Chapter 5. Secure Software Testing
Chapter 5 explores different types of secure software testing activities. Each activity is based on a formal standard or methodology and adds unique value to the overall secure software testing process. An organization typically selects testing activities based on a number of factors, including secure software requirements and available resources.
Analyses of test results form the basis for assessing risk and means of remediation. Standards and methodologies such as ISO 9126, the SSE-CMM, and the OSSTMM provide additional guidance for secure software evaluation and mitigation. After software has been modified, regression testing provides assurance that the original software system functionality and security characteristics are not negatively affected by the respective changes.
Testing for Security Quality Assurance
Secure software testing has considerations in common with quality assurance testing. For example, the correct version of the software should always be tested. However, secure software testing must also address the measure of the quality of the security properties of the software. For example, software should be tested to ensure that it meets its functional specifications, and does nothing else. Testing that software does nothing else—that is, does not contain any unintended functionality—is a measure of security quality.
There is a lack of commonly agreed-upon definitions for software quality. But it is possible to refer to software quality ...
Get The CSSLP™ Prep Guide: Mastering the Certified Secure Software Lifecycle Professional now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.