Herbert H. Thompson
ABSTRACT
Traditional Black box software testing can be effective at exposing some classes of software failures. Security class failures, however, do not tend to manifest readily using these techniques. The problem is that many security failures occur in stressed environments, which appear in the field, but are often neglected during testing because of the difficulty to simulate these conditions. Software can only be considered secure if it behaves securely under all operating environments. Hostile environment testing must thus be a part of any overall testing strategy. This paper describes this necessity and a black box approach for creating such environments in order to expose security vulnerabilities.
- Bowden, T.;. Segal, M., "Remediation of Application-Specific Security Vulnerabilities at Runtime", IEEE Software, Vol. 17, No. 5, pp. 59-67, September/October 2000. Google Scholar
Digital Library
- Houlihan, P., "Targeted software fault insertion," Proceedings of STAR EAST 2001 (Software Testing Analysis and Review), Software Quality Engineering, Inc., Orlando FL, 2001.Google Scholar
- Richter, J., Programming Applications for Microsoft Windows, Microsoft Press, 1997. Google ScholarDigital Library
- Viega, J. and McGraw, G., Building Secure Software, Addison-Wesley, 2001.Google Scholar
- Viega, J.; Kohno, T.; Potter, B., "Trust (and Mistrust) in Secure Applications", Communications of the ACM, Vol. 44, No. 2, pp. 31-36, February 2001. Google ScholarDigital Library
- Voas, J. and McGraw, G., Software fault injection: inoculating programs against errors, Wiley, NY, 1998. Google ScholarDigital Library
- Whittaker, J., "Software's invisible users," IEEE Software, Vol. 18, No. 3, pp. 84-88 (2001). Google ScholarDigital Library
Index Terms
- Software security vulnerability testing in hostile environments
Recommendations
Software security vulnerabilities: baselining and benchmarking
SEAD '18: Proceedings of the 1st International Workshop on Security Awareness from Design to DeploymentThe security of a company's software products is of paramount importance, of course, and arguably even more important than software reliability and the other key quality attributes. But companies are currently faced with a troublesome dilemma: Supplying ...
Security Engineering Approach to Support Software Security
SERVICES '10: Proceedings of the 2010 6th World Congress on ServicesAs information security and privacy become increasingly important to organizations, the demand grows for software development processes that assure information integrity, availability, and confidentiality. Unfortunately, despite the investments made in ...
Testing for Software Vulnerability Using Environment Perturbation
DSN '00: Proceedings of the 2000 International Conference on Dependable Systems and Networks (formerly FTCS-30 and DCCA-8)We describe a methodology for testing a software system for possible security flaws. Based on the observation that most security flaws are caused by the program's inappropriate interactions with the environment, and triggered by user's malicious ...
Comments