While the goal of most software testing efforts is to verify that some feature works as specified, security testing is often about checking that some features appear to fail. Good security testers (a rare breed) think from an attacker's viewpoint. They thrive on breaking things. Experts on computer security consider threat models the fundamental basis of developing and testing secure code. One cannot build a secure system without understanding the threats to the system.
In the book "Writing Secure Code", the authors define 'Threat Model' as a security-based analysis that helps people determine the highest-level security risks posed to the product and how attacks can manifest themselves. The process of threat modeling can be generalized in four simple steps:
Determining threats (step 2) is most applicable to testing. Experts at Microsoft have categorized threats through the acronym STRIDE.
Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege
In this series of blog posts on security testing, I will cover testing for all six categories of threats in subsequent posts.
Spoofing identity: (STRIDE)
What it means:
An attacker fakes his/her identity by posing as another user to access the system. An extension of this threat is when an invalid server is allowed to pose as a valid server. A malicious user can fake an identity to access confidential information and/or engage in activities to further compromise the system.
Insecure authentication technique, such as HTTP authentication
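As an added example (not from the original post or the books it cites), the following test helper audits recorded responses for the insecure HTTP authentication case named above and shows why a Basic credential offers no protection to whoever observes it. The hosts, the sample records and the severity labels are constructed assumptions.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample data: (request URL, response headers) as a tester might
# record them while crawling an application. All hosts are hypothetical.
OBSERVED = [
    ("http://intranet.example/reports", {"WWW-Authenticate": 'Basic realm="Reports"'}),
    ("https://shop.example/account", {"WWW-Authenticate": 'Basic realm="Account"'}),
    ("https://api.example/v1/items", {"WWW-Authenticate": 'Bearer realm="api"'}),
    ("http://legacy.example/admin", {"www-authenticate": 'Digest realm="admin", nonce="abc"'}),
]


def decode_basic(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value.

    Basic credentials are only base64-encoded, so anyone who can read the
    header can recover the password and then pose as that user.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip()).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def audit(observed):
    """Flag authentication challenges that make identity spoofing easier."""
    findings = []
    for url, headers in observed:
        # Header names are case-insensitive, so match them in lower case.
        challenge = next(
            (v for k, v in headers.items() if k.lower() == "www-authenticate"), ""
        )
        scheme = challenge.split(" ", 1)[0].lower()
        cleartext = urlsplit(url).scheme == "http"
        if scheme == "basic" and cleartext:
            findings.append((url, "high", "Basic over HTTP: password readable in transit"))
        elif scheme == "basic":
            findings.append((url, "medium", "Basic over TLS: password resent on every request"))
        elif scheme and cleartext:
            findings.append((url, "medium", scheme + " without TLS: server identity unverified"))
    return findings


if __name__ == "__main__":
    for url, severity, reason in audit(OBSERVED):
        print(severity.upper(), url, "-", reason)
```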
I would like to thank Michael Howard at Microsoft for his pragmatic approach towards evangelizing secure computing and his continuous support.
Disclaimer: The concepts mentioned in this series on Security Testing are a compilation from different sources listed in the References section following every blog. I've made an attempt to summarize and compile the latest concepts on security testing from experts.
Books: Writing Secure Code (Michael Howard and David LeBlanc)
How to Break Software (James Whittaker)