Software Security Testing Challenges and Implementation

Bhupender saini
Oct 17, 2020

A lot of research has been done recently towards creating effective approaches to increase the security testing scope and effectiveness. Software security testing is a key aspect to ensure reliability, confidence, and trust in software applications. Secure software can contribute to the software quality and plays a vital role in reducing the risk of intentional/unintentional cyber attacks or failures that can severely affect the reputation of a software company and can lead to negative consequences.

Insufficient planning and negligence in security testing can lead to unexpected consequences:
1. A software product with vulnerabilities, such as poor encryption or unaddressed or unprotected bugs, will often impede general productivity and negatively impact applications currently in production.
2. Security flaws and breaches can lead to fines and sanctions for lack of regulatory compliance.
3. Not addressing these issues before releasing a product will eventually require you to devote additional time and effort.
4. You lose customers' trust, and hence customers and profits.
5. Software quality, reliability and security are tightly coupled⁶.

Therefore, introducing an efficient way of security testing is one of the major concerns for organizations.

What is security testing?

There are many definitions of software security.

According to G. McGraw¹,

Software security is simply about the process of building secure software by designing software to be secure, emphasizing that the software is secure, and educating software architects, developers, and users about how to build and use secure things.

A simpler definition is provided by Julia Allen:

Software Security is the software’s ability to highly resist, tolerate, and recover from cases that strongly threaten the product.

Reading the above definition, we get three requirements of secure software: it must be highly resistant to, tolerant of, and resilient towards attack. However, the security of a software application is not limited to these requirements. According to Tian-Yang², software security requirements mainly include data confidentiality, integrity, availability, authentication, authorization, access control, audit, privacy protection, and security management.

A very important and different perspective was presented by Brad Arkin³: software security defects and vulnerabilities are not related to security functionality; rather, they originate from an attacker's unexpected but intentional misuse of the application. Furthermore, if we characterize functional testing as testing for positives, verifying that a feature performs as it should, then security testing is in some sense testing for negatives: test scenarios driven by abuse cases and architectural risks that simulate the behavior of a system under attack. This gives rise to a limitation: the scope of the generated negative test scenarios depends solely on the security tester's imagination, expertise, and knowledge.
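The contrast between positive and negative tests described above, as an added example that is not part of the original article. The hypothetical `naive_resolve` and `hardened_resolve` functions, the `BASE` directory and all test inputs are constructed for illustration.

```python
import posixpath

BASE = "/srv/app/files"  # assumed storage root of a hypothetical download handler


def naive_resolve(name):
    """Implements the feature only; misuse was never considered."""
    return posixpath.normpath(posixpath.join(BASE, name))


def hardened_resolve(name):
    """Same feature, but refuses any name that leaves BASE."""
    if not name or name.startswith("/"):
        raise ValueError("rejected file name")
    path = posixpath.normpath(posixpath.join(BASE, name))
    if not path.startswith(BASE + "/"):
        raise ValueError("path escapes storage root")
    return path


# Positive (functional) cases: the feature performs as specified.
FUNCTIONAL = {
    "report.pdf": BASE + "/report.pdf",
    "2020/q3.csv": BASE + "/2020/q3.csv",
}

# Negative (abuse) cases, constructed: every one of these must be refused.
ABUSE = ["../secrets.env", "2020/../../secrets.env", "/etc/hostname", "", "..", "."]


def functional_failures(resolve):
    """Names for which the implementation returns the wrong path."""
    return [n for n, want in FUNCTIONAL.items() if resolve(n) != want]


def abuse_accepted(resolve):
    """Abuse cases the implementation wrongly accepts."""
    accepted = []
    for name in ABUSE:
        try:
            resolve(name)
        except ValueError:
            continue  # refused, as required
        accepted.append(name)
    return accepted
```

Both implementations pass the functional cases; only the abuse cases tell them apart, and the list is only as complete as the tester who wrote it.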

Developing a secure software application is quite hard to achieve and has its own challenges. Here, I will give a brief idea of the security testing challenges during implementation and of what a secure software development life cycle looks like.

Challenges in Implementing Security Testing:

American Security Today provides a brief overview of the challenges faced during security testing:

Speed of Software Development:

Fast-paced SDLC

The dynamic and fast-paced nature of software development encourages the team to neglect issues to achieve project goals or meet the deadlines. Hence, there is a high chance that security testing guidelines will be bypassed or partially ignored.

Risks of Using Open Source Components:

Using open-source components with little or no knowledge of their internals may lead to vulnerabilities, unwanted complexity, and inconsistencies in the overall product. Avoid open-source components unless it is not possible to write the code yourself. Application vulnerability tools that perform Software Composition Analysis (SCA) can help in locating and tracking vulnerable components.
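The core of what an SCA tool does, as an added example that is not part of the original article and not the code of any particular tool: pinned components are matched against advisory version ranges. The manifest format, package names, versions and advisory IDs are all constructed.

```python
# Constructed inputs: package names, versions and advisory IDs are invented.
MANIFEST = """\
# pinned third-party components
examplelib-http==2.4.1
examplelib-yaml==5.1
examplelib-crypto==1.0.9
examplelib-log            # no pin: version cannot be checked
"""

ADVISORIES = [  # affected range is introduced <= version < fixed
    {"id": "ADV-EXAMPLE-0001", "package": "examplelib-http",
     "introduced": "2.0.0", "fixed": "2.4.3"},
    {"id": "ADV-EXAMPLE-0002", "package": "examplelib-yaml",
     "introduced": "0", "fixed": "5.1.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "examplelib-crypto",
     "introduced": "1.0.0", "fixed": "1.1.0"},
]


def version_key(version, width=4):
    """Numeric, zero-padded key so that 5.1 and 5.1.0 compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def parse_manifest(text):
    """Return ({name: version}, [unpinned names]) from name==version lines."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            pins[name.strip()] = version.strip()
        else:
            unpinned.append(name.strip())
    return pins, unpinned


def find_vulnerable(pins, advisories):
    """List (package, version, advisory id, fixed version) for affected pins."""
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"])
        if version is None:
            continue
        if version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
            findings.append((adv["package"], version, adv["id"], adv["fixed"]))
    return findings
```

The unpinned entry is reported separately because a component without a known version can be neither cleared nor flagged.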

Vulnerabilities in Code:

Securely developed applications can still be at risk due to vulnerabilities and weaknesses in programming languages. Every programming language is prone to its own vulnerabilities and limitations, which can be used in attacking the application. For example, the most common vulnerabilities of the C programming language are buffer overflow errors, format string vulnerabilities, and integer errors. Increasing awareness of the known issues of programming languages can significantly reduce the security risks.

Lack of AppSec Planning:

AppSec is defined as the process of securing all the software a business uses. Lack of proper planning can lead to unmanageable security issues and unclear expectations of the requirements for production-ready products, which can also lead the team towards ineffective methods.

Security Testing in the Secure Software Development Life cycle

It is a well-known and accepted fact that the cost of fixing bugs and security vulnerabilities increases as we move right in the software development life cycle. In other words, the cost of fixing issues will be higher in the later stages.

Bachmann et al.⁴ described how security testing can be performed during the Secure SDLC. The figure below shows how different security testing techniques are used in the secure software development life cycle.

Different security testing techniques in the software development life cycle.

During Planning and Design Phase:

In this phase, static approaches such as architecture security reviews and threat modeling are among the most crucial security testing methods, and they help in selecting tools and techniques for testing in later stages:
• An Architecture Security Review is the manual review of the product architecture, which ensures fulfillment of the security requirements. Detecting architectural flaws at an early stage saves cost and effort.
• Threat modeling is a structured manual analysis of an application-specific business case or user scenarios⁴. This analysis is guided by a set of precompiled security threats. Once the threats are identified, their impact and potential countermeasures specific to the development of the software product can be introduced. These methods help in identifying the attack surface and the most critical components, which shows what to focus on during security testing activities.

During Software Development:

In the development stages, the following techniques are applicable:
• Static Source Code Analysis (SAST) and Manual Code Review examine the application source code for vulnerabilities and help in detecting insecure programming, outdated libraries, and configurations, which is one of the challenges discussed in the earlier section.
• Static Binary Code Analysis and Manual Binary Review analyze the compiled application (binary) to find vulnerabilities without actually executing the application.

During Executable in test environment:

Various techniques are applicable here, such as penetration testing (manual or automated), vulnerability scanner tests, fuzz testing, and many more. However, these dynamic techniques usually achieve lower coverage than static approaches and are mainly focused on detecting vulnerabilities related to data flows across the system and already known vulnerabilities.

During Maintenance and operation:

In this phase, testing ensures that software configurations are still secure and that accidental violations related to authorization or authentication have not occurred. In addition, passive security testing techniques such as intrusion detection systems or monitoring systems can be used to observe the behavior of the software, and this is a highly recommended practice. During this stage, rigorous security testing of updates and patches is also performed to ensure that new vulnerabilities do not arise as side effects.

Techniques of Security testing:

Implementing security activities throughout the software development life cycle requires different methodologies and techniques to successfully develop secure software in the end. Security testing basically follows two types of approaches⁵:
1. Testing software to validate its functionality and mechanism checks.
2. Performing a risk-based approach according to the attacker's mindset.

I will explain different types of testing techniques and risk assessment some other time, or maybe in my next stories.

Conclusion:

In this article, we discussed the challenges in developing secure software applications and the different techniques that can be used in the software development life cycle. We learnt that fast-paced development and improper planning are some of the bottlenecks for secure software development. It is highly recommended to start security testing as early as possible.

REFERENCES:

  1. G. McGraw. “Software security”. In: IEEE Security & Privacy 2.2 (2004).
  2. Gu Tian-yang, Shi Yin-Sheng, and Fang You-yuan. “Research on software security testing”. In: World Academy of Science, Engineering and Technology 70 (2010).
  3. Brad Arkin, Scott Stender, and Gary McGraw. “Software penetration testing”. In: IEEE Security & Privacy 3.1 (2005).
  4. Ruediger Bachmann and Achim D Brucker. “Developing secure software: A holistic approach to security testing”. In: Datenschutz und Datensicherheit (DuD) 38 (2014).
  5. Itti Hooda and Rajender Singh Chhillar. “Software test process, testing types and techniques”. In: International Journal of Computer Applications 111.13 (2015).
  6. ASAM Al-Ghamdi. “A survey on software security testing techniques”. In: Int J Comput Sci Telecommun 4 (2013).
