CSCE 548 Secure Software Development Risk-Based Security Testing.

CSCE Farkas2
Reading
This lecture:
– Risk-Based Security Testing, McGraw: Chapter 7
Next lecture:
– Security Operations, McGraw: Chapter 9

Application of Touchpoints
[Figure: touchpoints applied to software artifacts]
Software artifacts: Requirement and Use cases; Architecture and Design; Test Plans; Code; Tests and Test Results; Feedback from the Field
Touchpoints as numbered in the figure: 1. Code Review (Tools); 2. Risk Analysis (shown twice); 3. Penetration Testing; 4. Risk-Based Security Tests; 5. Abuse cases; 6. Security Requirements; 7. Security Operations; External Review (unnumbered)

Software Testing
Running a program or system with the intent of finding errors
Evaluating capability of the system and determining that its requirements are met
Physical processes vs. Software processes
Testing purposes
– To improve quality
– For Verification & Validation (V&V)
– For reliability estimation

Quality Assurance
External quality: correctness, reliability, usability, integrity
Interior (engineering) quality: efficiency, testability, documentation, structure
Future (adaptability) quality: flexibility, reusability, maintainability

Correctness Testing
Black box:
– Test data are derived from the specified functional requirements without regard to the final program structure
– Data-driven, input/output driven, or requirements-based
– Functional testing
– No implementation details of the code are considered

Correctness Testing
White box:
– Software under test is visible to the tester
– Testing plans: based on the details of the software implementation
– Test cases: derived from the program structure
– Glass-box testing, logic-driven testing, or design-based testing

Performance Testing
Goal: bottleneck identification, performance comparison and evaluation, etc.
Explicit or implicit requirements
"Performance bugs" – design problems
Test: usage, throughput, stimulus-response time, queue lengths, etc.
Resources to be tested: network bandwidth requirements, CPU cycles, disk space, disk access operations, memory usage, etc.

Reliability Testing
Probability of failure-free operation of a system
Dependable software: it does not fail in unexpected or catastrophic ways
Difficult to test

Security Testing
Test: finding flaws in software that can be exploited by attackers
Quality, reliability and security are tightly coupled
Software behavior testing
– Need: risk-based approach using system architecture information and attacker’s model

Risk-Based Testing
Identify risks
Create tests to address identified risks
Security testing vs. penetration testing
– Level of approach
– Timing of testing

Penetration Testing
Performed after the software is completed
– Evaluate operational environment
– Dynamic behavior
Outside-in activity – defending perimeters
Cursory

Security Testing
Can be applied before the product is completed
Different levels of testing (e.g., component/unit level vs. system level)
Testing environment
Detailed

Risk Analysis
Design phase analysis:
– Identify and rank risks
– Discusses inter-component assumptions
Component/unit testing
– Test for:
  Unauthorized misuse of and access to the target assets
  Violations of assumptions
– Breaking system into a number of discrete parts
– Risk can be mitigated within the bounds of contextual assumptions

System-Level Testing
Focus on the properties of the integrated software system
Penetration testing = Security testing
Using data flow diagrams, models, and inter-component documentation, identify
– Inter-component failures
– Design level security risks
Use misuse cases to enhance test plan

Behavior in the Presence of Malicious Attack
What happens when the software fails?
– Safety critical systems
Track risk over time
Security relative to
– Information and services protected
– Skills and resources of adversaries
– Cost of protection
System vulnerabilities

Vulnerabilities
Design-level
– Hardest to detect
– Prevalent and critical
– Requires great expertise to detect – hard to automate
Implementation specific
– Critical
– Easier to detect – some automation

Security Testing
Functional security testing: testing security mechanisms for functional capabilities
Adversarial security testing: risk-based security testing
– Understanding and simulating the attacker’s approach
Both approaches must be used
Security attacks may ignore the security mechanism and exploit defects in the software
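
Added example, not part of the original slides: a constructed file store whose access check passes every functional security test, while adversarial tests derived from one identified risk (the check and the lookup disagree about the path) expose a bypass. All names (`read_v1`, `read_v2`, `GRANTS`, the users and paths) are hypothetical.

```python
import posixpath

# Constructed store: user names, paths and contents are illustrative only.
FILES = {"public/readme.txt": "hello", "admin/keys.txt": "SECRET"}
GRANTS = {"alice": ("public/",)}  # directory prefixes each user may read

class Denied(Exception):
    pass

def read_v1(user, path):
    # Defect: the access check sees the raw path, the lookup a normalized one.
    if not path.startswith(GRANTS.get(user, ())):
        raise Denied(path)
    return FILES[posixpath.normpath(path)]

def read_v2(user, path):
    # Hardened: canonicalize once, then check and look up the same string.
    canon = posixpath.normpath(path)
    if not canon.startswith(GRANTS.get(user, ())):
        raise Denied(path)
    return FILES[canon]

def outcome(read, user, path):
    try:
        return "read:" + read(user, path)
    except Denied:
        return "denied"
    except KeyError:
        return "missing"

# Functional security tests: does the mechanism do what the requirement says?
FUNCTIONAL = [
    ("alice", "public/readme.txt", "read:hello"),
    ("alice", "admin/keys.txt", "denied"),
    ("mallory", "public/readme.txt", "denied"),
]
# Adversarial tests, derived from the risk "check and lookup disagree on the path".
ADVERSARIAL = [
    ("alice", "public/../admin/keys.txt", "denied"),
    ("alice", "public/./../admin/keys.txt", "denied"),
    ("alice", "public//readme.txt", "read:hello"),
]

def failures(read, cases):
    """Return the (user, path) pairs whose outcome differs from the expected one."""
    return [(u, p) for u, p, want in cases if outcome(read, u, p) != want]

if __name__ == "__main__":
    for read in (read_v1, read_v2):
        print(read.__name__, failures(read, FUNCTIONAL), failures(read, ADVERSARIAL))
```

Both versions pass the functional suite; only the adversarial suite distinguishes them.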

Who Should Perform the Test?
Standard testing organizations
– Functional testing
Software security professionals
– Risk-based security testing
– Important: expertise and experience

How to Test?
White box analysis
– Understanding and analyzing source code and design
– Very effective at finding programming errors
– Can be supported by automated static analyzer
– Disadvantage: high rate of false positives
Black box analysis
– Analyze a running program
– Probe the program with various input (malicious input)
– No need for any code – can be tested remotely

Malicious Input
Software: takes input
Trust input?
– Malformed or malicious input may lead to security compromise
– What is the input? Data vs. control
Attacker toolkit

What Else?
Testing for malicious input: necessary but NOT sufficient
Risk-based security testing
– Planning tests (use forest-level view)
– Need operational aspects
System state vs. applications used
Multithread system – time-based attacks
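
Added example, not part of the original slides: a test for the time-based risk in a multithreaded system that no malicious-input test would reach. The account model, `withdraw_v1`/`withdraw_v2` and the `gap` test hook are assumptions of this example; the hook forces the two threads to overlap so the test result does not depend on scheduler luck.

```python
import threading

class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

def withdraw_v1(acct, amount, gap=lambda: None):
    # Check and update are separate steps; `gap` marks where another thread may run.
    if acct.balance >= amount:
        gap()
        acct.balance -= amount
        return True
    return False

def withdraw_v2(acct, amount, gap=lambda: None):
    # Hardened: check and update happen under one lock, so they cannot interleave.
    with acct.lock:
        if acct.balance >= amount:
            gap()
            acct.balance -= amount
            return True
        return False

def race(withdraw, start=100, amount=80):
    """Run two overlapping withdrawals; return how many of them succeeded."""
    acct = Account(start)
    both_checked = threading.Barrier(2)

    def gap():
        # Hold each thread after its check until the other has checked too.
        try:
            both_checked.wait(timeout=1.0)
        except threading.BrokenBarrierError:
            pass  # the other thread never got past the lock: no overlap possible

    results = []
    threads = [
        threading.Thread(target=lambda: results.append(withdraw(acct, amount, gap)))
        for _ in range(2)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

if __name__ == "__main__":
    print("v1 successes:", race(withdraw_v1), "v2 successes:", race(withdraw_v2))
```

With 100 in the account and two requests for 80, at most one withdrawal may succeed; the unlocked version grants both.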

Next Class
Security Operations