Wednesday, June 02, 2010

Test your security!

Testing security of distributed systems is a very complex thing (sure, security is complex inherently). This is because of the nature of security requirements which is functional as well as non-functional. To meet such basket of requirements, good practise is highly recommended. The subsequent bullets list the necessary steps in a proposed order to achieve this goal:
  • Document all functional and non-functional requirements and develop use case scenarios base on it (a picture helps a lot !)
  • Invite security professionals for support and guidance
  • Conduct a comprehensive threat assessment based on a well documented system architecture and (preferable) a security architecture (invite all relevant stakeholders: product management, architects, developer, test folks, …)
  • The architecture must support flexible patch and update management
  • Review the resulting design, at least the security relevant components
  • Check on all 3rd party components in detail to identify known weaknesses; if so, look for alternatives
  • Provide and teach (!) secure coding and secure design principles to the team
  • Make sure that the team has enough time to learn and to apply such rules and principles (project management must plan accordingly!)
  • Test all functional security requirements accoring to your test specification (use well documented requirements and use case scenarios to specify test cases)
  • Use tools to check your code to identify flaws and derivations from your guidelines mentioned above
  • Apply code review if tools are not sufficient
  • Use a realistic test environment (set up) to run a kinda black box test based on tools (fuzzer, etc.)
  • Test especially all user interface (focus on web based interfaces) as well as communication stacks
  • Document all testing results and establish a rating based on criticality
  • Communicate and share your experience


Chai said...

Not to mention, unit testing as a tool to combat security flaws -- nip the bud, so to speak. Endorsements for unit testing can be found in open source (for example and elsewhere (

Maik G. Seewald said...

Yip, good input. Unit tests are a line of defense inside the code. Thanx.