Software security practitioners perform many different tasks to manage software security risks, including -
• Creating security abuse/misuse cases.
• Listing normative security requirements.
• Performing architectural risk analysis.
• Building risk-based security test plans.
• Wielding static analysis tools.
• Performing security tests.
• Performing penetration testing in the final environment.
• Cleaning up after security breaches.
Three of these are particularly closely linked—architectural risk analysis, risk-based security test planning, and security testing—because a critical aspect of security testing relies on probing security risks. Last issue’s installment1 explained how to approach a software security risk analysis, the end product being a set of security- related risks ranked by business or mission impact. (Figure shows where we are in our series of articles about software security’s place in the software development life cycle.)
The pithy aphorism, “software security is not security software” provides an important motivator for security testing. Although security features such as cryptography, strong authentication, and access control play a critical role in software security, security itself is an emergent property of the entire system, not just the security mechanisms and features. A buffer overflow is a security problem regardless of whether it exists in a security feature or in the noncritical GUI. Thus, security testing must necessarily involve two diverse approaches:
1. testing security mechanisms to ensure that their functionality is properly implemented, and
2. performing risk-based security testing motivated by understanding and simulating the attacker’s approach.
Many developers erroneously believe that security involves only the addition and use of various security features, which leads to the incorrect belief that “adding SSL” is tantamount to securing an application. Software security practitioners bemoan the over-reliance on “magic crypto fairy dust” as a reaction to this problem. Software testers charged with security testing often fall prey to the same thinking.