Testing software security
1. Testing Software Security
A secure product is a product that protects the confidentiality,
integrity, and availability of the customers' information, and the
integrity and availability of processing resources, under control
of the system's owner or administrator.
A security vulnerability is a flaw in a product that makes it
infeasible, even when the product is used properly, to prevent an
attacker.
Hacker: one who uses programming skills to gain
illegal access to a computer network or file.
As a software tester it's important to understand why someone
may want to break into your software.
Understanding their intent will aid you in thinking about where
the security vulnerabilities might be in the software you're
testing.
2. Understanding the Motivation of a Hacker
The five motives that a hacker might have to gain
access to a system are:
– Challenge/Prestige: someone breaks into a system purely for the
challenge of the task and the prestige.
– Curiosity: the hacker will peruse the system looking for something
interesting.
– Use/Leverage: the hacker will actually attempt to use the system for
his own purpose.
– Defacing, Destruction, and Denial of Service: defacing is changing the
appearance of a website. Destruction takes the form of deleting or altering
data stored on the system. Denial of service is preventing or hindering
the hacked system from performing its intended operation.
– Steal: the intent is to find something of value that can be used or sold. Credit
card numbers, personal information, goods and services, even login IDs
and email addresses, all have value to the hacker.
3. Threat Modeling
Threat modeling looks for the areas of the product's feature set that are
most exposed to security vulnerabilities.
Based on what it finds, the team can choose to make changes to the product,
spend more effort designing certain features, or
concentrate testing on potential trouble spots.
Ultimately it will result in a more secure product.
Unless everyone on the product development team
understands and agrees to the possible threats, your
team will not be able to create a secure product.
5. Steps of Threat Modeling Process
– Assemble the threat modeling team.
– Identify the assets.
– Create an architecture overview.
– Decompose the application.
– Identify the threats.
– Document the threats.
– Rank the threats.
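The last three steps (identify, document, rank the threats) are the ones a tester most often has to turn into a working artefact. The following is an added example, not code from the original slides: a small threat register that ties each documented threat back to an identified asset and a component of the architecture overview, then ranks the threats. The 1-to-3 likelihood and impact ratings and the risk = likelihood × impact score are an assumption made for this example; the slides do not prescribe a rating scheme. The sample web-shop threats are constructed data.

```python
from dataclasses import dataclass, field

# Scoring assumption for this example: likelihood and impact are each rated
# 1 (low), 2 (medium) or 3 (high); risk is their product. The slides do not
# prescribe a rating scheme, so this one is illustrative only.
VALID_RATINGS = (1, 2, 3)


@dataclass
class Threat:
    asset: str             # which identified asset is at risk
    component: str         # element of the architecture overview it applies to
    description: str
    likelihood: int
    impact: int
    mitigation: str = ""   # empty until a countermeasure has been decided

    def __post_init__(self):
        if self.likelihood not in VALID_RATINGS or self.impact not in VALID_RATINGS:
            raise ValueError("likelihood and impact must be rated 1, 2 or 3")

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass
class ThreatModel:
    assets: set = field(default_factory=set)
    threats: list = field(default_factory=list)

    def identify_asset(self, name: str) -> None:
        self.assets.add(name)

    def document_threat(self, threat: Threat) -> None:
        # A threat must refer to an asset the team has agreed is worth protecting;
        # otherwise the register drifts away from the "identify the assets" step.
        if threat.asset not in self.assets:
            raise ValueError(f"unknown asset: {threat.asset!r}")
        self.threats.append(threat)

    def rank(self) -> list:
        # Highest risk first; ties are broken by impact so that severe-but-rare
        # threats are not buried under frequent nuisances.
        return sorted(self.threats, key=lambda t: (t.risk, t.impact), reverse=True)

    def unmitigated(self) -> list:
        # The ranked threats that still have no countermeasure recorded.
        return [t for t in self.rank() if not t.mitigation]


def build_sample_model() -> ThreatModel:
    """Constructed example model for a small web shop (illustrative data only)."""
    model = ThreatModel()
    for asset in ("customer records", "public website"):
        model.identify_asset(asset)
    model.document_threat(Threat("customer records", "login form",
                                 "account takeover by password guessing", 3, 3,
                                 mitigation="rate limiting and account lockout"))
    model.document_threat(Threat("customer records", "backup job",
                                 "backups stored unencrypted on a shared drive", 2, 3))
    model.document_threat(Threat("public website", "front page",
                                 "denial of service by request flooding", 2, 2))
    model.document_threat(Threat("public website", "admin console",
                                 "defacement through weak admin credentials", 1, 3))
    return model


if __name__ == "__main__":
    for t in build_sample_model().rank():
        print(f"{t.risk:>2}  {t.asset:<17} {t.component:<14} {t.description}")
```

Running the block prints the register ordered by risk; `unmitigated()` gives the tester the list that should drive where test effort is concentrated, which is the point of the ranking step.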
6. Testing for Security Bugs
Testing for security bugs is a test-to-fail activity.
The tester won't necessarily be given a product
specification that explicitly defines how software
security is to be addressed.
Nor will he be able to assume that the threat model
is complete and accurate.
The tester will need to put on the "test-to-fail" hat and attack
the software much like a hacker would, assuming that
every feature has a security vulnerability.