Think like a hacker
February 15, 2009 —
“If we’re talking about a financial application that’s running in a hosted environment, and it’s a Web application, the tester will be worried about someone trying to tamper with the logic,” DeMarines said. “If we’re talking about a piracy threat to a publisher, someone who is issuing software as part of their business, there are some ways you can go out and take a look at how those attacks are carried out, and then look at ways to bolster your defense against that. The first step is understanding how the attackers are going to look at the application and the methods they’re going to use to go after the vulnerabilities.”
Depending on the threat, organizations can carry out this form of testing with their own staff or outsource the analysis, DeMarines said. Whether an outside resource is an option depends on the organization's budget.
Jacob West, manager of Fortify Software’s security research group, said the most important thing in assessing the security of software is to ask what can go wrong. That underpins any security testing activity because it puts the focus on things the software is not supposed to do instead of things it’s supposed to do.
“The challenges for security testers are going to be very similar to the challenges that developers went through as software security became a part of software development,” West said. “Early on, we had developers saying security isn’t their problem, that’s what the security team does, and slowly we’ve convinced programmers that security is part of the development process.
“The same evolution is going to happen in the security testing space. People who have thought of themselves as doing traditional quality assurance are going to have to think of security as part of their approach. As such, they’ll start to build up some knowledge of security and the kinds of things that can go wrong in specific circumstances.”
Gwyn Fisher, CTO of Klocwork, another security tool maker, said the central problem with security is that a tester should not set out to discover whether the software is secure only at the end of the process. Instead, security testing must involve everyone: the architect should test his or her design assumptions for vulnerabilities, the coder should be responsible for testing what he or she produces, and so forth.
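West's "ask what can go wrong" and Fisher's "the coder tests what he or she produces" can be made concrete with a small example. The following is an added illustration, not code from the article, Fortify or Klocwork: a toy funds-transfer routine of the kind DeMarines' hosted financial application might contain, with a set of positive tests (what it is supposed to do) beside a set of negative tests (what it must never do, including the logic-tampering case where someone moves money out of an account they do not own). The `Ledger` class, the account and user names, and the balances are all constructed for the example.

```python
"""Positive versus negative tests for a constructed funds-transfer routine.

Positive tests check the intended behaviour. Negative tests check what the
routine must NOT do, and also that a rejected request leaves no partial
state behind. Everything here (Ledger, accounts A/B, users) is made up
for the example.
"""
from dataclasses import dataclass, field


class TransferError(Exception):
    """Raised for any request the ledger refuses to carry out."""


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)  # account id -> balance in cents
    owners: dict = field(default_factory=dict)    # account id -> owning user

    def transfer(self, actor, src, dst, amount_cents):
        """Move amount_cents from src to dst on behalf of actor; return new src balance."""
        # Only a positive whole number of cents is acceptable (bool is an int subclass, exclude it)
        if isinstance(amount_cents, bool) or not isinstance(amount_cents, int) or amount_cents <= 0:
            raise TransferError("amount must be a positive integer number of cents")
        if src not in self.balances or dst not in self.balances:
            raise TransferError("unknown account")
        if src == dst:
            raise TransferError("source and destination must differ")
        # Authorisation: the actor must own the source account (the logic-tampering check)
        if self.owners.get(src) != actor:
            raise TransferError("actor does not own the source account")
        if self.balances[src] < amount_cents:
            raise TransferError("insufficient funds")
        self.balances[src] -= amount_cents
        self.balances[dst] += amount_cents
        return self.balances[src]


def make_ledger():
    """Constructed sample data: two accounts, two owners."""
    return Ledger(balances={"A": 10_000, "B": 500}, owners={"A": "alice", "B": "bob"})


def positive_tests():
    """What the routine is supposed to do. Returns {case name: passed}."""
    results = {}
    ledger = make_ledger()
    results["returns new source balance"] = ledger.transfer("alice", "A", "B", 250) == 9_750
    results["destination credited"] = ledger.balances["B"] == 750
    results["total money conserved"] = sum(ledger.balances.values()) == 10_500
    return results


def negative_tests():
    """What the routine must never do. Returns {case name: passed}.

    A case passes only if the request is rejected with TransferError AND the
    balances are exactly as they were before the attempt.
    """
    cases = {
        "negative amount": lambda l: l.transfer("alice", "A", "B", -100),
        "zero amount": lambda l: l.transfer("alice", "A", "B", 0),
        "fractional amount": lambda l: l.transfer("alice", "A", "B", 1.5),
        "boolean amount": lambda l: l.transfer("alice", "A", "B", True),
        "overdraft by one cent": lambda l: l.transfer("alice", "A", "B", 10_001),
        "actor does not own source": lambda l: l.transfer("mallory", "A", "B", 100),
        "owner of another account": lambda l: l.transfer("bob", "A", "B", 100),
        "self transfer": lambda l: l.transfer("alice", "A", "A", 100),
        "unknown destination": lambda l: l.transfer("alice", "A", "Z", 100),
    }
    results = {}
    for name, attempt in cases.items():
        ledger = make_ledger()
        before = dict(ledger.balances)
        try:
            attempt(ledger)
            rejected = False
        except TransferError:
            rejected = True
        results[name] = rejected and ledger.balances == before
    return results


def run_all():
    """True only if every positive and every negative case passes."""
    return all(positive_tests().values()) and all(negative_tests().values())


if __name__ == "__main__":
    for name, ok in {**positive_tests(), **negative_tests()}.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The point of the split is that the negative list is where security testing lives: each entry is an answer to "what can go wrong", and each checks not just that the request is refused but that refusing it left the ledger untouched.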