Home > Ask the Security Experts > Application Security Questions & Answers > Which automated quality assurance tools can be used to test software?
Ask The Security Expert: Questions & Answers
EMAIL THIS

Which automated quality assurance tools can be used to test software?

Michael Cobb EXPERT RESPONSE FROM: Michael Cobb

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 13 March 2008
I have read your February 2007 article, "The dangers of application logic attacks." When talking about prevention recommendations, you reference the need for quality assurance activities. Is there any technical answer for this problem, like software or frameworks?

>
EXPERT RESPONSE
To the best of my knowledge, there is no automated process or software that can ensure the security of applications as you build them. Indeed, the creation of such a tool is hard to imagine, given the difficulty of simulating all possible logic attacks for a specific, individual app.

Automated quality assurance-verification tools are often used to test software once it has been built, either by performing automated code analysis or vulnerability testing. The latter approach simulates an attacker hacking away at the application, while the former plays the role of an intelligent examiner that reviews the code; product examples include offerings from Ounce Labs Inc., Fortify Software Inc., and SPI Dynamics. For basic testing, you can have your own coders review each other's work, or you can hire an outside coder to offer a fresh perspective on where the gaps may lie.

Despite advances in computer automation, humans are still superior at ensuring applications are developed securely, probably because the best challenge is posed by humans, notably those who can think as an attacker would. However, human work is often more effective if a framework guides it. There are numerous examples of secure software development life cycle processes. The U.S. Department of Homeland Security is a good starting point to learn more.

While some of these frameworks have been applied to massive projects, such as aircraft flight control systems, other development guides can be readily used for much smaller initiatives. Such is the case with Microsoft's Trustworthy Computing Security Development Lifecycle, which breaks the build process into six phases: requirements, design, implementation, verification, release and support/servicing. And while Microsoft is hardly synonymous with software security, the company's Security by Design initiative is a valuable contribution to the creation of more secure applications.

More information:

  • If your application development process is not yet addressing security at all six phases, now is the time to start. In the meantime, be sure to read Ed Skoudis' article on software development best practices that can prevent input-validation attacks.


    • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Application Security
    Can IBM's SMash technology secure Web applications?
    Why is backscatter spam so difficult to block?
    What are the risks of disabling the User Account Control (UAC) feature on Windows Vista?
    Protecting exposed servers from Google hacks (and Google 'dorks')
    Has proof-of-concept mobile device malware translated into any meaningful attacks?
    Is it possible to ban chat programs on an enterprise LAN?
    How to test the security of personal details submitted to a website
    Is security improved when the number of Internet gateways is reduced?
    Are Internet cafe users' email credentials at risk?
    Which operating system can best secure an FTP site?

    Secure Software Development
    Vista functionality still wins over security
    Mozilla to release Firefox threat-modeling data
    Security issues found in the Spring Framework
    Software still plagued with security holes, researcher says
    Microsoft tools won't be quick fix for SQL injection attacks
    Gary McGraw on secure software development
    Product review: Mu-4000 Security Analyzer
    Product review: Klocwork Insight 8.0
    HP aims at IBM with application vulnerability scanning as service
    Information security book excerpts and reviews

    Securing Productivity Applications
    Oracle releases 45 database, application fixes
    Hacker toolkit targets Microsoft Access zero-day
    Microsoft Word zero-day being actively exploited
    Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities
    Startup Symplified delivers SSO in the cloud
    Protecting exposed servers from Google hacks (and Google 'dorks')
    Apple updates QuickTime to plug dangerous flaw
    Product review: Mu-4000 Security Analyzer
    Product review: Klocwork Insight 8.0
    PCI compliance and Web applications: Code review or firewalls?

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    bypass  (SearchSecurity.com)
    Common Weakness Enumeration  (SearchSecurity.com)
    debugging  (SearchSoftwareQuality.com)
    fuzz testing  (SearchSecurity.com)
    heuristics  (SearchSoftwareQuality.com)
    sandbox  (SearchSecurity.com)
    threat modeling  (SearchSecurity.com)
    trigraph  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    Targeted Security Channel Tips for Resellers, Integrators and Consultants
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts