Risk Management and Security Testing

Software security is about making software behave correctly in the presence of a malicious attack, even though, in the real world, software failures usually happen spontaneously, that is, without intentional mischief. Not surprisingly, the standard software testing literature is concerned only with what happens when software fails, regardless of intent. The difference between software safety and software security is therefore the presence of an intelligent adversary bent on breaking the system. Most safety-critical systems (and high-assurance systems) posit a white hat world. The fact is, we live in a world with plenty of black hats as…

Risk Management and Security Testing

Software security practitioners perform many different tasks to manage software security risks, such as:

Creating security abuse/misuse cases
Listing normative security requirements (and security features and functions)
Performing architectural risk analysis
Building risk-based security test plans
Wielding static analysis tools
Performing security tests
Performing penetration testing in the final environment
Cleaning up after security breaches

Three of these practices (architectural risk analysis, risk-based security test planning, and security testing) are particularly closely linked, because a critical aspect of security testing relies on directly probing the security risks identified during analysis. The pithy aphorism "Software security is not…