The document discusses software security testing. It defines software security testing as testing that aims to uncover vulnerabilities in a system and ensure data and resources are protected from intruders. The document then describes common security measures, approaches to security testing including functional and risk-based methods, and how security processes can be integrated into the software development lifecycle. It outlines how security testing is relevant at various stages including requirements, design, coding, integration, and system testing.

1. Software Security Testing
Presented By:
Name:Neha Bansal
Mtech(ISSE)

2. Table of Contents
 Software security measures
 What is software security?
 Why security testing?
 Approaches to software security testing
 Security models
 Integration of security model in SDLC
 Conclusion

3. Software Security measures
Security testing takes the following six measures to provide a secured
environment:
 Confidentiality - It protects against disclosure of information to
unintended recipients.
 Integrity - It allows transferring accurate and correct desired
information from senders to intended receivers.
 Authentication - It verifies and confirms the identity of the user.
 Authorization - It specifies access rights to the users and
resources.
 Availability - It ensures readiness of the information on
requirement.
 Non-repudiation - It ensures there is no denial from the sender or
the receiver for having sent or received the message.

4. What is software security Testing?
 Security Testing is a type of software testing that intends to
uncover vulnerabilities of the system and determine that its
data and resources are protected from possible intruders.
 It states that a system meets its security requirements and to
identify and minimize the number of vulnerabilities before
the software goes into production.
 It ensures the software being tested is robust and continues
to function in presence of a malicious attack.

5. Why Security Testing
 For Finding Loopholes
 For Zeroing IN on Vulnerabilities
 For identifying Design Insecurities
 For identifying Implementation Insecurities
 For identifying Dependency Insecurities and Failures
 For Information Security
 For Process Security
 For Internet Technology Security
 For Communication Security
 For Improving the System
 For confirming Security Policies

6. Approach to Software Security Testing
 Study of Security Architecture
 Analysis of Security Requirements
 Classifying Security Testing
 Developing Objectives
 Threat Modeling
 Test Planning
 Execution
 Reports

7. Security Methods
Two common methods foe testing are:
 Functional security testing
 Risk-based security testing

8. Functional security testing
 It ensures that software behaves as specified and the requirements
defined are satisfied at an acceptable level.
 It states that when a specific thing happens, then the software should
respond in a certain way. It starts when software is ready to test.
 It address with positive requirements.
 Some functional testing techniques are:
 Ad-hoc testing and exploratory testing
 Specification-based and model based testing.
 State based testing
 Robustness and fault based testing
 Code based testing
 Control flow testing

9. Risk based testing
 Risk based testing address with negative requirements which
states that what a software system should not do.
 It can encompass high level as well as low level risk in a
software.
 Test for negative requirements
 Use past experience
 Use of attack patterns

10. Integration of security processes with the SDLC
 If we postpone security testing after software implementation phase or
after deployment. So, it is necessary to involve security testing in SDLC
life cycle in the earlier phases.

11. SDLC Phases Security Processes
Requirements Security analysis for requirements and check abuse/misuse cases
Design Security risks analysis for designing. Development of test plan
including security tests
Coding and Unit Testing Static and Dynamic Testing and Security white box testing
Integration Testing Black Box Testing
System Testing Black Box Testing and Vulnerability scanning
Implementation Penetration Testing, Vulnerability Scanning
Support Impact analysis of Patches

12. Software security in different phases
 During the requirement phase test planning focus on how
each requirement can and will be tested.
 Security risk analysis starts from this phase.
 Risk find in this phase can be reduced by a feature called
mitigation of those risks.
 After this secure design and code phase is conducted which
includes security risk analysis for design and coding.
 The role of security testing in test phase is given as:

13. Unit testing
 In this individual classes, methods, functions are tested.
 White box testing is used to validate design decisions and
assumptions and finding errors.
 It requires how to think like an attacker and how to use
different testing tools for that.

14. Integrated testing
 It focuses on a collection of subsystems,which may contain
many executable components.
 Many errors can occur when the components interact with
each other.
 Integration error are the most common sources of
unchecked input values.
 It is important to determine the which data flows and control
flows can and can not influenced by a potential attacker.

15. System Testing
It includes
 stress testing:Software performs differently when it is under
stress.It is common target of an attacker so it is important to
consider early.
 Black-box testing:It focues on the visible behavior of software
like API’s.It include the network security,database security
amd web application security.
 Penetration Testing:It allows project managers to assess how
an attacker is likely to try subvert the system. It refers to
testing the computer security by compromise its security.

16. Conclusion
 Analysis the definition of Software security testing.
 Approaches of security testing.
 Why and how to implement security testing in each phase of
SDLC.
 Hence software security testing is important part of software
development.

17. Thank You

18. Any Question?