Why Security Testing Is Hard by Herbert H. Thompson presented by Carlos Hernandez.

Overview
• Introduction
• Side-effect behavior
• The state of security testing
• The need for techniques
• The need for tools
• Conclusion
• Q & A

Introduction
• Software testing has become pretty good at verifying requirements
• Many types of bugs escape testing
• Testers make test cases for correctness, not for the absence of additional behavior

Side-effect behavior
• Typical functional test
  – Apply input A
  – Look for presence of result B
• What if the application also performs action C?
• Example: RDISK utility in Windows NT 4.0

Side-effect behavior cont.
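The "apply input A, look for result B" test on the previous slide passes even when the code also performs an unwanted action C. The harness below is an added example, not code from the presentation: it snapshots a working directory before and after the function under test, then reports any file that appeared without being the expected output and any new file readable by other users. The function `backup_config` is hypothetical and deliberately leaves a world-readable scratch copy behind so the check has something to find; the presentation's RDISK example is not reproduced here.

```python
"""Side-effect check wrapped around an ordinary functional test.
Added example; backup_config is a hypothetical function under test."""
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Record every file under root with its permission bits, so we can diff later."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            result[str(p.relative_to(root))] = stat.S_IMODE(p.stat().st_mode)
    return result


def backup_config(workdir: Path, payload: bytes) -> Path:
    """Hypothetical function under test: writes a backup of configuration data.
    Result B is the backup file. It also drops a world-readable scratch copy,
    the kind of 'action C' a correctness-only test never looks for."""
    out = workdir / "backup.bin"
    out.write_bytes(payload)
    os.chmod(out, 0o600)
    scratch = workdir / "backup.tmp"   # unexpected side effect
    scratch.write_bytes(payload)
    os.chmod(scratch, 0o644)
    return out


def run_with_side_effect_check(func, workdir: Path, *args) -> dict:
    """Apply the input, accept result B, then diff the environment for any C."""
    before = snapshot(workdir)
    result = func(workdir, *args)
    after = snapshot(workdir)
    expected = {str(result.relative_to(workdir))}
    new_files = {name: mode for name, mode in after.items() if name not in before}
    unexpected = {name: mode for name, mode in new_files.items() if name not in expected}
    # Anything a different local user could read is a finding even if it was expected.
    readable_by_others = {
        name: mode for name, mode in new_files.items()
        if mode & (stat.S_IRGRP | stat.S_IROTH)
    }
    return {"unexpected_files": unexpected, "readable_by_others": readable_by_others}


def demo() -> dict:
    """Run the check in a throwaway directory with a constructed secret."""
    with tempfile.TemporaryDirectory() as d:
        return run_with_side_effect_check(backup_config, Path(d), b"secret=hunter2")


if __name__ == "__main__":
    print(demo())
```

The same pattern extends to other environment interactions a test would otherwise ignore: registry keys, open network listeners, or spawned processes can be snapshotted and diffed in the same way.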

The state of security testing
• Security testing traditionally referred to executing a suite of scripted tests that represent known exploits
• Problem = finds old vulnerabilities, not new ones
• This technique actually works because developers make the same mistakes
• Recently there has been an increasing level of security awareness

The need for techniques
• Key to success is extracting techniques to find bugs instead of translating them into scripted test cases
• Study conducted by Thompson and Whittaker
  – What fault would have caused this vulnerability?
  – What were the failure symptoms that should have alerted a tester to the vulnerability's presence?
  – What testing technique would find this vulnerability?

Techniques cont.
• 4 general classes of testing techniques:
  1. Dependencies
  2. Unanticipated user input
  3. Techniques to expose design vulnerabilities
  4. Techniques to expose implementation vulnerabilities

Dependency failures
• Software operates in a highly codependent environment
• 2 security issues are of concern:
  1. Application might inherit insecurities
  2. External resource that provides some security service to an application might become unavailable or fail
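The second concern on this slide, a security service that becomes unavailable, is tested by deliberately making the dependency fail and checking which way the application falls. The example below is added here and is not from the presentation; `AuthzService`, `gate_fail_open` and `gate_fail_closed` are hypothetical. The fail-open gate treats "no answer" like "permitted", which is the dependency failure the slide warns about; the fail-closed gate denies instead.

```python
"""Dependency-failure test: does the application fail closed when an external
authorization service is unavailable? Added example with hypothetical names."""


class AuthzUnavailable(Exception):
    """Raised when the external authorization service cannot be reached."""


class AuthzService:
    """Stand-in for an external resource that provides a security decision.
    The 'available' flag lets a test simulate the dependency going down."""

    def __init__(self, allowed: set, available: bool = True):
        self.allowed = allowed
        self.available = available

    def is_allowed(self, user: str, action: str) -> bool:
        if not self.available:
            raise AuthzUnavailable("authz service down")
        return (user, action) in self.allowed


def gate_fail_open(service: AuthzService, user: str, action: str) -> bool:
    """Defect: an unavailable dependency is treated like a permitted action."""
    try:
        return service.is_allowed(user, action)
    except AuthzUnavailable:
        return True


def gate_fail_closed(service: AuthzService, user: str, action: str) -> bool:
    """Fix: deny when the dependency cannot answer. Callers can log and retry."""
    try:
        return service.is_allowed(user, action)
    except AuthzUnavailable:
        return False


def dependency_failure_test(gate) -> dict:
    """Run the same gate against a healthy and a failed dependency.
    The allowed set is constructed for the example."""
    allowed = {("alice", "read")}
    healthy = AuthzService(allowed, available=True)
    broken = AuthzService(allowed, available=False)
    return {
        "healthy_alice_read": gate(healthy, "alice", "read"),
        "healthy_bob_delete": gate(healthy, "bob", "delete"),
        "broken_alice_read": gate(broken, "alice", "read"),
        "broken_bob_delete": gate(broken, "bob", "delete"),
    }


if __name__ == "__main__":
    print("fail-open:  ", dependency_failure_test(gate_fail_open))
    print("fail-closed:", dependency_failure_test(gate_fail_closed))
```

Both gates behave identically while the dependency is healthy, which is why a functional test alone cannot tell them apart; only the simulated outage separates them.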

Unanticipated user input
• Some inputs can cause undesirable side effects and require special testing attention
• Most notorious side effect: buffer overflow
• Applications might not consider characters and character combinations that the application could interpret as commands
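The slide's two input classes, oversize values and characters the application might interpret as commands, can be turned into a reusable set of test inputs. The example below is added here and is not from the presentation: `validate_report_name` is a hypothetical allowlist validator for a user-supplied name that later reaches a file path or a command argument, `validate_denylist` is the weaker check it replaces, and `unanticipated_inputs` is a constructed set of cases. Running both validators over the same cases shows which unanticipated inputs the denylist lets through.

```python
"""Unanticipated-input tests for a user-supplied name.
Added example; both validators and the input set are hypothetical/constructed."""
import re

MAX_LEN = 64
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate_denylist(name: str) -> bool:
    """Weak check: rejects only the few metacharacters the author thought of."""
    return not any(c in name for c in ";|&")


def validate_report_name(name: str) -> bool:
    """Allowlist check: bounded length, ASCII alphanumerics plus '_', '.', '-',
    and no '..' component, so nothing else can reach a path or command."""
    if not isinstance(name, str) or not (0 < len(name) <= MAX_LEN):
        return False
    if "\x00" in name or ".." in name:
        return False
    return SAFE_NAME.fullmatch(name) is not None


def unanticipated_inputs() -> dict:
    """Constructed cases a correctness-only test would skip."""
    return {
        "oversize": "A" * (MAX_LEN + 1),        # length limit
        "semicolon": "report;x",                 # command separators
        "pipe": "a|b",
        "backtick": "`x`",                       # substitution forms
        "dollar_paren": "$(x)",
        "newline": "report\nx",                  # line break as separator
        "nul": "report\x00.txt",                 # string terminator confusion
        "path_traversal": "../../other",         # path separators
        "unicode_fullwidth": "report\uff1bid",   # non-ASCII lookalike of ';'
        "empty": "",
    }


def run_input_tests(validator) -> dict:
    """Map each case name to the validator's verdict; True means accepted."""
    results = {name: validator(value) for name, value in unanticipated_inputs().items()}
    results["benign"] = validator("quarterly_report-2.txt")
    return results


if __name__ == "__main__":
    for label, v in (("denylist", validate_denylist), ("allowlist", validate_report_name)):
        accepted = [k for k, ok in run_input_tests(v).items() if ok]
        print(f"{label}: accepted {accepted}")
```

The denylist accepts the backtick, newline, NUL, traversal and oversize cases; the allowlist accepts only the benign name. Checking a whole class of inputs rather than a single known-bad string is the technique the slide asks for.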

Design insecurities
• Many security vulnerabilities are designed into an application, e.g. test instrumentation added for testing purposes
• Many applications are released with these instrumentations
• These interfaces can bypass security controls to allow easy testing
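Test instrumentation that bypasses a security control is a design decision, so it needs a design-level test: exercise the control with the hook active in a release configuration, and check the build configuration before shipping. The example below is added here and is not from the presentation; `BuildConfig`, the bypass header name and both `authenticate` variants are hypothetical.

```python
"""Design-level insecurity: test instrumentation that ships in a release build.
Added example; BuildConfig, the header name and both variants are hypothetical."""
from dataclasses import dataclass

BYPASS_HEADER = "X-Test-Bypass"   # hypothetical test hook

# Constructed credential store for the example.
_USERS = {"alice": "correct-horse"}


@dataclass(frozen=True)
class BuildConfig:
    build: str          # "test" or "release"
    test_hooks: bool    # whether test instrumentation is enabled


def check_password(username: str, password: str) -> bool:
    return _USERS.get(username) == password


def authenticate_shipped(cfg: BuildConfig, username: str, password: str, headers: dict) -> bool:
    """As designed for testing: the hook is honored whenever the flag is on,
    so a release build that keeps test_hooks=True lets the header skip the check."""
    if cfg.test_hooks and headers.get(BYPASS_HEADER) == "1":
        return True
    return check_password(username, password)


def authenticate_hardened(cfg: BuildConfig, username: str, password: str, headers: dict) -> bool:
    """The hook exists only in test builds; release builds ignore it entirely."""
    if cfg.build == "test" and cfg.test_hooks and headers.get(BYPASS_HEADER) == "1":
        return True
    return check_password(username, password)


def release_config_check(cfg: BuildConfig) -> list:
    """Pre-ship check: test instrumentation must be off in release builds."""
    findings = []
    if cfg.build == "release" and cfg.test_hooks:
        findings.append("test_hooks enabled in release build")
    return findings


def instrumentation_test(authenticate, cfg: BuildConfig) -> dict:
    """Exercise the login with and without the test hook header."""
    bypass = {BYPASS_HEADER: "1"}
    return {
        "good_creds": authenticate(cfg, "alice", "correct-horse", {}),
        "bad_creds": authenticate(cfg, "alice", "wrong", {}),
        "bad_creds_with_hook": authenticate(cfg, "alice", "wrong", bypass),
    }


if __name__ == "__main__":
    leaky = BuildConfig(build="release", test_hooks=True)
    print("shipped  :", instrumentation_test(authenticate_shipped, leaky))
    print("hardened :", instrumentation_test(authenticate_hardened, leaky))
    print("config   :", release_config_check(leaky))
```

The `bad_creds_with_hook` case is the one a correctness test never includes, because the hook was never part of the requirements; the configuration check catches the same problem before any request is sent.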

Implementation insecurities
• Imperfect implementation can make even the most perfect designs insecure
• Specifications can outline security meticulously and yet be implemented in a way that causes insecurity, e.g. an implementation open to a man-in-the-middle attack

The need for tools
• The software community desperately needs tools that address the peculiarities of security vulnerabilities and bring their symptoms into plain view during development and testing
• Able to not only monitor for side effects and environmental interactions but manipulate them as well

Conclusion
• Security testing must change
• We must put new methods into practice if we ever hope to ship secure code with confidence

Q & A
• If you have any questions, just pretend you're me and answer yourself.
• Just remember, if there aren't any questions we can go home faster!