors: Cem Kaner, James Bach, Bret Pettichord
    BUY ON AMAZON
    Agile Project Management: Creating Innovative Products (2nd Edition)
    The .NET Developers Guide to Directory Services Programming
    SQL Hacks
    PostgreSQL(c) The comprehensive guide to building, programming, and administering PostgreSQL databases
    Service-Oriented Architecture (SOA): Concepts, Technology, and Design
    PMP Practice Questions Exam Cram 2
    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net
    Privacy policy