June 2006 - A Primer in Software Security Testing (Part 3)

Hung Nguyen, CEO, President and Founder, LogiGear Corporation

In part 1 and part 2 of this article, I discussed what computer and software security are, how they can be tested, and what targets and assets must be secured and tested. In this third and final part, I'll address the question of who is responsible for security testing, and how they can educate themselves to adequately perform these functions.

So who should own the responsibility for security? Often times, there are several groups of people in an organization who have influence over, or are responsible for, the security issues of an application and the operational infrastructure that supports the product as a whole. Usually, the members of the security-team, mentioned above, are key players from the following functions:

• Policy makers including information security staff who define security requirements to reasonably ensure user's and producer's confidence in the system's security defenses.
• Network administrators who design and implement security measures to ensure that the security defense objectives at the operational level are met.
• Software developers who design and implement security defenses at the application level to ensure that the security requirements are met.
• Testers who are responsible for testing the Web and software systems to uncover security-related flaws in the design, implementation and configuration, and functional errors introduced in the implementation of security defenses, primarily, at the application level; and secondarily, at the operational level.

The first step toward enabling your organization's software security testing capability is education. Education is a major step in developing a successful security program. Programming, testing, IT teams and other involved staff should all learn and understand the issues we face in information security. The people involved in securing the company-authored applications should constantly learn about existing and new techniques used by hackers to exploit vulnerabilities in software so that appropriate fixes can be made in a timely manner. The test engineers must understand some of the fundamental software security-related bugs such as poor error handling including buffer-overflows, input validation (or lack of it), cross-site scripting and so on, so that they know which bugs to seek out and where to find them. The people involved in securing the live systems should constantly monitor public information sources to learn about existing and new vulnerabilities in third-party applications/servers used in the systems so that:

• Appropriate responses can be made quickly to minimize damages.
• Appropriate patches can be applied quickly and patch-testing can be executed to ensure that side-effects are minimal.

To get you started, following are some good sources of security-related information including vendor Web sites, security portals, and security mailing lists.

• Testing Applications on the Web, second edition by Hung Nguyen, et al., Wiley, 2003
• How to Break Web Software : Functional and Security Testing of Web Applications and Web Services by Mike Andrews and James A. Whittaker, Pearson Addison Wesley; 2003
• Web Applications (Hacking Exposed) by Joel Scambray, Mike Shema, McGraw-Hill Osborne Media, 2002
• Writing Secure Code, Second Edition by Michael Howard and David C. LeBlanc, Microsoft, 2002
• The Top 10 Lists:
  http://www.sans.org/top20/
  http://www.owasp.org/documentation/topten.html
• The OWASP Guide to Building Secure Web Applications
• The OWASP Testing Project
• Other online resources and link pages:
  • Security-related testing link page at Logigear.com
  • BugTraq
  • Security Focus Online
  • CERT/CC Web site
  • RAS Security Web site

To summarize this entire article series, software security testing is the attempt to make sure that your company's assets are protected from both intentional and inadvertent breaches. Security testing is fundamentally different from functional testing, and requires a much broader set of skills and knowledge. While software test engineers should focus testing at the application level only, when performing system security testing, your company must involve people who are responsible for security defense from across the organization, and focus on a broad array of potential targets or vulnerabilities.