Testing Software Security
Published in: Education, Technology
1. Testing Software Security
   - A secure product is a product that protects the confidentiality, integrity, and availability of the customers' information, and the integrity and availability of processing resources, under control of the system's owner or administrator.
   - A security vulnerability is a flaw in a product that makes it infeasible, even when the product is used properly, to prevent an attacker.
   - Hacker: one who uses programming skills to gain illegal access to a computer network or file.
   - As a software tester it is important to understand why someone may want to break into your software. Understanding their intent will help you think about where the security vulnerabilities might be in the software you are testing.

2. Understanding the Motivation of the Hacker
   The five motives that a hacker might have to gain access to a system are:
   - Challenge/Prestige: someone breaks into a system purely for the challenge of the task and the prestige.
   - Curiosity: the hacker will peruse the system looking for something interesting.
   - Use/Leverage: the hacker will actually attempt to use the system for his own purpose.
   - Defacing, Destruction, and Denial of Service: defacing is changing the appearance of a website; destruction takes the form of deleting or altering data stored on the system; denial of service is preventing or hindering the hacked system from performing its intended operation.
   - Steal: the intent is to find something of value that can be used or sold. Credit card numbers, personal information, goods and services, even login IDs and email addresses, all have value to the hacker.

3. Threat Modeling
   - Threat modeling looks for areas of the product's feature set that are exposed to security vulnerabilities.
   - Based on it, you can choose to make changes to the product, spend more effort designing certain features, or concentrate testing on potential trouble spots.
   - Ultimately it will result in a more secure product.
   - Unless everyone on the product development team understands and agrees on the possible threats, your team will not be able to create a secure product.

4. Threat Modeling
   - A complex system requires comprehensive threat modeling to identify security vulnerabilities.

5. Steps of the Threat Modeling Process
   1. Assemble the threat modeling team.
   2. Identify the assets.
   3. Create an architecture overview.
   4. Decompose the application.
   5. Identify the threats.
   6. Document the threats.
   7. Rank the threats.

6. Testing for Security Bugs
   - Testing for security bugs is a test-to-fail activity.
   - The tester won't necessarily be given a product specification that explicitly defines how software security is to be addressed, nor can the tester assume that the threat model is complete and accurate.
   - The tester needs to put on the "test-to-fail" hat and attack the software much like a hacker would, assuming that every feature has a security vulnerability.
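The following is an added example of what "test-to-fail" looks like in practice; it is not code from the slide deck. It assumes a hypothetical file-download feature that maps a user-supplied name onto a file under a fixed directory, shows a naive resolver beside a hardened one, and runs both through a small harness of hostile inputs (all constructed here) that the tester expects the feature to reject. The harness reports which hostile inputs were accepted, which of those actually resolved outside the download root, and which benign names were wrongly refused.

```python
"""Test-to-fail harness for a hypothetical file-download feature.

Added example, not part of the original slides. DOWNLOAD_ROOT, both resolver
functions, and the hostile/benign inputs are constructed for illustration.
"""
from pathlib import PurePosixPath
from typing import Callable, Dict, List, Optional

# Directory the feature is supposed to serve files from (constructed value).
DOWNLOAD_ROOT = PurePosixPath("/srv/app/downloads")

# Inputs a tester would try when assuming the feature is vulnerable (constructed).
HOSTILE_INPUTS: List[str] = [
    "../../etc/passwd",          # dot-segment traversal
    "/etc/passwd",               # absolute path replaces the join entirely
    "..\\..\\windows\\win.ini",  # backslash variant
    "report.txt\x00.jpg",        # embedded NUL byte
    "",                          # empty name resolves to the root directory
    "..",                        # bare parent reference
    "a" * 300,                   # oversized name
]
BENIGN_INPUTS: List[str] = ["report.pdf", "2024-q1.csv", "notes.txt"]


def resolve_naive(requested: str) -> Optional[PurePosixPath]:
    """'Before' version: trusts the user-supplied name as a relative path."""
    return DOWNLOAD_ROOT / requested


def resolve_hardened(requested: str) -> Optional[PurePosixPath]:
    """'After' version: accept only a single plain file name under DOWNLOAD_ROOT.

    Returns None for anything that is not a simple, well-formed name.
    """
    if not requested or len(requested) > 255:
        return None
    # Reject NUL and other control characters before doing any path logic.
    if any(ord(c) < 0x20 or c == "\x7f" for c in requested):
        return None
    # Only one path component is allowed: no separators, no dot-segments.
    if "/" in requested or "\\" in requested or requested in (".", ".."):
        return None
    candidate = DOWNLOAD_ROOT / requested
    # Belt and braces: the joined path must be a direct child of the root.
    if candidate.parent != DOWNLOAD_ROOT:
        return None
    return candidate


def escapes_root(path: PurePosixPath) -> bool:
    """True if the path is not a direct child of DOWNLOAD_ROOT.

    Normalises '.' and '..' segments lexically (no filesystem access), so the
    harness runs offline and does not depend on what exists on disk.
    """
    parts: List[str] = []
    for seg in path.parts[1:]:  # parts[0] is '/' for an absolute path
        if seg == "..":
            if parts:
                parts.pop()
        elif seg != ".":
            parts.append(seg)
    normalised = PurePosixPath("/", *parts)
    return normalised.parent != DOWNLOAD_ROOT


def run_test_to_fail(
    resolver: Callable[[str], Optional[PurePosixPath]],
) -> Dict[str, List[str]]:
    """Attack the resolver with every hostile input and record the outcome.

    accepted_hostile: hostile names the resolver did not reject (expected: none)
    escaped_root:     accepted names that resolved outside the download root
    rejected_benign:  legitimate names the resolver refused (usability bugs)
    """
    report: Dict[str, List[str]] = {
        "accepted_hostile": [],
        "escaped_root": [],
        "rejected_benign": [],
    }
    for hostile in HOSTILE_INPUTS:
        result = resolver(hostile)
        if result is not None:
            report["accepted_hostile"].append(hostile)
            if escapes_root(result):
                report["escaped_root"].append(hostile)
    for benign in BENIGN_INPUTS:
        if resolver(benign) is None:
            report["rejected_benign"].append(benign)
    return report


if __name__ == "__main__":
    for name, resolver in (("naive", resolve_naive), ("hardened", resolve_hardened)):
        print(name, run_test_to_fail(resolver))
```

The point of the harness is the mindset the slide describes: every hostile input is an expectation of failure, and the feature passes only when it refuses all of them while still serving the benign names. Note that the naive resolver accepts every hostile input, but only some of them actually leave the root; a tester who checked just the traversal case would miss the NUL-byte and oversized-name cases, which the hardened version also rejects.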