Software Security Testing by Gary McGraw, Bruce Potter presented by Edward Bonver 11/07/2005.


1 Software Security Testing by Gary McGraw, Bruce Potter presented by Edward Bonver 11/07/2005

2 Security Testing Dilemma
- Security testing depends heavily on expertise and experience
- Budget and timing constraints
- QA is usually under pressure to complete the “feature test sets” (i.e. functional testing) (QA resources)

3 “Choose Any Two…”
- Cost
- Security
- Usability

4 Reactive vs. Proactive
- Most defensive mechanisms on the market that “provide security” do little to address the heart of the problem, which is bad security
- They operate in reactive mode
- Instead, in order to increase the levels of assurance of software security, we (software organizations, QA) need to be proactive

5 Software Development Life Cycle, With Security In Mind

6 [Figure: lifecycle diagram. Source: Microsoft PDC 2005]
Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing
Traditional Microsoft Software Product Development Lifecycle Tasks and Processes: Feature Lists; Quality Guidelines; Arch Docs; Schedules; Functional Specifications; Design Specifications; Testing and Verification; Development of New Code; Bug Fixes; Code Signing A Checkpoint Express Signoff; RTM; Product Support; Service Packs/QFEs; Security Updates
Microsoft’s Security Deployment Lifecycle Tasks and Processes: Security Training; Security Kickoff & Register with SWI; Security Design Best Practices; Security Arch & Attack Surface Review; Threat Modeling; Use Security Development Tools & Security Best Dev & Test Practices; Create Security Docs and Tools For Product; Prepare Security Response Plan; Security Push; Pen Testing; Final Security Review; Security Servicing & Response Execution

7 What’s So Different About Security?
- “Software security is about making software behave correctly in the presence of a malicious attack.”
- “The difference between software safety and software security is therefore the presence of an intelligent adversary bent on breaking the system.”

8 Intended Versus Implemented Software Behavior in Applications
- Most security bugs lie in the areas of the figure beyond the circle, as side effects of normal application functionality
Source: Herbert H. Thompson, Security Innovation

9 Security Risk Analysis — It’s All Relative…
- Information and services being protected
- Skills and resources of the adversaries
- Costs of potential assurance remedies

10 Conclusion
- There is an absolute need for software security testing
- Software security testing should be done proactively, and should be embedded into the software development life cycle
- Software security testing is not easy – it requires time, resources, experience and expertise

11 References
- “Software Security Testing”, Gary McGraw, Bruce Potter, IEEE Security & Privacy, September/October, 2004, pp. 81-85
- “Why Security Testing Is Hard”, Herbert H. Thompson, IEEE Security & Privacy, July/August, 2003, pp. 83-86

12 Questions?
Go easy on me, too!

