Software Security Testing
by Gary McGraw, Bruce Potter
presented by Edward Bonver
11/07/2005
11/07/2005 2Edward Bonver Software Security Testing
Security Testing Dilemma
Security testing depends heavily on expertise and experience
Budget and timing constraints
QA is usually under pressure to complete the “feature test sets” (i.e. functional testing) (QA resources)
“Choose Any Two…”
Cost
Security
Usability
Reactive vs. Proactive
Most defensive mechanisms which “provide security” on the market do little to address the heart of the problem, which is bad security
They operate in reactive mode
Instead, in order to increase the levels of assurance of software security, we (software organizations, QA) need to be proactive
Software Development Life Cycle, With Security In Mind
[Figure: lifecycle diagram. Source: Microsoft PDC 2005]
Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing
Traditional Microsoft Software Product Development Lifecycle Tasks and Processes: Feature Lists; Quality Guidelines; Arch Docs; Schedules; Design Specifications; Functional Specifications; Development of New Code; Bug Fixes; Testing and Verification; Code Signing A Checkpoint Express Signoff; RTM; Product Support; Service Packs/QFEs; Security Updates
Microsoft’s Security Deployment Lifecycle Tasks and Processes: Security Training; Security Kickoff & Register with SWI; Security Design Best Practices; Security Arch & Attack Surface Review; Threat Modeling; Use Security Development Tools & Security Best Dev & Test Practices; Create Security Docs and Tools For Product; Prepare Security Response Plan; Security Push; Pen Testing; Final Security Review; Security Servicing & Response Execution
What’s So Different About Security?
“Software security is about making software behave correctly in the presence of a malicious attack.”
“The difference between software safety and software security is therefore the presence of an intelligent adversary bent on breaking the system.”
Intended Versus Implemented Software Behavior in Applications
Most security bugs lie in the areas of the figure beyond the circle, as side effects of normal application functionality
Source: Herbert H. Thompson, Security Innovation
Security Risk Analysis — It’s All Relative…
Information and services being protected
Skills and resources of the adversaries
Costs of potential assurance remedies
Conclusion
There is an absolute need for software security testing
Software security testing should be done proactively, and should be embedded into the software development life cycle
Software security testing is not easy – it requires time, resources, experience and expertise
References
“Software Security Testing”, Gary McGraw, Bruce Potter, IEEE Security & Privacy, September/October, 2004, pp. 81-85
“Why Security Testing Is Hard”, Herbert H. Thompson, IEEE Security & Privacy, July/August, 2003, pp. 83-86
Questions?
• Go easy on me, too!