Software testing for security as well as proper function: A short reading list

There's a lot of inadequate software around, always has been and always will be. It's vital to budget resources for adequate software testing, not only to check that the required functionality is there but also to ensure that the applications are secure.

The term application security can mean different things to different stakeholders. There's anti-malware software (detection and removal of viruses, trojans, rootkits and the like), which you certainly need, but which operates across all layers from the operating system kernel through to end-user applications.

But here I'm talking essentially about the end-user application layer (apps such as finance, e-commerce, manufacturing, travel reservation and anything else): software that your own organization develops, that you purchase from a third-party vendor, or that you obtain at minimal cost as open source.

Whatever the software source, it all needs thorough testing before you deploy it to your unsuspecting internal or external user base. Special care needs to be applied to the design and testing of the security of the applications.

Security mustn't be bolted on as an afterthought, because this is less effective (and perhaps ineffective) as well as being more costly in the long run. Proper security begins at the requirements and architecture/design stage.

This is indeed a vast topic, but absolutely essential for the success, safety and compliance of software applications. As I've said elsewhere on iTWire, ignore it at your peril.

Since iTWire isn't the medium for in-depth reportage for complex technical topics, here I'll just give an introductory mention to a few online resources you should consider.

Regard it, perhaps, as part of your holiday season's reading. It may even help keep your mind off depressing things like the floods raging across north-eastern Australia, the imminent loss of the 2010 Ashes cricket series to the British, the freezing weather across Europe and USA, widespread unemployment and other effects of the GFC, earthquakes, tsunamis, locust swarms, forest fires or whatever else is plaguing you right now and wherever you are.

First, let's look at Dr. Dobb's, where Herbert H. Thompson writes in Secure Software Needs Careful Testing - And Lots Of It that:

'Software testing comes in many flavors. Unit testing analyzes individual components before they're integrated into larger systems. System and integration testing checks that modules work together. Regression testing verifies that everything still works after a change is made to the code. And security testing checks that data is protected.'

He then goes on to explain fuzz testing (or fuzzing) as a way to find vulnerabilities that are too complicated for a person to spot. Quite smart!

He also states the obvious, though it definitely needs stating: 'Most security vulnerabilities aren't requirements violations; rather, they come from incomplete requirements.'
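The two points above, fuzzing and the gap left by incomplete requirements, are easy to see side by side in a few lines of code. The following is an added example written for this page; it is not from the article or from Dr. Dobb's. The record format ('NN:payload;', a two-digit decimal length followed by the payload and a terminator), the two parsers and the fuzzer are all hypothetical constructions. The naive parser meets the only requirement anyone wrote down (valid records parse correctly) and passes its unit test, yet a simple mutation fuzzer finds inputs that make it fail in undocumented ways; the hardened parser, written after asking what every malformed input should do, fails only through its one documented error type.

```python
"""Functional testing versus security (fuzz) testing of a small parser.
Added example for this page; the format and both parsers are hypothetical."""
import random

MAX_PAYLOAD = 64            # the only limit the (incomplete) requirement states


class ParseError(ValueError):
    """The single, documented failure mode of the hardened parser."""


def parse_record_naive(data: bytes) -> bytes:
    # Meets the functional requirement: valid records parse correctly.
    # Nobody specified what malformed input should do, so it escapes as
    # whatever exception Python happens to raise (the Python analogue of
    # an out-of-bounds read in a C implementation).
    length = int(data[:2])                 # ValueError on b'zz:...' or b''
    payload = data[3:3 + length]
    if data[3 + length] != ord(";"):       # IndexError when input is truncated
        raise ParseError("missing terminator")
    return payload


def parse_record_hardened(data: bytes) -> bytes:
    # Same result on valid input, but every way the input can be wrong is
    # checked explicitly and reported through ParseError and nothing else.
    if len(data) < 4 or not data[:2].isdigit() or data[2:3] != b":":
        raise ParseError("bad header")
    length = int(data[:2])
    if length > MAX_PAYLOAD or len(data) != 3 + length + 1:
        raise ParseError("length does not match record")
    if data[-1:] != b";":
        raise ParseError("missing terminator")
    return data[3:3 + length]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a valid record."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "drop", "insert", "truncate"))
        if op == "flip" and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == "drop" and buf:
            del buf[rng.randrange(len(buf))]
        elif op == "insert":
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == "truncate" and buf:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to parser and collect the ones that fail in an
    undocumented way (anything other than ParseError).
    Returns {exception class name: first input that triggered it}."""
    rng = random.Random(rng_seed)          # fixed seed so runs are repeatable
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except ParseError:
            continue                       # documented rejection, not a finding
        except Exception as exc:           # a fuzzer deliberately catches everything
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


SEED = b"05:hello;"                        # constructed valid record


if __name__ == "__main__":
    # Functional (unit) test: both parsers satisfy the stated requirement.
    assert parse_record_naive(SEED) == parse_record_hardened(SEED) == b"hello"
    # Security test: only the hardened parser survives malformed input.
    print("naive parser crashes:   ", fuzz(parse_record_naive, SEED))
    print("hardened parser crashes:", fuzz(parse_record_hardened, SEED))
```

The unit test alone would pass both parsers and tell you nothing about the difference; the fuzzer's findings are a list of questions the requirements never answered (what if the length field isn't numeric, what if the record is shorter than the length says), which is exactly Thompson's point about incomplete requirements.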

Oh so true, and equally applicable not just to application security but to software development in general, not to mention associated hardware development, where faults ranging from minor to disastrous abound; see for example the letter from Apple regarding iPhone 4 signal strength problems and Myki could be scrapped after ticketing review.

Dr. Dobb's is a fantastic site for software development matters. You should consider subscribing to the monthly digital Dr. Dobb's Digest.