Security Testing Is Different

Most testing is about proving that some feature works as specified in the functional specifications. If the feature deviates from its specification, a bug is filed, the bug is usually fixed, and the updated feature is retested. Testing security is often about checking that some feature appears to fail. What I mean is this: security testing involves demonstrating that the tester cannot spoof another user's identity, that the tester cannot tamper with data, that enough evidence is collected to help mitigate repudiation issues, that the tester cannot view data he should not have access to, that the tester cannot deny service to other users, and that the tester cannot gain more privileges through malicious use of the product (one check for each STRIDE threat category). As you can see, most security testing is about proving that defensive mechanisms work correctly, rather than proving that feature functionality works. In fact, part of security testing is trying to make the application under test perform tasks it was never designed to do. Think about it: code has a security flaw when it fulfills the attacker's request, and no application should carry out an attacker's bidding.

One could argue that functional testing includes security testing, because security is a feature of the product (refer to Chapter 2, "The Proactive Security Development Process," if you missed that point!). However, in this case functionality refers to the pure productivity aspects of the application.
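The six checks described above, as an added worked example that is not code from the book: a constructed toy document service with HMAC-signed session tokens, an owner-or-admin read check, a body-size limit and an audit log, plus one negative test per STRIDE category. Every name in it (DocumentService, SERVER_KEY, MAX_BODY, the users alice and mallory) is invented for the example. Each test passes only when the service refuses the request, which is exactly the "access denied" outcome the text describes; the final positive control guards against a service that "passes" every negative test only because it is broken and denies everything.

```python
"""
Negative security tests for a constructed toy "document service".
Each test passes only when the service refuses the attacker's request,
one test per STRIDE category. Service, key and users are invented here.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # fresh per run; only the server knows it
MAX_BODY = 1024                       # constructed size limit used by the DoS test
REFUSALS = (PermissionError, ValueError)


class DocumentService:
    """Owners read their own documents; admins read everything."""

    def __init__(self):
        self.docs = {}    # doc_id -> (owner, body)
        self.roles = {}   # user -> role
        self.audit = []   # (user, action, doc_id) records for the repudiation test

    def _sign(self, user, role):
        mac = hmac.new(SERVER_KEY, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
        return f"{user}:{role}:{mac}"

    def _verify(self, token):
        """Return (user, role) from a token, or refuse it."""
        parts = token.split(":")
        if len(parts) != 3:
            raise PermissionError("malformed token")
        user, role, mac = parts
        expected = hmac.new(SERVER_KEY, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("bad token")
        return user, role

    def login(self, user, role):
        """Register the user and hand back a signed session token."""
        self.roles[user] = role
        return self._sign(user, role)

    def put(self, token, doc_id, body):
        user, _ = self._verify(token)
        if len(body) > MAX_BODY:
            raise ValueError("body too large")
        self.docs[doc_id] = (user, body)
        self.audit.append((user, "put", doc_id))

    def get(self, token, doc_id):
        user, role = self._verify(token)
        owner, body = self.docs[doc_id]
        if user != owner and role != "admin":
            self.audit.append((user, "denied", doc_id))
            raise PermissionError("access denied")
        self.audit.append((user, "get", doc_id))
        return body

    def promote(self, token, target):
        _, role = self._verify(token)
        if role != "admin":
            raise PermissionError("access denied")
        self.roles[target] = "admin"


def refused(fn, *args):
    """True when the call is rejected, which for these tests is the wanted outcome."""
    try:
        fn(*args)
    except REFUSALS:
        return True
    return False


def run_negative_tests():
    """Run one negative test per STRIDE category plus a positive control."""
    svc = DocumentService()
    alice = svc.login("alice", "user")
    mallory = svc.login("mallory", "user")
    svc.put(alice, "d1", "alice's secret")
    r = {}
    # Spoofing: a token naming alice with a MAC mallory cannot compute without the key.
    r["spoofing"] = refused(svc.get, "alice:user:" + "0" * 64, "d1")
    # Tampering: mallory edits the role field of her own genuine token.
    user, _role, mac = mallory.split(":")
    r["tampering"] = refused(svc.get, f"{user}:admin:{mac}", "d1")
    # Information disclosure: a valid non-owner token must not read alice's document.
    r["information_disclosure"] = refused(svc.get, mallory, "d1")
    # Repudiation: the refused read above must have left an audit record.
    r["repudiation"] = ("mallory", "denied", "d1") in svc.audit
    # Denial of service: an oversized body is rejected instead of being stored.
    r["denial_of_service"] = refused(svc.put, mallory, "d2", "x" * (MAX_BODY + 1))
    # Elevation of privilege: a plain user cannot make herself admin.
    r["elevation_of_privilege"] = refused(svc.promote, mallory, "mallory")
    r["elevation_of_privilege"] &= svc.roles["mallory"] == "user"
    # Positive control: the denials above are not because the service is simply broken.
    r["owner_can_read"] = svc.get(alice, "d1") == "alice's secret"
    return r


if __name__ == "__main__":
    for name, passed in run_negative_tests().items():
        print(f"{name:24} {'PASS' if passed else 'FAIL'}")
```

Note the shape of the assertions: the test for each category asserts that an exception was raised, and the audit check asserts that the denied attempt was recorded, so "the feature failed" is the passing result. The positive control at the end is what a functional tester would write; it is kept so that a regression which denies all access does not masquerade as a perfectly secure build.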

Most people want to hear comments like, "Yes, the feature works as designed," rather than, "Cool, I got an access denied!" The latter is seen as a negative statement. Nevertheless, it is fundamental to the way a security tester operates. Good security testers are a rare breed: they thrive on breaking things, and they understand how attackers think.

I once interviewed a potential hire and asked him to explain why he's a good tester. His reply, which clinched the job for him, was that he could break anything that opened a socket!

IMPORTANT
Good security testers are also good testers who understand and implement important testing principles. Security testing, like all other testing, is by its nature subject to the tester's experience, expertise, and creativity. Good security testers exhibit all three traits in abundance.

TIP
You should put yourself in a black-hat mindset by reviewing old security bugs at a resource such as http://www.securityfocus.com.



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286
