51Testing软件测试论坛

 找回密码
 (注-册)加入51Testing

QQ登录

只需一步,快速开始

微信登录,快人一步

手机号码,快捷登录

查看: 2427|回复: 0
打印 上一主题 下一主题

[转贴] A Primer in Software Security Testing (Part 3)

[复制链接]

该用户从未签到

跳转到指定楼层
1#
发表于 2006-6-10 22:10:06 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
链接请见:
http://www.logigear.com/newslett ... _testing_part-3.asp

In part 1 and part 2 of this article, I discussed what computer and software security are, how they can be tested, and what targets and assets must be secured and tested. In this third and final part, I'll address the question of who is responsible for security testing, and how they can educate themselves to adequately perform these functions.

So who should own the responsibility for security? Often times, there are several groups of people in an organization who have influence over, or are responsible for, the security issues of an application and the operational infrastructure that supports the product as a whole. Usually, the members of the security-team, mentioned above, are key players from the following functions:

    * Policy makers including information security staff who define security requirements to reasonably ensure user's and producer's confidence in the system's security defenses.
    * Network administrators who design and implement security measures to ensure that the security defense objectives at the operational level are met.
    * Software developers who design and implement security defenses at the application level to ensure that the security requirements are met.
    * Testers who are responsible for testing the Web and software systems to uncover security-related flaws in the design, implementation and configuration, and functional errors introduced in the implementation of security defenses, primarily, at the application level; and secondarily, at the operational level.

The first step toward enabling your organization's software security testing capability is education. Education is a major step in developing a successful security program. Programming, testing, IT teams and other involved staff should all learn and understand the issues we face in information security. The people involved in securing the company-authored applications should constantly learn about existing and new techniques used by hackers to exploit vulnerabilities in software so that appropriate fixes can be made in a timely manner. The test engineers must understand some of the fundamental software security-related bugs such as poor error handling including buffer-overflows, input validation (or lack of it), cross-site scripting and so on, so that they know which bugs to seek out and where to find them. The people involved in securing the live systems should constantly monitor public information sources to learn about existing and new vulnerabilities in third-party applications/servers used in the systems so that:

    * Appropriate responses can be made quickly to minimize damages.
    * Appropriate patches can be applied quickly and patch-testing can be executed to ensure that side-effects are minimal.

To get you started, following are some good sources of security-related information including vendor Web sites, security portals, and security mailing lists.

    * Testing Applications on the Web, second edition by Hung Nguyen, et al., Wiley, 2003
    * How to Break Web Software : Functional and Security Testing of Web Applications and Web Services by Mike Andrews and James A. Whittaker, Pearson Addison Wesley; 2003
    * Web Applications (Hacking Exposed) by Joel Scambray, Mike Shema, McGraw-Hill Osborne Media, 2002
    * Writing Secure Code, Second Edition by Michael Howard and David C. LeBlanc, Microsoft, 2002
    * The Top 10 Lists:
      http://www.sans.org/top20/
      http://www.owasp.org/documentation/topten.html
    * The OWASP Guide to Building Secure Web Applications
    * The OWASP Testing Project
    * Other online resources and link pages:
          o Security-related testing link page at Logigear.com
          o BugTraq
          o Security Focus Online
          o CERT/CC Web site
          o RAS Security Web site

To summarize this entire article series, software security testing is the attempt to make sure that your company's assets are protected from both intentional and inadvertent breaches. Security testing is fundamentally different from functional testing, and requires a much broader set of skills and knowledge. While software test engineers should focus testing at the application level only, when performing system security testing, your company must involve people who are responsible for security defense from across the organization, and focus on a broad array of potential targets or vulnerabilities.
分享到:  QQ好友和群QQ好友和群 QQ空间QQ空间 腾讯微博腾讯微博 腾讯朋友腾讯朋友
收藏收藏
回复

使用道具 举报

本版积分规则

关闭

站长推荐上一条 /1 下一条

小黑屋|手机版|Archiver|51Testing软件测试网 ( 沪ICP备05003035号 关于我们

GMT+8, 2024-11-23 21:59 , Processed in 0.070324 second(s), 28 queries .

Powered by Discuz! X3.2

© 2001-2024 Comsenz Inc.

快速回复 返回顶部 返回列表