Software Security Testing — Dr. Gary McGraw, CTO, Cigital
Tuesday, October 30, 2007, 9:00am

What makes software testing for security any different from normal software testing? Part of the answer is tied up in expertise, experience and attitude. Security testing comes in two flavors and must involve both standard functional security testing (making sure that the security apparatus works as advertised) and risk-based testing (malicious testing that simulates attack). Risk-based security testing should be driven by architectural risk analysis results, abuse and misuse cases, and attack patterns. Unfortunately, first-generation "application security" testing misses the mark on all fronts. That's because canned black-box probes can at best show you that things are broken, but in the end say very little about security posture. This talk is about what software security testing should look like, what kinds of knowledge testers need to carry out such testing, and what the results may say about security.

About Gary McGraw, Ph.D.

His other titles include Java Security, Building Secure Software, and Exploiting Software; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for darkreading.com, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.
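The abstract's distinction between functional security testing and risk-based testing is easy to see on one small component. The example below is added here for illustration and is not code from the talk, from Cigital, or from any of the speaker's books. It assumes a hypothetical file-download handler that must keep every resolved path under an upload root; the root path, the function names, and the abuse-case inputs are all constructed for the example. The functional cases check that the resolver "works as advertised" for legitimate input; the risk-based cases are derived from the path-traversal attack pattern and a simple abuse case ("a user asks for a file outside their area"). A naive resolver passes every functional test and still fails the risk-based ones, which is the point the abstract makes about canned "it works" testing.

```python
"""Functional vs. risk-based security tests for a path resolver (added example)."""
import posixpath

# Constructed upload root; real code would take this from configuration.
ROOT = "/srv/app/uploads"


def naive_resolve(root: str, user_path: str) -> str:
    """Hypothetical first-cut implementation: join and normalize, nothing more."""
    return posixpath.normpath(posixpath.join(root, user_path))


def hardened_resolve(root: str, user_path: str) -> str:
    """Same interface, but rejects input that leaves the root or smuggles a NUL."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if posixpath.isabs(user_path):
        # posixpath.join discards the root when the second part is absolute.
        raise ValueError("absolute path rejected")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, user_path))
    # Compare on the trailing "/" so "/srv/app/uploads-evil" is not accepted as a prefix match.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError("path escapes root")
    return candidate


# Functional security cases: legitimate requests and the path they must resolve to.
FUNCTIONAL_CASES = [
    ("alice/report.pdf", "/srv/app/uploads/alice/report.pdf"),
    ("alice/./notes.txt", "/srv/app/uploads/alice/notes.txt"),
]

# Risk-based cases: constructed inputs taken from the path-traversal attack pattern.
ABUSE_CASES = [
    "../../etc/passwd",           # classic dot-dot traversal
    "/etc/passwd",                # absolute path swallows the root
    "alice/../../../etc/shadow",  # traversal hidden behind a valid prefix
    "alice/\x00.txt",             # NUL truncation once the path reaches a C API
    "..",                         # bare parent reference
]


def escapes_root(path: str) -> bool:
    """Oracle for the attack: path left ROOT, or still carries a NUL byte."""
    return "\x00" in path or (path != ROOT and not path.startswith(ROOT + "/"))


def run_functional(resolve) -> list:
    """Return (input, result) pairs where a legitimate request was mishandled."""
    failures = []
    for user_path, expected in FUNCTIONAL_CASES:
        try:
            got = resolve(ROOT, user_path)
        except ValueError as exc:
            got = exc
        if got != expected:
            failures.append((user_path, got))
    return failures


def run_risk_based(resolve) -> list:
    """Return (input, resolved) pairs where an abuse case was not stopped."""
    escapes = []
    for user_path in ABUSE_CASES:
        try:
            got = resolve(ROOT, user_path)
        except ValueError:
            continue  # rejected: the desired outcome for an attack input
        if escapes_root(got):
            escapes.append((user_path, got))
    return escapes


if __name__ == "__main__":
    for name, resolver in (("naive", naive_resolve), ("hardened", hardened_resolve)):
        print(f"{name}: functional failures={run_functional(resolver)}")
        print(f"{name}: risk-based escapes={run_risk_based(resolver)}")
```

Run as a script, the naive resolver reports no functional failures and five risk-based escapes, while the hardened resolver reports none of either. That asymmetry is what a test suite built only from "does the feature work" cases cannot reveal: the abuse cases have to come from the attack pattern and the risk analysis, not from the feature specification.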
Last Updated: Thursday, 31 May 2007