Why Security Testing Is Hard

Authors:
Herbert H. Thompson
Affiliations:
-
Venue:
IEEE Security and Privacy
Year:
2003

Citing 1
Cited 10

Software security vulnerability testing in hostile environments

Proceedings of the 2002 ACM symposium on Applied computing

Black Box Debugging

Queue - Distributed Development
Does Trusted Computing Remedy Computer Security Problems?

IEEE Security and Privacy
Secure Software Development by Example

IEEE Security and Privacy
Report: Functional Security Testing Closing the Software --- Security Testing Gap: A Case from a Telecom Provider

ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
Selective Regression Test for Access Control System Employing RBAC

ISA '09 Proceedings of the 3rd International Conference and Workshops on Advances in Information Security and Assurance
Using implied scenarios in security testing

Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems
An integrated application of security testing methodologies to e-voting systems

ePart'10 Proceedings of the 2nd IFIP WG 8.5 international conference on Electronic participation
Security mutation testing of the FileZilla FTP server

Proceedings of the 2011 ACM Symposium on Applied Computing
Practical elimination of external interaction vulnerabilities in web applications

Journal of Web Engineering
Message confidentiality testing of security protocols: passive monitoring and active checking

TestCom'06 Proceedings of the 18th IFIP TC6/WG6.1 international conference on Testing of Communicating Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Software testing is a discipline that has become pretty good at verifying requirements. Languages such as the Unified Modeling Language have made the process of moving from a specification (what the application should do) to test cases (verification that the application operates as specified) much easier. However, several types of bugs routinely escape testing. Many of these flaws are not specification violations in the traditional sense, meaning that the application might behave correctly according to requirements, but it might perform some additional, unspecified task in the process. Bugs like these would necessarily escape most automated testing because testers craft test cases to look for the presence of some correct behavior and not the absence of additional behavior. The subtle nature of most security bugs and why testing for them can be difficult is examined.