software security

Software Security Testing, by Gary McGraw, Bruce Potter, presented by Edward Bonver, 11/07/2005

Upload: softwarecentral

Post on 31-Oct-2014


Page 1: Software Security

Software Security Testing

by Gary McGraw, Bruce Potter

presented by Edward Bonver

11/07/2005

Page 2: Software Security

Security Testing Dilemma

Security testing depends heavily on expertise and experience

Budget and timing constraints

QA is usually under pressure to complete the “feature test sets” (i.e. functional testing) (QA resources)

Page 3: Software Security

“Choose Any Two…”

Cost

Security

Usability

Page 4: Software Security

Reactive vs. Proactive

Most defensive mechanisms on the market that “provide security” do little to address the heart of the problem, which is bad security

They operate in reactive mode

Instead, in order to increase the levels of assurance of software security, we (software organizations, QA) need to be proactive

Page 5: Software Security

Software Development Life Cycle, With Security In Mind

Page 6: Software Security

[Figure: Microsoft’s Security Deployment Lifecycle Tasks and Processes, shown with the Traditional Microsoft Software Product Development Lifecycle Tasks and Processes. Source: Microsoft PDC 2005]

Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing

Security lifecycle tasks: Security Training; Security Kickoff & Register with SWI; Security Design Best Practices; Security Arch & Attack Surface Review; Threat Modeling; Use Security Development Tools & Security Best Dev & Test Practices; Create Security Docs and Tools For Product; Prepare Security Response Plan; Security Push; Pen Testing; Final Security Review; Security Servicing & Response Execution

Traditional lifecycle tasks: Feature Lists; Quality Guidelines; Arch Docs; Schedules; Design Specifications; Functional Specifications; Testing and Verification; Development of New Code; Bug Fixes; Code Signing; Checkpoint Express Signoff; RTM; Product Support; Service Packs/QFEs; Security Updates

Page 7: Software Security

What’s So Different About Security?

“Software security is about making software behave correctly in the presence of a malicious attack.”

“The difference between software safety and software security is therefore the presence of an intelligent adversary bent on breaking the system.”

Page 8: Software Security

Intended Versus Implemented Software Behavior in Applications

Most security bugs lie in the areas of the figure beyond the circle, as side effects of normal application functionality

Source: Herbert H. Thompson, Security Innovation

Page 9: Software Security

Security

Risk Analysis — It’s All Relative…

Information and services being protected

Skills and resources of the adversaries

Costs of potential assurance remedies

Page 10: Software Security

Conclusion

There is an absolute need for software security testing

Software security testing should be done proactively, and should be embedded into the software development life cycle

Software security testing is not easy – it requires time, resources, experience and expertise

Page 11: Software Security

References

“Software Security Testing”, Gary McGraw, Bruce Potter, IEEE Security & Privacy, September/October, 2004, pp. 81-85

“Why Security Testing Is Hard”, Herbert H. Thompson, IEEE Security & Privacy, July/August, 2003, pp. 83-86

Page 12: Software Security

Questions

? ? ?

• Go easy on me, too!