Thursday February 9th 2012 11am
Software Security Testing – Are You Committed?
Software Test Professionals Conference
The vacation is just over but celebration still lingers in the air...
Could the story below happen to you?
It is the wee hours of the night, almost 3:00 AM; the party is over and you have managed to get back home safe and sound. It's surprising to find the door unlocked, but you do not make much of this detail until you turn on the lights, find your apartment topsy-turvy and realize a thief paid a visit before you! At this moment you certainly no longer think about resting. Your mind is already working at full speed, identifying the ways the burglar got in and out without any trouble, and your New Year's resolutions now include a list of improvements to make on this front: setting up an alarm system on doors and windows, a fence, and even finally installing that big double lock you bought but never got to use...
In short, you will now be investing a lot to protect... what remains of your original assets!! Too bad, right? "If only I had done this in the summer when there was time", you think. Sounds like a sad story? Indeed it is.
Back to the Real World
Looking at our products, they're filled with assets to protect; it could be sensitive data, Intellectual Property or critical functionality. Without doubt some mechanisms are already in place to protect them, but how much do you invest in testing the robustness of these mechanisms? Do you know how to evaluate the risk of having any of them unintentionally exposed?
Software Security Testing is no longer a luxury. The hacker's business ecosystem is changing quickly, penetration tools are available in a click, and the world is frightening. Most companies cannot afford to lose too much before starting their security testing activities. Similarly, when a company does have security testing activities in its process, they are often left to the end of the chain, which does not leave enough time to address the design correctly.
The way to deliver good insight about the security quality of an application includes understanding that it may only take one severe exploit to make an entire application useless.
Security Development Lifecycle
Security testing activities need to start early in the project in order to reduce the costs of damage and risks. They also require specific skills and a different mindset than the one we use for functional testing. Consequently, you should plan for additional training and for investing in new kinds of tools. To avoid the confusion that results from tackling this area without proper knowledge, one should follow a rigorous and structured approach.
Many companies have benefitted from implementing a Security Development Lifecycle (SDL) as a set of actions which extend their existing PLC (Product Life Cycle) or SDLC (Software Development Life Cycle).
Such an approach was initiated by Microsoft in 2004, and is still used as a reference even at companies that use only a subset of the full model or a simplified & customized version of it. The figure below presents the waterfall-based development process as originally defined.
As examples, let's discuss two parts of the process in more detail:
Early in the process, during the architecture or design phases, a threat analysis should be conducted. Threat modeling allows you to apply a structured approach to security and to address the top threats that have the greatest potential impact on your application.
This is an important step in the SDL since it will drive the definition of the test plan.
Basically, it can be described by the following six steps:
- Identify valuable assets that your systems must protect.
- Create an architecture overview using simple diagrams, including subsystems, trust boundaries, and data flow.
- Decompose the application to uncover vulnerabilities.
- Identify threats that could affect the application.
- Document the threats.
- Rate the threats to prioritize and address most significant threats first.
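As an added illustration (not part of the original article), the example below records threats gathered in steps 1 to 5 and applies step 6 to order the test plan by risk. The DREAD factors, the 1-3 scale, the High/Medium/Low bands and every sample entry are assumptions constructed for this example; the article names no rating scheme.

```python
from dataclasses import dataclass

# DREAD factors, each scored 1 (low) to 3 (high). Assumed scheme: the
# article does not say how threats should be rated.
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

@dataclass
class Threat:
    asset: str        # step 1: what must be protected
    boundary: str     # step 2: trust boundary the data flow crosses
    component: str    # step 3: decomposed part where the weakness would sit
    description: str  # steps 4-5: the identified and documented threat
    ratings: dict     # step 6: one score per DREAD factor

    def score(self) -> int:
        missing = [f for f in FACTORS if f not in self.ratings]
        if missing:  # an unrated threat must not silently sort to the bottom
            raise ValueError(f"unrated factors for {self.description!r}: {missing}")
        if any(not 1 <= self.ratings[f] <= 3 for f in FACTORS):
            raise ValueError(f"ratings must be 1..3 for {self.description!r}")
        return sum(self.ratings[f] for f in FACTORS)

def band(score: int) -> str:
    # Totals range from 5 to 15; the cut-offs are an assumption of this example.
    return "High" if score >= 12 else "Medium" if score >= 8 else "Low"

def build_test_plan(threats):
    """Return (rank, band, score, asset, description) rows, highest risk first."""
    ordered = sorted(threats, key=lambda t: (-t.score(), t.asset))
    return [(i, band(t.score()), t.score(), t.asset, t.description)
            for i, t in enumerate(ordered, 1)]

# Constructed sample threat register for a hypothetical web-managed device.
SAMPLE = [
    Threat("user credentials", "browser -> web server", "login form",
           "credentials readable in transit if TLS is not enforced",
           dict(damage=3, reproducibility=3, exploitability=2, affected_users=3, discoverability=3)),
    Threat("audit log", "web server -> log store", "logging module",
           "log entries can be altered without detection",
           dict(damage=2, reproducibility=2, exploitability=1, affected_users=1, discoverability=1)),
    Threat("update package", "vendor -> device", "update parser",
           "malformed package crashes the parser",
           dict(damage=2, reproducibility=3, exploitability=2, affected_users=2, discoverability=1)),
]

if __name__ == "__main__":
    for row in build_test_plan(SAMPLE):
        print(row)
```

The ranked rows give the order in which test cases are written and executed, so the highest-rated threats get test time even when the schedule is cut short.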
Further on, during the execution phase, penetration testing and fuzz testing will be invaluable activities to validate the robustness of your product: challenging the security-related mechanisms against known vulnerabilities or trying to defeat the current implementation by compromising assets identified during the threat modeling phase.
So, Are You Committed?
As a tester, the target you need to pursue is to ensure all the needed protections are in place and to validate these mechanisms properly. Given the current attack trends, ensuring 100% protection is not an achievable goal, and sooner or later your product will be the next target on the hackers' list. Unfortunately, it is simply a matter of time!
This old joke exemplifies my point about security testing:
Two campers walk through a forest when suddenly they see a tiger in the distance running towards them. As they look around for an escape route, one of them opens his bags and takes out a pair of running sneakers and starts putting them on.
"What are you doing?" says the other man, "Do you really think you will run faster than the tiger with those?".
"I don't have to run faster than the tiger," replies the first. "I just need to run faster than you!"
If you test the security of your application and are prepared, hackers will be more likely to focus on applications whose owners have not committed resources to testing. Hackers will go after the easiest "prey", as in the old joke I shared. If you are better prepared than the next guy in testing security, you may be granted a reprieve, and in the end that may be enough.
So, are you committed?
About the Author:
Dan Alloun, Validation Architect - Intel
A 10-year veteran, Dan is a SW/FW Validation Architect in the Intel Architecture group, validating Intel Active Management Technology, one of the main parts of the Intel vPro platform. Today, his main areas of expertise are networking, security, and a deep technical understanding of the Intel AMT system. Dan holds a GCIH Security Certification as well as ISTQB, CTFL & CTAL certificates in the validation area.
Come see Dan at STPCon 2012 in New Orleans - March 26-29. Dan will lead session 302: Creating a Security Test Plan - part of the Test Strategy and Design track.