kioko
Presentation Transcript


  1. Safety vs. Security
     An asset is safe & secure if it is free from unwanted damage. What’s the difference? (safety / security) Traditional software testing doesn’t distinguish.

  2. What Makes Security Testing More Difficult? “The difference between software safety and software security is therefore the presence of an intelligent adversary bent on breaking the system.” http://www.cigital.com/papers/download/bsi4-testing.pdf

  3. Security Flaw Sources
     Coding (implementation) vulnerabilities: what to look for and how to search?
     Design flaws: use threat/risk analysis to discover what needs testing.
     Testing needs to ensure 1) functionality is properly implemented, and 2) risk is acceptable.

  4. Security Testing Open Source Security Testing Methodology Manual http://www.isecom.org/mirror/OSSTMM.3.pdf

  5. Types
     Blind: tester knows nothing about assets and defenses; target knows test details.
     Double Blind: tester knows nothing about assets and defenses; target is unaware of test.
     Gray Box: tester has incomplete knowledge of assets and defenses; target knows test details.
     Double Gray Box: tester has incomplete knowledge of assets and defenses; target expects test, but doesn’t know details.
     Tandem: both tester and target know details of the assets, defense and test.
     Reversal: tester knows details of assets and defenses, but target is unaware of test.

  6. Reasons Testing Fails
     ____________: testing discovers an error that isn’t real.
     _____________: testing fails to discover an existing vulnerability.
     _____: testing outcomes don’t necessarily reveal problems accurately (gray positives and gray negatives).
     ________: a test cannot be completed and is therefore inconclusive.
     ____________: a test is bungled.
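The failure modes on slide 6 only become measurable when a test's verdicts are scored against what is actually known about the assets. The following Python is an added example, not part of the presentation: it takes a constructed set of known-vulnerable assets and a constructed table of per-asset scanner verdicts (both labelled as assumptions in the code), and classifies each verdict as a true/false positive, true/false negative, or inconclusive result, also flagging assets the test never reached. The category names and the asset identifiers are this example's own choices, not terms taken from the slides.

```python
from collections import Counter

# Constructed ground truth (assumption for this example): assets known to carry
# a real vulnerability, e.g. from a prior code review or vendor advisory.
KNOWN_VULNERABLE = {"web-01", "db-02"}

# Constructed asset inventory (assumption): everything the test was scoped to cover.
ALL_ASSETS = {"web-01", "web-02", "db-01", "db-02", "vpn-01", "mail-01"}

# Constructed scanner output (assumption): asset -> verdict.
# Allowed verdicts: "vuln", "clean", "inconclusive".
SCAN_RESULTS = {
    "web-01": "vuln",           # real vulnerability, correctly found
    "web-02": "vuln",           # "discovers an error that isn't real"
    "db-01": "clean",           # correctly reported clean
    "db-02": "clean",           # "fails to discover an existing vulnerability"
    "vpn-01": "inconclusive",   # "a test cannot be completed"
    # "mail-01" is absent: the test never reached it
}

VALID_VERDICTS = {"vuln", "clean", "inconclusive"}


def classify(asset, verdict, known_vulnerable):
    """Map one (asset, verdict) pair to an outcome category."""
    if verdict not in VALID_VERDICTS:
        raise ValueError(f"unknown verdict {verdict!r} for {asset}")
    if verdict == "inconclusive":
        return "inconclusive"
    truly_vulnerable = asset in known_vulnerable
    if verdict == "vuln":
        return "true_positive" if truly_vulnerable else "false_positive"
    # verdict == "clean"
    return "false_negative" if truly_vulnerable else "true_negative"


def score(results, known_vulnerable, all_assets):
    """Return a Counter of outcome categories over the whole scope.

    Assets in scope but missing from the results are counted as "untested",
    so coverage gaps are visible alongside false positives/negatives.
    """
    counts = Counter(
        classify(asset, verdict, known_vulnerable)
        for asset, verdict in results.items()
    )
    counts["untested"] = len(all_assets - set(results))
    return counts


def miss_rate(counts):
    """Fraction of real vulnerabilities the test failed to report.

    Only conclusive verdicts on truly vulnerable assets are in the denominator;
    inconclusive and untested assets are reported separately, not hidden here.
    """
    found = counts["true_positive"]
    missed = counts["false_negative"]
    return missed / (found + missed) if (found + missed) else 0.0


if __name__ == "__main__":
    c = score(SCAN_RESULTS, KNOWN_VULNERABLE, ALL_ASSETS)
    for category, n in sorted(c.items()):
        print(f"{category:15s} {n}")
    print(f"miss rate: {miss_rate(c):.2f}")
```

Reporting `inconclusive` and `untested` as their own buckets, rather than folding them into "clean", is the point of the example: a test that silently skips an asset looks identical to a true negative unless the scoring keeps them apart.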
