Any security testing method aims to ensure that the software under test meets the security goals of the system and is robust and resistant to malicious attacks. Security testing involves two distinct approaches: first, testing security mechanisms to ensure that their functionality is properly implemented; and second, performing risk-based security testing motivated by understanding and simulating the attacker’s approach. White box security testing follows both of these approaches and uncovers programming and implementation errors. The types of errors uncovered during white box testing are varied and depend heavily on the context of the software under test. Some examples of errors uncovered include:
- data inputs compromising security
- sensitive data being exposed to unauthorized users
- improper control flows compromising security
- incorrect implementations of security functionality
- unintended software behavior that has security implications
- design flaws not apparent from the design specification
- boundary limitations not apparent at the interface level
White box testing greatly enhances overall test effectiveness and test coverage. It can greatly improve productivity in uncovering bugs that are hard to find with black box testing or other testing methods alone.
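As an added illustration (not code from the original post), the sketch below shows a boundary limitation that is not apparent at the interface level: an interface-level test passes on both implementations, while a test built from the boundary visible in the source flags the flawed one. The function names, `FIELD_LEN`, the salt and the sample passwords are all constructed for this example.

```python
import hashlib
import hmac

FIELD_LEN = 8                # hypothetical internal field width, absent from the interface
SALT = b"constructed-salt"   # constructed sample value

def derive_flawed(password: str) -> bytes:
    # Implementation error under test: input is silently cut to FIELD_LEN bytes.
    data = password.encode()[:FIELD_LEN]
    return hashlib.pbkdf2_hmac("sha256", data, SALT, 1000)

def derive_fixed(password: str) -> bytes:
    # Corrected form: the whole input reaches the key derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 1000)

def black_box_checks(derive) -> bool:
    # Interface-level test: right password accepted, unrelated one rejected.
    stored = derive("correct horse battery")
    accepted = hmac.compare_digest(stored, derive("correct horse battery"))
    rejected = not hmac.compare_digest(stored, derive("wrong password"))
    return accepted and rejected

def boundary_checks(derive, boundary: int) -> list:
    # White box test: lengths are chosen from the boundary seen in the code.
    # Each pair differs only in its last character; a match means that
    # character never influenced the result.
    ignored_at = []
    for length in (boundary - 1, boundary, boundary + 1, boundary * 2):
        first = "a" * length
        second = "a" * (length - 1) + "b"
        if hmac.compare_digest(derive(first), derive(second)):
            ignored_at.append(length)
    return ignored_at

if __name__ == "__main__":
    for name, derive in (("flawed", derive_flawed), ("fixed", derive_fixed)):
        print(name, black_box_checks(derive), boundary_checks(derive, FIELD_LEN))
```

The interface-level check cannot tell the two implementations apart; only the lengths chosen just past the internal boundary show that trailing characters are ignored.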