Testing for security during development: why we should scrap penetrate-and-patch

Author

McGraw, Gary

Author_Institution

Reliable Software Technol., Sterling, VA, USA

Volume

13

Issue

4

fYear

1998

fDate

4/1/1998 12:00:00 AM

Firstpage

13

Lastpage

15

Abstract

In the commercial sector, security analysis has traditionally been applied at the network system level, after release, using tiger team approaches, After a successful tiger team penetration, specific system vulnerabilities are patched. I make a case for applying software engineering analysis techniques that have proven successful in the software safety arena to security-critical software code. This work is based on the generally held belief that a large proportion of security violations result from errors introduced during software development

Keywords

safety-critical software; security of data; software development management; adaptive vulnerability analysis algorithm; design for security; dynamic execution; fault injection technique; penetrate-and-patch; security during development; security-critical software code; software engineering analysis techniques; software safety; software vulnerability; testing; tiger team penetration; white-box analysis; Application software; Computer errors; Computer security; Information security; Instruments; National security; Programming; Software engineering; Software safety; Software testing;

fLanguage

English

Journal_Title

Aerospace and Electronic Systems Magazine, IEEE

Publisher

ieee

ISSN

0885-8985

Type

jour

DOI

10.1109/62.666831

Filename

666831