All software regardless of purpose, size or cost is designed to conduct three functions; take input, process data and produce output. The environment and purpose of the software determine how the input is generated and the design and operation determine how it is used with resident data and what actions are preformed upon said data. The output may be used by people or other programs or stored in a database.
The cost of securing an application increases exponentially after the application has been developed, thus securing an application is far less expensive during its development.
The secure software development life cycle processes as defined by the following article from homeland security as a survey of current standards and methodologies.
“This article presents overview information about existing processes, standards, life-cycle models, frameworks, and methodologies that support or could support secure software development. The initial report issued in 2006 has been updated to reflect changes.”[DN][i]
Software testing is useful for developing processes that aid in the maturity of an organizations ability to determine software failures; security testing directly increases the software value however since time to market is king it’s often an afterthought or built in during subsequent revisions to the desired applications.
The primary method used to test the security of developed software is called “Fuzz Testing”, Fuzzing is designed to test the method in which input fails in a given application and how to rectify the underlying issue that caused the failure.[NJ][ii]
Other methods of software testing include Black-box, Grey-Box, Decision Table, all-pairs, state transition tables, equivalence partitioning and Boundary Value Analysis; with respect to security we are only concerned with Black Box as the defining characteristic is that there is no foreknowledge of the system under test, where the faults may be decomposed in a disassembled such as IDA Pro or GDB.[BCS][iii]
Ultimately the nature of input is unknown and as such may never be predicted, since the manipulation of input is constrained by the mechanics of the machine in question be they; memory, language, stacks used, constructs, storage media or communications channels dictate which vulnerabilities may occur and although we may mitigate the failures in the mechanics of a program change will always introduce new areas to exploit.
Software Security defined by the (ISC)2 is ensuring that due care and diligence have been observed in the design and implementation of a given platform; according to the Software Engineering Institute (SEI), Capability Maturity Model for Integration and SCAMPI may even be integrated with ISO 21827 [ZM][iv]; even then these methods only ensure that the software under test functions within the limits of the designed test cases for the allotted standards to be tested.
The nature and defining characteristic of software security is that when it does fail due to invalid input within its procedures; it does so gracefully without affecting other system components or memory areas within the system in question.
References
[i] [DN] Davis, Noopur, Carol Woody (CMU, Software Engineering Institute 2009) Secure Software Development Life Cycle Processes [Online] World Wide Web, Available from: https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/sdlc/326-BSI.html (Accessed On June 23rd 2011)
[ii] [NJ] Neystadt, John (Microsoft, 2008 ) Automated Penetration Testing with White-box fuzzing [Online] World Wide Web, Available from: http://msdn.microsoft.com/en-us/library/cc162782.aspx (Accessed on June 23rd 2011)
[iii] [BCS] n.a. (BCSSIGST, 2001) Standard for Software Component Testing [Online] PDF Document Available from: http://www.testingstandards.co.uk/Component%20Testing.pdf (Accessed on June 23rd 2011)
[iv] [ZM] Zimme, Mark K. (Booz |Allen | Hamilton, 2004) Secure and Mature: Combining CMMI SCAMPI with an ISO/IEC 21827 (SEI-CMM) Appriasial [Online] PDF Document, Available from: http://www.sei.cmu.edu/library/assets/zimmie-secure.pdf (Accessed on June 23rd 2011)
No comments:
Post a Comment