Penetration Testing mailing list archives
Re: [PEN-TEST] Quality Assurance
From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Tue, 17 Oct 2000 08:39:58 -0700
On Mon, 16 Oct 2000, Levine, Adam wrote:
> Problem: How to determine that security vulnerabilities are not introduced into program code? Two situations: 1) source code available (e.g., internal development) or 2) only object code available (i.e., vendor supplied). If you have source code, then I would argue that the QA function should perform a compare and review all source code changes to assure that they are performing the intended function.

I agree as well; however, I have never actually seen this in a production environment. Further, most QA folks (not all) simply do not have the skill to examine and vet code at that level; typically, if they had this skill they would be coding, as it tends to pay a lot more. Some companies like Microsoft use a buddy system whereby another engineer has to vet your code for you. I think this is a pretty solid approach.

> If you only have object code, or as an alternative for lower risk applications, it might be acceptable to place your application into a testing utility that tells you about any object code that is not executed during regression testing. Test scripts must include destructive tests (e.g., buffer overflows, control characters). Follow up with the vendor on any code that is not executed.

You always have the luxury (provided the conditions are right, symbol tables et al.) of debugging the binary and performing rigorous testing. Or, of course, as you said, you can get a utility to bang away at it and see what comes out: black box testing, more or less. On that note, I am a strong believer that blackbox testing during audits is a fine idea. Our site recently got broken into (by our auditors), who found two remote vulnerabilities in a commercial software package by blackbox testing it.

> First question: It's my understanding that testing utilities such as described above are language specific. Can I get feedback from the list on testing utilities that perform the function above and the associated languages handled?

Like White Vampire said, you are better served asking a question like that on the secure programming list hosted here. I will dig up the announcement and post it later.

Alfred Huger
VP of Engineering
SecurityFocus.com
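The testing utility Levine describes (one that reports object code never executed during regression testing, driven by destructive inputs) can be sketched in a few dozen lines. The following is an added illustration, not code from the thread or from any tool it mentions: a minimal line-coverage tracer built on `sys.settrace`, run over a hypothetical `parse_header` function first with a benign regression set and then with the overlong and control-character inputs added. All inputs are constructed for the example.

```python
import dis
import sys


def parse_header(line, max_len=64):
    """Hypothetical target: accept one 'Key: Value' header line, rejecting
    overlong input and control characters instead of passing them on."""
    if len(line) > max_len:
        return None          # overlong input rejected
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
        return None          # control characters (NUL, CR, LF, ...) rejected
    key, sep, value = line.partition(":")
    if not sep or not key.strip():
        return None          # malformed: no separator or empty key
    return value.strip()


def run_with_coverage(func, inputs):
    """Call func on each input under a line tracer and report which of
    func's executable source lines never ran: (results, missed_lines)."""
    body = {ln for _, ln in dis.findlinestarts(func.__code__)
            if ln and ln > func.__code__.co_firstlineno}
    hit = set()

    def local_tracer(frame, event, arg):
        if event == "line":
            hit.add(frame.f_lineno)
        return local_tracer

    def global_tracer(frame, event, arg):
        # Only trace frames belonging to the function under test.
        if event == "call" and frame.f_code is func.__code__:
            return local_tracer
        return None

    sys.settrace(global_tracer)
    try:
        results = [func(i) for i in inputs]
    finally:
        sys.settrace(None)
    return results, sorted(body - hit)


# Constructed inputs: a benign regression set, then the destructive set
# (overlong field, embedded NUL/CRLF, missing separator) Levine calls for.
BENIGN_INPUTS = ["Host: example.org", "Accept: */*"]
DESTRUCTIVE_INPUTS = ["X-Long: " + "A" * 100, "Host: ex\x00ample",
                      "Host: a\r\nInjected: b", "no separator here"]
```

With only the benign set, the three rejection branches of `parse_header` show up as unexecuted lines; adding the destructive set drives them all, which is the report you would take back to the vendor for any branch that still never runs.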
Current thread:
- [PEN-TEST] Quality Assurance Levine, Adam (Oct 16)
- Re: [PEN-TEST] Quality Assurance White Vampire (Oct 17)
- Re: [PEN-TEST] Quality Assurance Alfred Huger (Oct 17)