2. Table of Contents
Software security measures
What is software security?
Why security testing?
Approaches to software security testing
Security models
Integration of security model in SDLC
Conclusion
3. Software Security measures
Security testing takes the following six measures to provide a secured
environment:
Confidentiality - It protects against disclosure of information to
unintended recipients.
Integrity - It allows transferring accurate and correct desired
information from senders to intended receivers.
Authentication - It verifies and confirms the identity of the user.
Authorization - It specifies access rights to the users and
resources.
Availability - It ensures readiness of the information on
requirement.
Non-repudiation - It ensures there is no denial from the sender or
the receiver for having sent or received the message.
4. What is software security Testing?
Security Testing is a type of software testing that intends to
uncover vulnerabilities of the system and determine that its
data and resources are protected from possible intruders.
It states that a system meets its security requirements and to
identify and minimize the number of vulnerabilities before
the software goes into production.
It ensures the software being tested is robust and continues
to function in presence of a malicious attack.
5. Why Security Testing
For Finding Loopholes
For Zeroing IN on Vulnerabilities
For identifying Design Insecurities
For identifying Implementation Insecurities
For identifying Dependency Insecurities and Failures
For Information Security
For Process Security
For Internet Technology Security
For Communication Security
For Improving the System
For confirming Security Policies
6. Approach to Software Security Testing
Study of Security Architecture
Analysis of Security Requirements
Classifying Security Testing
Developing Objectives
Threat Modeling
Test Planning
Execution
Reports
7. Security Methods
Two common methods foe testing are:
Functional security testing
Risk-based security testing
8. Functional security testing
It ensures that software behaves as specified and the requirements
defined are satisfied at an acceptable level.
It states that when a specific thing happens, then the software should
respond in a certain way. It starts when software is ready to test.
It address with positive requirements.
Some functional testing techniques are:
Ad-hoc testing and exploratory testing
Specification-based and model based testing.
State based testing
Robustness and fault based testing
Code based testing
Control flow testing
9. Risk based testing
Risk based testing address with negative requirements which
states that what a software system should not do.
It can encompass high level as well as low level risk in a
software.
Test for negative requirements
Use past experience
Use of attack patterns
10. Integration of security processes with the SDLC
If we postpone security testing after software implementation phase or
after deployment. So, it is necessary to involve security testing in SDLC
life cycle in the earlier phases.
11. SDLC Phases Security Processes
Requirements Security analysis for requirements and check abuse/misuse cases
Design Security risks analysis for designing. Development of test plan
including security tests
Coding and Unit Testing Static and Dynamic Testing and Security white box testing
Integration Testing Black Box Testing
System Testing Black Box Testing and Vulnerability scanning
Implementation Penetration Testing, Vulnerability Scanning
Support Impact analysis of Patches
12. Software security in different phases
During the requirement phase test planning focus on how
each requirement can and will be tested.
Security risk analysis starts from this phase.
Risk find in this phase can be reduced by a feature called
mitigation of those risks.
After this secure design and code phase is conducted which
includes security risk analysis for design and coding.
The role of security testing in test phase is given as:
13. Unit testing
In this individual classes, methods, functions are tested.
White box testing is used to validate design decisions and
assumptions and finding errors.
It requires how to think like an attacker and how to use
different testing tools for that.
14. Integrated testing
It focuses on a collection of subsystems,which may contain
many executable components.
Many errors can occur when the components interact with
each other.
Integration error are the most common sources of
unchecked input values.
It is important to determine the which data flows and control
flows can and can not influenced by a potential attacker.
15. System Testing
It includes
stress testing:Software performs differently when it is under
stress.It is common target of an attacker so it is important to
consider early.
Black-box testing:It focues on the visible behavior of software
like API’s.It include the network security,database security
amd web application security.
Penetration Testing:It allows project managers to assess how
an attacker is likely to try subvert the system. It refers to
testing the computer security by compromise its security.
16. Conclusion
Analysis the definition of Software security testing.
Approaches of security testing.
Why and how to implement security testing in each phase of
SDLC.
Hence software security testing is important part of software
development.