Security Test cases - Software-Testing
Security Test cases
I need to do the security testing for a website. I need to develop
security test cases. Can anyone help me with that?
Thanks
-
Re: Security Test cases
Tester wrote:
> I need to do the security testing for a website. I need to develop
> security test cases. Can anyone help me with that?
Read /How to Break Software/ by James Whittaker. It focusses on discovering
the kinds of loopholes that malicious users can exploit.
Then translate as many of its manual experiments as possible into automated
tests. If you can't, ask your developers for better hooks and Design For
Testing.
--
Phlip
http://c2.com/cgi/wiki?ZeekLand <-- NOT a blog!!!
-
Re: Security Test cases
On Tuesday 01 August 2006 05:19, Tester wrote:
> I need to do the security testing for a website. I need to develop
> security test cases. Can anyone help me with that?
You might find the OWASP site useful
http://www.owasp.org/
particularly the Top Ten and Testing sections.
-paul-
--
Paul E. Black (p.black{}acm.org)
-
Re: Security Test cases
Hello,
> Tester wrote:
> I need to do the security testing for a website. I need to develop
> security test cases. Can anyone help me with that?
What do you mean by this? I guess most of the security issues are
handled by the webserver itself. Are you using a standard webserver or
a self-developed webserver? If it is a standard webserver, then there is
no need to do security testing. If there are any security issues in
the webserver, then that team will release a patch, which you can
watch out for! If you are using a self-developed webserver, then you should
test the webserver. For any important exchange of data between the
client/server, try to use https instead of http.
Best Regards,
Vivekanandan M
-
Re: Security Test cases
It would help if you described exactly what you meant. For application
security, the Whittaker books mentioned already would be a start.
Chris McMahon (http://chrismcmahonsblog.blogspot.com/) also wrote about
a tool called Nessus (http://www.nessus.org/) for testing server
security. I've not used this, but it looks interesting.
Jared
Tester wrote:
> I need to do the security testing for a website. I need to develop
> security test cases. Can anyone help me with that?
>
> Thanks
-
Re: Security Test cases
Vivekanandan M wrote:
> > I need to do the security testing for a website. I need to develop
> > security test cases. Can anyone help me with that?
>
> What do you mean by this? I guess most of the security issues are
> handled by the webserver itself. Are you using a standard webserver or
> a self-developed webserver? If it is a standard webserver, then there is
> no need to do security testing. If there are any security issues in
> the webserver, then that team will release a patch, which you can
> watch out for! If you are using a self-developed webserver, then you should
> test the webserver. For any important exchange of data between the
> client/server, try to use https instead of http.
I would counsel anyone reading this thread to ignore Vivekanandan's
answer, except as an outrageous example of gross ignorance of security
issues, critical thinking, context, systems thinking, and testing
itself.
On the other hand, it's nearly impossible to answer the original
question because it too is free of context; it's right up there with
"how do I test?" In general there are eight things that we have to do
in any testing situation: we have to model the test space; figure out
what constitutes good coverage (the set of mental models by which we
will test, and the extent to which we've tested based on those models);
figure out what we will use for oracles (principles or mechanisms by
which we recognize problems); figure out what actions we need to
perform; set up the test system; operate it; observe the results; and
evaluate the results.
Your biggest security risk on this project lies in not knowing
sufficient things about security. Those who are going to want to
compromise the system probably know more than you do. It's important
that your project manager knows that this is the biggest risk, and that
he/she gets you some training and/or gets help from a specialist.
There are a number of resources that might help readers to understand
the issues and some of the testing approaches to them. Whittaker's
"How to Break Software Security" is good (as is the book on which it's
based, "How to Break Software"). I've found even more value in
"Hacking Web Applications Exposed"--I believe that it's by McClure and
Scambray. They were involved with Foundstone
security--www.foundstone.com, now a part of McAfee--and there is some
material on that site that you might find useful. You can also try
Googling for "security tutorial" and see what you get.
One more thing: for some security issues, we don't need to operate the
software to identify a problem. Many security violations are inside
jobs; many security breaches are accomplished with the unwitting
participation of insiders, too. Consider: if underpaid, unmotivated,
untrained, unaware people are given responsibility for millions of
dollars, the system is probably exploitable via one of those people.
It's possible and easy to test the technological end of the security
system while ignoring the human risks.
---Michael B.