Issue No. 05 - September-October (2004 vol. 2)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2004.84
Gary McGraw , Cigital
Bruce Potter , BAH
Security testing has recently moved beyond the realm of network port scanning to include probing-software?s behavior as a critical aspect of system behavior. Unfortunately, testing software security is a commonly misunderstood task. Security testing done properly goes deeper than simple black-box probing on the presentation layer (the sort performed by so-called application security tools)-even beyond the functional testing of security apparatuses. Testers must use a risk-based approach, grounded in both the system?s architectural reality and the attacker?s mindset, to adequately gauge software security. By identifying risks in the system and creating tests driven by those risks, a software security tester can properly focus on those areas of code in which an attack will succeed. This approach provides a higher level of software security assurance than possible with classical black-box testing.
software development cycle, black-box testing
B. Potter and G. McGraw, "Software Security Testing," in IEEE Security & Privacy, vol. 2, no. , pp. 81-85, 2004.