Testing Code Security

The huge proliferation of security vulnerability exploits, worms, and viruses place an incredible drain on both cost and confidence for manufacturers and consumers. The release of trustworthy code requires a specific set of skills and techniques, but this information is often dispersed and decentralized, encrypted in its own jargon and terminology, and can take a colossal amount of time and data mining to find. Written in simple, common terms, Testing Code Security is a consolidated resource designed to teach beginning and intermediate testers the software security concepts needed to conduct relevant and effective tests. Answering the questions pertinent to all testing procedures, the book considers the differences in process between security testing and functional testing, the creation of a security test plan, the benefits and pitfalls of threat-modeling, and the identification of root vulnerability problems and how to test for them. The book begins with coverage of foundation concepts, the process of security test planning, and the test pass. Offering real life examples, it presents various vulnerabilities and attacks and explains the testing techniques appropriate for each. It concludes with a collection of background overviews on related topics to fill common knowledge gaps. Filled with cases illustrating the most common classes of security vulnerabilities, the book is written for all testers working in any environment, and it gives extra insight to threats particular to Microsoft Windows® platforms. Providing a practical guide on how to carry out the task of security software testing, Testing Code Security gives the reader the knowledge needed to begin testing software security for any project and become an integral part in the drive to produce better software security and safety.

Introduction, Security Vocabulary, Software Testing and Changes in the Security Landscape, All Trust Is Misplaced, Security Testing Considerations, Threat Modeling and Risk Assessment Processes, Personas and Testing, Security Test Planning, Sample Security Considerations, Vulnerability Case Study - Brute Force Browsing, Vulnerability Case Study - Buffer Overruns, Vulnerability Case Study - Cookie Tampering, Vulnerability Case Study: Cross-Site Scripting (XSS), Vulnerability Case Study: Denial of Service/Distributed Denial of Service, Vulnerability Case Study: Format String Vulnerabilities, Vulnerability Case Study: Integer Overflows and Underflows, Vulnerability Case Study: Man-in-the-Middle Attacks, Vulnerability Case Study - Password Cracking, Vulnerability Case Study - Session Hijacking, Vulnerability Case Study - Spoofing Attacks, Vulnerability Case Study - SQL Injection, Fuzz Testing, Background - Cryptography, Background - Firewalls, Background - OSI Network Model, Background - Proxy Servers, Background - TCP/IP and Other Networking Protocols, Background - Test Case Outlining (TCO), Additional Sources of Information, Index

van der Linden, Maura A.