How to define the scope of functional security testing

In 2007 Forrester released research that states that as much as 85% of security breaches involve internal threats. From an application security point of view, these internal threat agents are authenticated application users, technologies used to develop the application and even open source code integrated into applications. Have you ever asked whether the source code you find on the Web will add security issues to your application? I doubt it. Most are satisfied if the code works functionally.

With all of those variables coming into play, functional security testing is essential. But before you dive in, you must consider these things:

Let me offer advice for doing those things by first saying that this process should be a collective effort between business analysts, developers and security analysts, and it should have proper management support. Further, this article focuses on providing a direction to defining the scope and does not venture into the technical details.

Security facet prioritization
Assign severity levels for Availability, Integrity and Confidentiality to the information assets managed by the applications. The person responsible for this should do the following:

The next step should be to organize a comfortable platform for the information owners to qualitatively or quantitatively define and assign priorities to the identified information and technologies.

Employ the appropriate functional security tester
Security facet prioritization drives three important activities to be considered in employing appropriate functional security testing resources.

First, you want to baseline the functional security state of the application. Black box testing combined with automated testing tools can be considered during this phase.

Second, you want to define the security testing time for each functional area of the application.

Third, you want to scope out the technical skills require

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Strategies Fixing four Web 2.0 input validation security mistakes Social engineering training could disrupt botnet growth Web security problems: Five ways to stop login weaknesses Common mistakes in real-time Java programming Preparing for testing applications in the cloud The role of quality assurance (QA) pros in software security Common software security risks and oversights Using the Firefox Web Developer extension to find security flaws Web application security testing checklist How to develop secure applications Software security testing and techniques Fixing four Web 2.0 input validation security mistakes Commonly-overlooked security flaws in rich Internet applications Web security problems: Five ways to stop login weaknesses 10 steps to acing Web app security assessments Hack maliciously to boost your software's security Software Testing: How to know you're ready to start testing Software security best practices: Roles developers must play The role of quality assurance (QA) pros in software security What is fuzz testing? What are some ways to use fuzz testing? Software security: Removing insecurity from outsourced development The basics of Web application security testing Web application security testing checklist Web application security testing basics The most effective time to do security testing

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

d in performing grey box and white box functional security testing.

If you don't consider the above tasks when describing the functional security testing resources, you will end up with a totally different description after six months. Management then realizes that the skill set of the resources does not match the requirements.

SDLC integration
A daunting task for many project managers is to justify incorporating functional security testing into the software development lifecycle (SDLC). An easy way out that I have seen is to add a phase for security testing before going to production.

The repercussions of this reactive approach result in the following:

A solution to these lies with the functional security analyst helping the project managers gain knowledge from the security facet prioritization and designing a report for management that highlights the benefits of an SDLC-integrated approach. For better results from functional security testing, it should be integrated into the testing phase of the project with bug reporting following the regular reporting process. Impact analysis on each reported security flaw empowers the project manager to prioritize the corrective action plans.

Security testing strategy guidelines
Wide spectrums of applications following broad patterns pose many challenges for functional security testing. Largely due to lack of time, inadequate reporting and/or co-ordination deficiencies, testers find it difficult to complete their tasks. Integration of functional security testing into the testing phase of the SDLC is an important part of the solution. Additionally, spotlighting the following can help ease the process for testers:

Application security has been an uphill battle at many organizations, but this year's report on internal threats is a wake up call that cannot be ignored. With a considerable number of the internal threats originating from applications, functional security testing is one of the most reliable ways to identify internal security vulnerabilities.

-----------------------------------------
About the author:Vijay Vedanabhatla GCSC is a senior application security consultant . You may contact him via email at vijayphaninder@yahoo.com.