The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.05 - September-October (2004 vol.2)
pp: 81-85
Gary McGraw , Cigital
ABSTRACT
Security testing has recently moved beyond the realm of network port scanning to include probing-software?s behavior as a critical aspect of system behavior. Unfortunately, testing software security is a commonly misunderstood task. Security testing done properly goes deeper than simple black-box probing on the presentation layer (the sort performed by so-called application security tools)-even beyond the functional testing of security apparatuses. Testers must use a risk-based approach, grounded in both the system?s architectural reality and the attacker?s mindset, to adequately gauge software security. By identifying risks in the system and creating tests driven by those risks, a software security tester can properly focus on those areas of code in which an attack will succeed. This approach provides a higher level of software security assurance than possible with classical black-box testing.
INDEX TERMS
software development cycle, black-box testing
CITATION
Gary McGraw, Bruce Potter, "Software Security Testing", IEEE Security & Privacy, vol.2, no. 5, pp. 81-85, September-October 2004, doi:10.1109/MSP.2004.84
5 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool