Chapter 7. Risk-Based Security Testing[1]

[1] Parts of this chapter appeared in original form in IEEE Security & Privacy magazine, co-authored with Bruce Potter [Potter and McGraw 2004].

A good threat is worth a thousand tests.

 
 --BORIS BEIZER

Security testing has recently moved beyond the realm of network port scanning to include probing software behavior as a critical aspect of system behavior (see the box From Outside→In to Inside→Out on page 189). Unfortunately, testing software security is a commonly misunderstood task. Security testing done properly goes much deeper than simple black box probing on the presentation layer (the sort performed by so-called application security tools, which I rant about in Chapter 1)—and even beyond the functional testing of security apparatus.

Testers ...
