12-31-2006, 10:18 AM   #1
Lyte (Forum Staff)

Finding software security flaws
Identify security vulnerabilities in your lab, not your customer's production environment

December 28, 2006 -- This article is excerpted from The Art of Software Security Testing: Identifying Software Security Flaws, by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin, by permission of Pearson Education. All rights reserved. Chapter 5: Shades of Analysis: White, Gray, and Black Box Testing


This chapter describes the different analysis techniques you can use during the security testing process. Different situations require different methods of analysis. We also describe the different lab environments that can be set up to perform different types of testing.

White Box Testing

White box testing is common in the quality assurance world. It is sometimes called clear box, open box, or simply informed testing. In white box testing, all information about the system under test is known to the tester. In the security world, this can also be thought of as an insider attack. The tester has access to the source code and design documentation. This allows the tester to be efficient. He can threat-model the system or do a line-by-line code review, looking for information to guide the selection of test data.

White box testing is the most efficient way to find security vulnerabilities. Why hide information from the security test team? More information allows quicker and more complete generation of interfaces to test. It also gives you an accurate picture of the system's security because it doesn't rely on security by obscurity, which is the hope that attackers will never discover information about how a system works. Security by obscurity is not real security. You should always assume that eventually all information about a system will be discovered or leaked. A well-designed and well-implemented system will still be secure. This is why good crypto algorithms can be published for review. They don't rely on privacy for security.

More...

Last edited by Lyte; 01-01-2007 at 12:45 PM.
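
An added illustration of the white box idea in the excerpt above (not code from the book or from the original post): the tester reads the source for the limits it compares against and picks test data on either side of each one. The function `store_name`, its 16-byte field and its deliberate off-by-one guard are constructed for this example.

```python
import ast
import inspect
import textwrap

FIELD_SIZE = 16  # constructed: size of the fixed-width name field


def store_name(name: bytes) -> bytes:
    # Constructed code under test. Deliberate defect: the guard compares
    # against 17, not FIELD_SIZE, so a 17-byte name is accepted and truncated.
    if len(name) > 17:
        raise ValueError("name too long")
    return name[:FIELD_SIZE].ljust(FIELD_SIZE, b"\x00")


def comparison_constants(func) -> set[int]:
    """White box step: read the source and collect integers used in comparisons."""
    tree = ast.parse(textwrap.dedent(inspect.getsource(func)))
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Compare):
            for operand in [node.left, *node.comparators]:
                if isinstance(operand, ast.Constant) and type(operand.value) is int:
                    found.add(operand.value)
    return found


def boundary_lengths(constants: set[int]) -> list[int]:
    """Test data on each side of every limit seen in the code."""
    return sorted({n for c in constants for n in (c - 1, c, c + 1) if n >= 0})


def truncated_lengths(func, lengths) -> list[int]:
    """Oracle: an accepted name must be stored whole, never silently cut."""
    bad = []
    for n in lengths:
        name = b"A" * n
        try:
            stored = func(name)
        except ValueError:
            continue  # rejecting an oversized name is correct behaviour
        if not stored.startswith(name):
            bad.append(n)
    return bad


if __name__ == "__main__":
    blind = [0, 1, 10, 100, 1000]  # guesses made without seeing the source
    informed = boundary_lengths(comparison_constants(store_name))
    print("blind lengths   ", blind, "->", truncated_lengths(store_name, blind))
    print("informed lengths", informed, "->", truncated_lengths(store_name, informed))
```

The blind lengths pass cleanly, while the three lengths derived from the source expose the truncation at 17 bytes.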