
How to attack (test) software yourself

Michelle Davidson

SAN MATEO, CALIF. -- What's the best way to protect your software? Think and act like an attacker.

During his keynote address at last week's Software Security Summit, Herbert H. Thompson, Ph.D., chief security strategist at People Security, outlined four ways to attack (or test) software yourself: attack dependencies, attack the user interface, attack the design and attack the implementation. Here's a look at specific things to do for each scenario:

Attack the dependencies

  • Block access to libraries
  • Manipulate registry values
  • Force the application to use corrupt files (including write-protected, inaccessible, physically corrupt, etc.) and file names
  • Replace files that the application reads from, writes to, creates and executes
  • Force the application to operate in low memory, low disk space and low network availability conditions

Attack the user interface

  • Overflow input buffers
  • Examine all common switches, options, etc.
  • Explore escape characters, character sets and commands

Attack the design

  • Try common default and test account names and passwords
  • Expose unprotected test APIs
  • Connect to all ports
  • Fake the source of data
  • Create loop conditions in any application that interprets script, code, etc.
  • Use alternate routes to accomplish the same task
  • Force the system to reset values

Attack the implementation

  • Get between time of check and time of use
  • Create files with the same name as files protected with a higher classification
  • Force all error messages
  • Look for temporary files and screen their contents for sensitive information
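
The "time of check and time of use" item can be turned into a repeatable test of your own file-handling code. The sketch below is an added example, not code from Thompson's talk or from this article: the function names and the `between` test hook are hypothetical, the files are constructed samples, and a POSIX system is assumed. It runs a check-then-open reader and an open-then-check reader through the same mid-call path swap.

```python
import os
import stat
import tempfile


def read_racy(path, between=None):
    """Check, then use: the path is resolved twice and can change in between."""
    st = os.lstat(path)                      # time of check
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    if between:                              # test hook: stands in for another process
        between()
    with open(path, "rb") as f:              # time of use: path is resolved again
        return f.read()


def read_checked(path, between=None):
    """Open once, then validate the object behind the descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if between:
            between()
        st = os.fstat(fd)                    # check and use share one inode
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def run_swap_test(reader):
    """Return what `reader` yields when its path is swapped mid-call."""
    with tempfile.TemporaryDirectory() as d:  # constructed sample files
        target = os.path.join(d, "report.txt")
        other = os.path.join(d, "restricted.txt")
        with open(target, "wb") as f:
            f.write(b"public")
        with open(other, "wb") as f:
            f.write(b"RESTRICTED")

        def swap():
            os.remove(target)
            os.symlink(other, target)

        return reader(target, between=swap)


if __name__ == "__main__":
    print("racy:   ", run_swap_test(read_racy))
    print("checked:", run_swap_test(read_checked))
```

The check-then-open reader returns the contents of the file it never validated, while the descriptor-based reader keeps returning the file it opened and refuses a path that is already a symlink.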

