Security in Software Testing and Introduction to Security Development Lifecycle
The Software Development Life Cycle, the Software Testing Life Cycle and the Security-Testing Life Cycle are methodologies well known across the IT industry. Let us look at a less widely known methodology: the Security Development Lifecycle, or SDL.
The Security Development Lifecycle is a methodology introduced by Microsoft & IBM in the year 2002. It is a process in which security is made a priority during every stage of the software development process.
The SDL introduces the use of several techniques like threat modeling, use of static analysis tools, code reviews, and a final review of security into a structured process that can reduce the number of security vulnerabilities found after system shipment.
The following are the four principles of the Security Development Lifecycle.
Principle-1: Ensure Security by Design: The system has to be designed from the start to protect both itself and all information processed by it, and to be resistant to attacks. This design has to be carried through implementation as well.
Principle-2: Ensure Security by Default: The default state of the system should minimize the possible risk when attacks (successful or unsuccessful) take place. This includes items such as running with the least access possible, turning off features not needed by the majority of users, etc.
Principle-3: Ensure Security in Deployment: The software needs to be shipped with documentation and manuals that help end users as well as administrators install and use the software securely. Secondly, the installation of all updates must be easy.
Principle-4: Communications: There must be open and responsible communication with consumers when product vulnerabilities are found, in order to keep both end users and administrators aware of how to take proactive measures to protect themselves.
In addition to the preceding four main principles, the SDL lays out the security tasks that need to take place at each step in the traditional software development life cycle.
Probably the key aspect to the success of any attempt to adopt the SDL is education - a lot of education. Most people (in all disciplines) do not come to a project already fully educated on what they need to do to ensure an effective and comprehensive implementation of the SDL. An educational effort needs to be put in place, both at the beginning of SDL adoption and on an ongoing basis. This can be an in-house or a contract effort, or even a mix, according to the needs & the size of your organization.
The following figure gives a graphical representation of a typical SDL.
(A) Security in the Requirements Definition Phase: The first thing to be done at this stage is to determine a person who will be the single point of contact, advisor, and resource as the release goes through the stages of the SDL. This person must have sufficient training and experience to lead and guide the project and its team. Such a person assists in reviewing the plans, making useful recommendations, & ensuring that any required resources or training are received by the team.
During the requirements phase, the following decisions are made:
1) How shall security be integrated with the development process?
2) What are the main objectives of security?
3) How can security be maximized while disruption remains minimized?
4) What software is likely to be used with the system under development, and how will security-related features be integrated with that other software?
5) What security feature requirements are needed for the system under development? Though some of these are discovered later (when threat analysis is done), this is the time when the features determined by customer request, certification requirements, or regulatory requirements are considered.
All these steps should be taken into account and addressed at the same time the new feature and other requirements are being collected.
(B) Security in the Design Phase: During this phase of the software development life cycle, the overall plan and architecture for the system is created. As the project goes through this stage, the SDL focus remains on the following.
a) Defining the security design guidelines & architecture: This includes determining which functions are integral to security as well as which design techniques apply to the project globally. Basically it involves the creation of an overall security design.
b) Documenting the elements of the software's attack surface:
By default, which features get automatically exposed to the users?
What is the minimum possible privilege level for these features?
It is very important to find any place where the attack surface is increased and question it every time.
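Principle-2 (secure by default) and item b) above both come down to one inventory: which features are reachable by default, and at what privilege. The following is an added example (not code from the original article) that audits a service's deployment settings against a secure-by-default baseline and returns a prioritized list of every setting that widens the attack surface. The setting names, the baseline and the sample configuration are hypothetical, constructed for illustration.

```python
"""Attack-surface audit against a secure-by-default baseline (constructed example)."""
from dataclasses import dataclass

# Hypothetical baseline: optional features off, admin interface on loopback,
# unprivileged service account, TLS mandatory. Second field is the severity
# of deviating from the default (network exposure or privilege = "high").
BASELINE = {
    "debug_endpoint":     (False,       "high"),
    "legacy_api_v1":      (False,       "high"),
    "remote_admin":       (False,       "high"),
    "admin_bind_address": ("127.0.0.1", "high"),
    "run_as_user":        ("svc-app",   "high"),
    "tls_required":       (True,        "high"),
    "verbose_errors":     (False,       "medium"),
}

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PRIVILEGED_ACCOUNTS = {"root", "SYSTEM", "Administrator"}


@dataclass
class Finding:
    setting: str
    actual: object
    expected: object
    severity: str


def _deviates(key: str, actual: object, expected: object) -> bool:
    """Decide whether a value widens the attack surface relative to the baseline."""
    if key == "admin_bind_address":
        # Any non-loopback bind exposes the admin interface to the network.
        return actual not in LOOPBACK
    if key == "run_as_user":
        # A different unprivileged account is fine; a privileged one is not.
        return actual in PRIVILEGED_ACCOUNTS
    return actual != expected


def audit_attack_surface(config: dict) -> list[Finding]:
    """Return findings sorted high-severity first, then by setting name.

    A key absent from the deployment config inherits the secure default,
    which is the whole point of secure-by-default: silence is safe.
    """
    findings = []
    for key, (expected, severity) in BASELINE.items():
        actual = config.get(key, expected)
        if _deviates(key, actual, expected):
            findings.append(Finding(key, actual, expected, severity))
    return sorted(findings, key=lambda f: (f.severity != "high", f.setting))


def report(config: dict) -> list[str]:
    """Human-readable lines, one per finding, for the design-phase attack-surface document."""
    return [f"[{f.severity}] {f.setting}={f.actual!r} (secure default {f.expected!r})"
            for f in audit_attack_surface(config)]


# Constructed sample deployment that overrides several defaults.
SAMPLE_CONFIG = {
    "debug_endpoint": True,
    "admin_bind_address": "0.0.0.0",
    "run_as_user": "root",
    "verbose_errors": True,
    "tls_required": True,
}

if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Every enabled-by-default feature in the baseline is a line in the attack-surface document; every override the audit flags is the "place where the attack surface is increased" that the design review should question.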
c) Conducting threat modeling: This should be done at the component level. There are several threat modeling methods that can be used, each with its own focus and take on the process, but the intent is always to come away with a prioritized list of threats that must be mitigated, plus the areas that should receive careful examination to ensure that they function properly.
d) Defining supplemental criteria for shipping: This can include criteria such as the beta release being free of security bugs or having passed a security bug bash.
(C) Security in the Implementation Phase: During this phase, coding and integration are performed. Note that, in the Microsoft version of the SDL, this is when formal testing begins, but testing should (and usually does) continue all the way until the system is actually shipped. Any steps that can be taken in this phase to prevent or eliminate security defects are very inexpensive, and they drastically reduce the chance that these flaws will migrate into your final system.
In the SDL, the following steps are implemented:
# Use standards for coding & testing.
# Use fuzzing tools & relevant tools for security-testing.
# Use tools for code scanning / static analysis.
# Carry out code reviews.
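To make the fuzzing step concrete, here is an added example (not from the original article) of a minimal mutation-based fuzz harness, written against a hypothetical binary record format constructed for this example. It shows the pattern the SDL asks for in this phase: a naive parser that trusts the length field beside a hardened one that validates it, and a harness that reports any exception other than the documented rejection (`ValueError`) as a defect. The record format, both parsers and the harness are assumptions, not code from any real project.

```python
"""Mutation fuzz harness for a constructed record format: 1-byte type,
2-byte big-endian length, payload, 1-byte XOR checksum of the payload."""
import random


def _xor(payload: bytes) -> int:
    result = 0
    for b in payload:
        result ^= b
    return result


def build_record(rtype: int, payload: bytes) -> bytes:
    """Encode a well-formed record; used to produce the fuzzing seed."""
    return bytes([rtype]) + len(payload).to_bytes(2, "big") + payload + bytes([_xor(payload)])


def parse_record_naive(data: bytes):
    """Deliberately flawed (constructed): trusts the declared length, so a
    truncated or length-inflated record raises IndexError instead of ValueError."""
    rtype = data[0]
    length = int.from_bytes(data[1:3], "big")
    payload = data[3:3 + length]
    if _xor(payload) != data[3 + length]:
        raise ValueError("bad checksum")
    return rtype, bytes(payload)


def parse_record(data: bytes):
    """Hardened version: every index is checked before use; malformed input
    is rejected with the one documented exception type."""
    if len(data) < 4:
        raise ValueError("record too short")
    rtype = data[0]
    length = int.from_bytes(data[1:3], "big")
    if len(data) != 4 + length:
        raise ValueError("declared length does not match record size")
    payload = data[3:3 + length]
    if _xor(payload) != data[3 + length]:
        raise ValueError("bad checksum")
    return rtype, bytes(payload)


def mutate(seed: bytes, rng: random.Random) -> bytearray:
    """Apply one random mutation: bit flip, byte delete, byte insert, or truncate."""
    case = bytearray(seed)
    op = rng.randrange(4)
    if op == 0:
        i = rng.randrange(len(case))
        case[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        del case[rng.randrange(len(case))]
    elif op == 2:
        case.insert(rng.randrange(len(case) + 1), rng.randrange(256))
    else:
        del case[len(case) - rng.randint(1, len(case)):]
    return case


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Run the parser on mutated inputs. Returns {exception name: first crashing
    input} for every exception that is not the documented ValueError rejection.
    The fixed rng_seed makes a run reproducible, which matters for triage."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(bytes(case))
        except ValueError:
            continue  # expected: malformed input rejected cleanly
        except Exception as exc:  # anything else is a defect worth filing
            crashes.setdefault(type(exc).__name__, bytes(case))
    return crashes


SEED = build_record(1, b"hello")  # constructed valid record used as the fuzz seed

if __name__ == "__main__":
    print("naive parser crashes:", fuzz(parse_record_naive, SEED))
    print("hardened parser crashes:", fuzz(parse_record, SEED))
```

The same harness shape scales up: replace `mutate` with a real fuzzer's mutation engine and `parser` with the component under test, and keep the rule that only the documented error type is acceptable; everything else goes into the bug tracker as a security defect found before shipment.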
(D) Security in the Verification Phase: This is the phase in which the features are code complete and testing (including beta testing) is being conducted. In the SDL, this is the time when more stringent code reviews & a specific security test pass are conducted. It allows review & testing not only of the new or modified code but also of the unmodified legacy code in the release.
(E) Security in the Release Phase: The release phase in the SDL is when the system is put through the "Final Security Review" (FSR). This review is designed to answer the question of whether the system is now ready to be released to customers from a security standpoint. The stated ideal is to have the FSR conducted 2-6 months before the system is to be released, to ensure that the FSR is conducted on code that is as mature as possible and as unlikely as possible to change. Of course, this depends heavily on the release schedule of the system, and the move to faster and more nimble release schedules makes this timeline an almost unattainable goal in many cases.
The "Final Security Review" is intended to be conducted by an independent team, and sometimes even by outside security review consultants. This is to isolate the FSR as much as possible from the preconceptions and biases that exist on the product design team.
(F) Security in Support and Servicing: There is no way to ship a system that is 100 percent bug free, so there has to be a way to respond to newly discovered vulnerabilities. This process includes a way to evaluate reports of new vulnerabilities and issue fixes as needed.
The other thing that needs to occur during this part of the SDL is a postmortem assessment and analysis of the security bugs found. How, where, and when they were found may indicate a need for process change, a need for tool updates or changes, etc.