Chapter 7. Risk-Based Security Testing[1]
A good threat is worth a thousand tests.
--BORIS BEIZER
Security testing has recently moved beyond the realm of network port scanning to include probing software behavior as a critical aspect of system behavior (see the box From Outside→In to Inside→Out on page 189). Unfortunately, testing software security is a commonly misunderstood task. Security testing done properly goes much deeper than simple black box probing on the presentation layer (the sort performed by so-called application security tools, which I rant about in Chapter 1)—and even beyond the functional testing of security apparatus.
Testers ...
Get Software Security: Building Security In now with the O’Reilly learning platform.