This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Software Security Testing
September-October 2004 (vol. 2 no. 5)
pp. 81-85
Gary McGraw, Cigital
Security testing has recently moved beyond the realm of network port scanning to include probing-software?s behavior as a critical aspect of system behavior. Unfortunately, testing software security is a commonly misunderstood task. Security testing done properly goes deeper than simple black-box probing on the presentation layer (the sort performed by so-called application security tools)-even beyond the functional testing of security apparatuses. Testers must use a risk-based approach, grounded in both the system?s architectural reality and the attacker?s mindset, to adequately gauge software security. By identifying risks in the system and creating tests driven by those risks, a software security tester can properly focus on those areas of code in which an attack will succeed. This approach provides a higher level of software security assurance than possible with classical black-box testing.
Index Terms:
software development cycle, black-box testing
Citation:
Gary McGraw, Bruce Potter, "Software Security Testing," IEEE Security & Privacy, vol. 2, no. 5, pp. 81-85, Sept.-Oct. 2004, doi:10.1109/MSP.2004.84
Usage of this product signifies your acceptance of the Terms of Use.