DocumentCode
3053311
Title
Testing for security during development: why we should scrap penetrate-and-patch
Author
McGraw, Gary
Author_Institution
Reliable Software Technol., Sterling, VA, USA
fYear
1997
fDate
16-19 Jun 1997
Firstpage
117
Lastpage
119
Abstract
In the commercial sector security analysis has traditionally been applied at the network system level, after release, using tiger team approaches. After a successful tiger team penetration, specific system vulnerability is patched. I make a case for applying software engineering analysis techniques that have proven successful in the software safety arena to security-critical software code. This work is based on the generally held belief that a large proportion of security violations result from errors introduced during software development.
Keywords
program debugging; program testing; safety-critical software; security of data; software development management; commercial sector; errors; network system level; penetrate-and-patch; program testing; security analysis; security critical software; security violations; software development; software engineering analysis techniques; software safety; system vulnerability; tiger team approach; Application software; Computer errors; Computer security; Information security; Instruments; Performance analysis; Programming; Software engineering; Software safety; Testing;
fLanguage
English
Publisher
IEEE
Conference_Titel
Computer Assurance, 1997. COMPASS '97. Are We Making Progress Towards Computer Assurance? Proceedings of the 12th Annual Conference on
Conference_Location
Gaithersburg, MD
Print_ISBN
0-7803-3979-7
Type
conf
DOI
10.1109/CMPASS.1997.613270
Filename
613270