• No results found

Software Security Testing

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Software Security Testing"

Copied!
26
0
0

Loading.... (view fulltext now)

Download now ( 26 Page )

Full text

(1)

Software Security Testing

Elizabeth Sanders

Department of Electrical & Computer Engineering Missouri University of Science and Technology

[email protected]

© 2015 Elizabeth Sanders

(2)

Pop Quiz

• What topics am I covering today?

(3)

Pop Quiz

• What topics am I covering today?

• If you said any of the following then you are correct

– Software Security Testing

• Risk-based Testing

– Static Analysis for Security – Software Penetration Testing

20 November 2015 Software Security Testing 3

(4)

Software Security Development

Overview

• Risk-based security tests

• Static analysis

• Penetration testing

(5)

Software Security Development

Overview

• Risk-based security tests

– Identifying risks in the system and creating tests driven by those risks

– Provides a higher level of software security assurance

• Static analysis

• Penetration testing

20 November 2015 Software Security Testing 5

(6)

Software Security Development

Overview

• Risk-based security tests

• Static analysis

– Tool that scans through a file searching for security vulnerabilities

• Penetration testing

(7)

Software Security Development

Overview

• Risk-based security tests

• Static analysis

• Penetration testing

– Objective is to find security weaknesses that would give access to the computer’s features and data

20 November 2015 Software Security Testing 7

(8)

Risk-Based Security Tests

Introduction

• Identifying risks in the system and creating tests driven by those risks

• Provides a higher level of software security assurance

[PM2004]

(9)

Risk-Based Security Tests

What’s So Different About Security?

• Relative to the information and services being protected

• Risk analysis at the design level

• Vulnerabilities are errors that an attacker can exploit

– Two types of vulnerabilities

• Bugs at the implementation level

• Flaws at the design level

20 November 2015 Software Security Testing 9

(10)

Risk-Based Security Tests

What’s So Different About Security?

• Bugs at the implementation level

– Easy to exploit

• Flaws at the design level

– Hardest defect to handle – Most prevalent and critical

– Flaws almost always lead to security risk

(11)

Risk-Based Security Tests

Security Testing

• Two approaches

– Testing security mechanisms to ensure that their functionality is implemented correctly

– Perform risk-based security tests

20 November 2015 Software Security Testing 11

(12)

Risk-Based Security Tests

How to Approach Security Testing

• Who should do security testing?

– Someone who has experience

– They have to think like an attacker

• How

– White-box testing

• Analyzing and understanding source code and the design

• Very effective at finding programming errors

– Black-box testing

• Analyzing a running program by probing it with various inputs

• If you are able to break the program then there is a security problem

(13)
(14)

Static Analysis for Security

Overview

• Catching implementation bugs early

• Aim for good, not perfect

• Approaches to static analysis

[CM2004]

(15)

Static Analysis for Security

Catching Implementation Bugs Early

• Used to identify common code errors automatically before a program is released

• Static analysis tools

– used to examine the text of a program without attempting to execute it

– Much faster than manual auditing

– Can be applied before the program is completed

20 November 2015 Software Security Testing 15

(16)

Static Analysis for Security

Aim for Good… Not Perfect

• Static Analysis can’t solve all of the problems

– It only looks for a set of patterns or rules in the code

• Example

– If a rule hasn’t been written yet to find a problem – Then, the tool will never find that problem

• Rice Theorem

– Static analysis problems are undecidable in the worst case

(17)

Static Analysis for Security

Approaches to Static Analysis

• Utility Grep

– Uses a list of good search strings

– But it doesn’t understand anything about the files it scans

• Lexical Analysis tools

– Uses ITS4, FlawFinder, and RATS

• Which do the steps of a compiler

• then match the results against a library

• Abstract Syntax Tree (AST)

– Understand the basic semantics of the program

20 November 2015 Software Security Testing 17

(18)

Static Analysis for Security

Approaches to Static Analysis

• Local analysis

– One program at a time

– Doesn’t look at relationships between functions

• Module-level analysis

– One class at a time

– Examines relationships between functions – Doesn’t analyze calls between modules

• Global analysis

– Analyzes the entire program

– Looks at all relationships between functions

(19)

Penetration Testing

Overview

• Used to find the real vulnerabilities in the system

• Also known as Ethical Hacking

– You have permission to attack this network

20 November 2015 Software Security Testing

[ASM2005]

19

(20)

Penetration Testing

Penetration Testing Today

• Typically a security consultant will come in and do the testing

• Issues with penetration testing

– Incorrect interpretation of results – Scope of the test is narrow

• thus only finding a small amount of bugs

– Validity of tests

• Tests can’t be repeated thus results can’t be repeated

– Testing at the end of the software development cycle

• Fixing the bugs is costly

(21)

Penetration Testing

A Better Approach

• Use of structured tests based on perceived risks

• Make use of tools

– To vet software code in source or in binary form

• Used to identify implementation-level bugs

– Dynamic Analysis tools to observe a system

• Once the faults are discovered it will report them to the tester

– Benefits of using tools

• Performs most of the grunt work

• The output provided by the tools are very useful

20 November 2015 Software Security Testing 21

(22)

Penetration Testing

A Better Approach

• Test software at different levels

– Component level testing

• Use static and dynamic analysis tools

• Overall Goal is to

– Misuse the component’s assets

– Violate inter-component assumptions – Probe risks

– Unit level testing

• Benefit of breaking system security down in to several parts

– System level testing

• Analyze the system in its deployed environment

• Identify inter-component issues

• Assessing the security risk inherent at the design level

(23)

Penetration Testing

A Better Approach

• Integrate with the development cycle

– Mitigation strategy

• Finding the bugs

• Exploring how the bugs made it into the code

• Address and identify vulnerabilities in the code base

• Use test results to evaluate progress in fixing bugs

– Iterative security penetration tests should reveal fewer and less severe flaws in the system

20 November 2015 Software Security Testing 23

(24)

Conclusion

• Risk-based Testing

– Used to solve problems during production

• Static Analysis

– Should be applied regularly as part of the development process

• Penetration Testing

– Most useful when integrated during the development process

– Results can help improve design, implementation, and deployment practices

(25)

References and Further Reading

Software Security Testing 20 November 2015

• [PM2004] Bruce Potter and Gary McGraw, “Software Security

Testing,” IEEE Security and Privacy, Volume 2, Issue 5, pp. 81 – 85, September/October 2004.

• [CM2004] Brian Chess and Gary McGraw, “Static Analysis for

Security,” IEEE Security and Privacy, Volume 2, Issue 6, pp. 76 – 79, November/December 2004.

• [ASM2005] Brad Arkin, Scott Stender, and Gary McGraw, “Software Penetration Testing,” IEEE Security and Privacy, Volume 3, Issue 1, pp.

84 – 87, January/February 2004.

25

(26)

Questions?

[email protected]

References

Download now ( PDF - 26 Page - 499.13 KB )

Related documents

Contaminating the Verdict: The Problem of Juror Misconduct

114 (1983) (stating ex parte contact between trial court and juror reviewed for actual prejudice); Smith v. 1996) (suggesting that the Remmer test has been reconfigured by

Carbohydrate and caffeine improves high intensity running of elite rugby league interchange players during simulated match play.

Co-ingestion of carbohydrate with caffeine compared to carbohydrate alone enables improvements in high intensity running performance of professional rugby league

SERVICE QUALITY AND CUSTOMER SATISFACTION IN THE CELLULAR TELECOMMUNICATION SERVICE PROVIDER IN MALAYSIA

The author presented a situation that service quality is a focused evaluation that reflects the customer’s perception of reliability, assurance, responsiveness,

2. (a) A light year is the speed of light in m/s multiplied by the number of seconds in one year.

The Hubble space telescope orbits the Earth and takes photographs of planets and Galaxies far away.. (a) Images from Hubble are much clearer as the images are not distorted by the

Supporting Student Veterans Utilizing Participatory Curriculum Development

An organizational level program utilizing Participatory Curriculum Development (PCD) (Taylor, 2003) is presented to assist postsecondary institutions with development,

2016 TOP PRODUCERS RULES & REQUIREMENTS

Applicants may transfer Top Producers credit years (or similar sales awards program years) awarded in another Association of REALTORS ® to apply toward award recognition with

Analiza porównawcza nadzoru nad projektem badawczym w zakresie osiągnięć studentów biznesu na uniwersytetach nigeryjskich

1 I was given directions by my supervisor and this positively affected the quality of my writing and research capacity 3.66 3.63 2 I had access to Internet facilities and this aided

Impact of AVHRR channel 3b noise on climate data records: filtering method applied to the CM SAF CLARA-A2 data record

(A) colour composite image based on brightness temperatures of the three AVHRR infrared channels 3b, 4 and 5 at 3.7, 11 and 12 microns, respectively; (B) cloud mask product for