
How to attack (test) software yourself

By Michelle Davidson, Site Editor
18 Apr 2007 | SearchSoftwareQuality.com


SAN MATEO, CALIF. -- What's the best way to protect your software? Think and act like an attacker.

During his keynote address at last week's Software Security Summit, Herbert H. Thompson, Ph.D., chief security strategist at People Security, outlined four ways to attack (or test) software yourself: attack dependencies, attack the user interface, attack the design and attack the implementation. Here's a look at specific things to do for each scenario:

Attack the dependencies

  • Block access to libraries
  • Manipulate registry values
  • Force the application to use corrupt files (including write-protected, inaccessible, physically corrupt, etc.) and file names
  • Replace files that the application reads from, writes to, creates and executes
  • Force the application to operate in low memory/disk space/network availability conditions
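
The corrupt-file item above can be turned into a repeatable test of your own code. The following is an added example, not code from the keynote or this article: `load_config`, `ConfigError` and the fault cases are hypothetical stand-ins for an application's file-reading routine and the bad inputs a tester would feed it.

```python
import json
import os
import tempfile

class ConfigError(Exception):
    """Controlled failure the application is expected to raise."""

def load_config(path):
    # Hypothetical code under test: every dependency failure must surface
    # as ConfigError, never as an unhandled exception.
    try:
        with open(path, "rb") as fh:
            data = json.loads(fh.read().decode("utf-8"))
    except (OSError, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ConfigError(f"cannot load config: {type(exc).__name__}") from exc
    if not isinstance(data, dict) or "port" not in data:
        raise ConfigError("config missing required 'port'")
    return data

def build_fault_cases(workdir):
    """Create constructed bad inputs; returns {case name: path}."""
    cases = {}
    def write(name, payload):
        cases[name] = os.path.join(workdir, name)
        with open(cases[name], "wb") as fh:
            fh.write(payload)
    write("empty", b"")
    write("truncated", b'{"port": 80')          # cut off mid-document
    write("binary_garbage", bytes(range(256)))  # not valid UTF-8
    write("wrong_shape", b"[1, 2, 3]")          # parses, but wrong type
    cases["missing"] = os.path.join(workdir, "does-not-exist.json")
    cases["is_a_directory"] = os.path.join(workdir, "is_a_directory")
    os.mkdir(cases["is_a_directory"])
    return cases

def run_fault_injection(loader=load_config):
    """Return {case: 'handled' | 'accepted' | 'crashed:<ExceptionName>'}."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for name, path in build_fault_cases(workdir).items():
            try:
                loader(path)
                results[name] = "accepted"   # bad input got through
            except ConfigError:
                results[name] = "handled"    # controlled failure
            except Exception as exc:         # uncontrolled failure: a finding
                results[name] = f"crashed:{type(exc).__name__}"
    return results
```

Any result other than `handled` is a finding to fix. Write-protected and inaccessible files are left out because permission bits are not enforced when the test runs as root.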

Attack the user interface

  • Overflow input buffers
  • Examine all common switches, options, etc.
  • Explore escape characters, character sets and commands

Attack the design

  • Try common default and test account names and passwords
  • Expose unprotected test APIs
  • Connect to all ports
  • Fake the source of data
  • Create loop conditions in any application that interprets script, code, etc.
  • Use alternate routes to accomplish the same task
  • Force the system to reset values

Attack the implementation

  • Get between time of check and time of use
  • Create files with the same name as files protected with a higher classification
  • Force all error messages
  • Look for temporary files and screen their contents for sensitive information


