Chapter 7. Risk-Based Security Testing[1]

[1] Parts of this chapter appeared in original form in IEEE Security & Privacy magazine, co-authored with Bruce Potter [Potter and McGraw 2004].

A good threat is worth a thousand tests.


Security testing has recently moved beyond the realm of network port scanning to include probing software behavior as a critical aspect of system behavior (see the box From Outside→In to Inside→Out on page 189). Unfortunately, testing software security is a commonly misunderstood task. Security testing done properly goes much deeper than simple black box probing on the presentation layer (the sort performed by so-called application security tools, which I rant about in Chapter 1)—and even beyond the functional testing of security apparatus.

Testers ...
