Chapter 13. Testing for Software Security


IN THIS CHAPTER

  • WarGames - the Movie

  • Understanding the Motivation

  • Threat Modeling

  • Is Software Security a Feature? Is Security Vulnerability a Bug?

  • Understanding the Buffer Overrun

  • Using Safe String Functions

  • Computer Forensics

It seems as though a day doesn't go by without a news story about yet another computer security issue. Hackers, viruses, worms, spyware, backdoors, Trojan horses, and denial-of-service attacks have become common terms. Even average computer users have been impacted beyond the nuisance level, losing important data and valuable time restoring their systems after an attack. A January 14, 2005, story in the LA Times by Joseph Menn, titled, "No More Internet for Them," reveals that many people have had enough. They're frustrated, angry, and they are "plugging out," disconnecting their computers from the Internet in an effort to regain control of their PCs. That's not a good sign for the health and growth of the computer industry.

For these reasons, software security is on every programmer's mind (or at least it should be if she wants to stay employed) and is touching all aspects of the software development process. Software testing has yet another area to be concerned with, and this chapter will give you an introduction to this important and timely topic.

Highlights of this chapter include

  • Why someone would want to break into a computer

  • What types of break-ins are common

  • How to work with your design team to identify security issues

  • Why software security problems are nothing more than software bugs

  • What you, as a software tester, can do to find security vulnerabilities

  • How the new field of computer forensics is related to software security testing



    Software Testing
    Lessons Learned in Software Testing
    ISBN: 0471081124
    EAN: 2147483647
    Year: 2005
    Pages: 233
