Penetration Testing mailing list archives

Re: [PEN-TEST] Quality Assurance


From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Tue, 17 Oct 2000 08:39:58 -0700

On Mon, 16 Oct 2000, Levine, Adam wrote:

> Problem:  How to determine that security vulnerabilities are not introduced into
> program code?  Two situations:  1) source code available (e.g., internal
> development) or 2) only object code available (i.e., vendor supplied)

> If you have source code, then I would argue that the QA function should perform
> a compare and review all source code changes to assure that they are performing
> the intended function.

I agree as well; however, I have never actually seen this in a production
environment. Further, most QA folks (not all) simply do not have the skill
to examine and vet code at that level; typically, if they had this skill,
they would be coding, as it tends to pay a lot more.

Some companies like Microsoft use a buddy system whereby another engineer
has to vet your code for you; I think this is a pretty solid approach.

> If you only have object code or as an alternative for lower risk applications,
> it might be acceptable to place your application into a testing utility that
> tells you about any object code that is not executed during regression testing.
> Test scripts must include destructive tests (e.g., buffer overflows, control
> characters).  Follow up with the vendor on any code that is not executed.


You always have the luxury (provided the conditions are right, symbol
tables et al.) of debugging the binary and performing rigorous testing.
Or, of course, as you said, you can get a utility to bang away at it and see
what comes out: black-box testing, more or less. On that note, I am a strong
believer that black-box testing during audits is a fine idea. Our site
recently got broken into (by our auditors), who found two remote
vulnerabilities in a commercial software package by black-box testing it.


> First question:  It's my understanding that testing utilities such as described
> above are language specific.  Can I get feedback from the list on testing
> utilities that perform the function above and the associated languages handled?


Like white vampire said, you are better served asking a question like
that on the secure programming list hosted here; I will dig up the
announcement and post it later.


Alfred Huger
VP of Engineering
SecurityFocus.com
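One way to drive the destructive regression tests Levine describes (oversized buffers, control characters) against an opaque, vendor-supplied binary, as an added example that is not part of this thread and not code from either poster. The harness is written in Python rather than being one of the language-specific coverage utilities Levine asks about: it reports crashes, hangs and error exits per test case, and a coverage tool would still be needed to tell you which object code the suite never reached. The target it runs against is a constructed stand-in (a Python one-liner that simulates an unchecked copy and a CR/LF rejection), not any real vendor software; `argv` would point at the real binary in practice.

```python
"""Destructive black-box test driver (added example, not from the thread).

Feeds a target program oversized buffers and control characters over stdin
and records, per case, whether it ran cleanly, returned an error, hung, or
died on a signal.  TOY_TARGET below is a constructed stand-in for the
vendor binary under test.
"""
import signal
import subprocess
import sys
from typing import Dict, Iterator, List, Tuple

# ASCII control characters 0x00-0x1f plus DEL (0x7f).
CONTROL_CHARS: List[bytes] = [bytes([c]) for c in range(0x20)] + [b"\x7f"]


def destructive_inputs(base: bytes,
                       lengths: Tuple[int, ...] = (256, 1024, 4096, 65536)
                       ) -> Iterator[Tuple[str, bytes]]:
    """Yield (label, payload) pairs: long runs of 'A' to provoke overflows,
    then `base` with each control character spliced into the middle."""
    for n in lengths:
        yield f"overflow-{n}", b"A" * n
    for c in CONTROL_CHARS:
        yield f"ctrl-0x{c[0]:02x}", base + c + base


def classify(returncode: int, timed_out: bool) -> str:
    """Map a finished process to a verdict.  On POSIX, subprocess reports
    death-by-signal as a negative return code (-11 for SIGSEGV)."""
    if timed_out:
        return "timeout"
    if returncode < 0:
        return "crash:" + signal.Signals(-returncode).name
    if returncode != 0:
        return "error"
    return "ok"


def run_case(argv: List[str], payload: bytes, timeout: float = 5.0) -> str:
    """Run one input through the target and classify the outcome."""
    try:
        proc = subprocess.run(argv, input=payload, capture_output=True,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return classify(0, True)
    return classify(proc.returncode, False)


def run_suite(argv: List[str], base: bytes) -> Dict[str, str]:
    """Run every destructive case.  Anything other than "ok" or "error"
    (a clean rejection) is a finding to take to the vendor or the debugger."""
    return {label: run_case(argv, payload)
            for label, payload in destructive_inputs(base)}


# Constructed toy target (assumption: stands in for the real binary).
# It "crashes" on inputs longer than 1 KiB, simulating an unchecked copy,
# and rejects CR/LF with a non-zero exit, simulating input validation.
TOY_TARGET_SRC = r"""
import os, signal, sys
data = sys.stdin.buffer.read()
if len(data) > 1024:
    os.kill(os.getpid(), signal.SIGSEGV)
if b"\r" in data or b"\n" in data:
    sys.exit(2)
sys.stdout.write("ok\n")
"""
TOY_TARGET: List[str] = [sys.executable, "-c", TOY_TARGET_SRC]


if __name__ == "__main__":
    # Print only the cases worth following up on.
    for label, verdict in run_suite(TOY_TARGET, b"user=bob").items():
        if verdict not in ("ok", "error"):
            print(f"{label:16s} {verdict}")
```

Against the toy target the suite flags `overflow-4096` and `overflow-65536` as `crash:SIGSEGV`, while the CR and LF cases come back as `error` (a clean rejection, not a finding). The verdict split matters in practice: a non-zero exit means the program noticed the bad input, a signal means it did not.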

