News Stay informed about the latest enterprise technology news and product updates.

How to attack (test) software yourself

What's the best way to protect your software? Act like an attacker. Herbert H. Thompson, PhD., chief security strategist at People Security, outlines how to attack (test) software yourself.

SAN MATEO, CALIF. -- What's the best way to protect your software? Think and act like an attacker.

During his keynote address at last week's Software Security Summit, Herbert H. Thompson, PhD., chief security strategist at People Security, outlined four ways to attack (or test) software yourself: attack dependencies, attack the user interface, attack the design and attack the implementation. Here's a look a specific things to do for each scenario:

Attack the dependencies

  • Block access to libraries
  • Manipulate registry values
  • Force the application to use corrupt files (includes write protected, inaccessible, physically corrupt etc.) and file names
  • Replace files that the application reads from, writes to, creates and executes
  • Force the application to operate in low memory/disk space/ network availability conditions

Attack the user interface

  • Overflow input buffers
  • Examine all common switches, options, etc.
  • Explore escape characters, character sets and commands

Attack the design

  • Try common default and test account names and passwords
  • Expose unprotected test APIs
  • Connect to all ports
  • Fake the source of data
  • Create loop conditions in any application that interprets script, code etc
  • Use alternate routes to accomplish the same task
  • Force the system to reset values

Attack the implementation

  • Get between time of check and time of use
  • Create files with the same name as files protected with a higher classification
  • Force all error messages
  • Use look for temporary files and screen their contents for sensitive information

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.