Chapter 20. Testing Software System Security
In today’s environment, security is becoming an important organizational strategy. Physical security is effective, but one of the greatest risks organizations now face is software security. This risk occurs both internally (through employees) and externally (through communication lines and Internet processing).
Testing software system security is a complex and costly activity. Performing comprehensive security testing is generally not practical. What is practical is to establish a security baseline to determine the current level of security and to measure improvements.
Effectiveness of security testing can be improved by focusing on the points where security has the highest probability of being compromised. A testing tool that has proved effective in identifying these points is the penetration-point matrix. The security-testing process described in this chapter focuses primarily on developing the penetration-point matrix, as opposed to the detailed testing of those identified points.
This test process provides two resources: a security baseline and an identification of the points in an information system that have a high risk of being penetrated. Neither resource is statistically perfect, but both have proven to be highly reliable when used by individuals knowledgeable in the area that may be penetrated.
The penetration-point tool involves building a matrix. In one dimension are the activities that may need security controls; in the ...