Gary McGraw, Bruce Potter, "Software Security Testing," IEEE Security & Privacy, vol. 2, no. 5, pp. 81-85, September-October, 2004.
BibTeX:
@article{10.1109/MSP.2004.84,
  author = {Gary McGraw and Bruce Potter},
  title = {Software Security Testing},
  journal = {IEEE Security & Privacy},
  volume = {2},
  number = {5},
  issn = {1540-7993},
  year = {2004},
  pages = {81-85},
  doi = {http://doi.ieeecomputersociety.org/10.1109/MSP.2004.84},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
}
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2004.84
Security testing has recently moved beyond the realm of network port scanning to include probing software's behavior as a critical aspect of system behavior. Unfortunately, testing software security is a commonly misunderstood task. Security testing done properly goes deeper than simple black-box probing on the presentation layer (the sort performed by so-called application security tools), even beyond the functional testing of security apparatuses. Testers must use a risk-based approach, grounded in both the system's architectural reality and the attacker's mindset, to adequately gauge software security. By identifying risks in the system and creating tests driven by those risks, a software security tester can properly focus on those areas of code in which an attack will succeed. This approach provides a higher level of software security assurance than possible with classical black-box testing.
Index Terms:
software development cycle, black-box testing

