Article

Software security vulnerability testing in hostile environments

Authors:

Herbert H. Thompson,

James A. Whittaker,

Florence E. MottayAuthors Info & Claims

SAC '02: Proceedings of the 2002 ACM symposium on Applied computing

Pages 260 - 264

https://doi.org/10.1145/508791.508844

Published: 11 March 2002 Publication History

Get Access

Abstract

Traditional Black box software testing can be effective at exposing some classes of software failures. Security class failures, however, do not tend to manifest readily using these techniques. The problem is that many security failures occur in stressed environments, which appear in the field, but are often neglected during testing because of the difficulty to simulate these conditions. Software can only be considered secure if it behaves securely under all operating environments. Hostile environment testing must thus be a part of any overall testing strategy. This paper describes this necessity and a black box approach for creating such environments in order to expose security vulnerabilities.

References

[1]

Bowden, T.;. Segal, M., "Remediation of Application-Specific Security Vulnerabilities at Runtime", IEEE Software, Vol. 17, No. 5, pp. 59-67, September/October 2000.

Digital Library

Google Scholar

[2]

Houlihan, P., "Targeted software fault insertion," Proceedings of STAR EAST 2001 (Software Testing Analysis and Review), Software Quality Engineering, Inc., Orlando FL, 2001.

Google Scholar

[3]

Richter, J., Programming Applications for Microsoft Windows, Microsoft Press, 1997.

Digital Library

Google Scholar

[4]

Viega, J. and McGraw, G., Building Secure Software, Addison-Wesley, 2001.

Google Scholar

[5]

Viega, J.; Kohno, T.; Potter, B., "Trust (and Mistrust) in Secure Applications", Communications of the ACM, Vol. 44, No. 2, pp. 31-36, February 2001.

Digital Library

Google Scholar

[6]

Voas, J. and McGraw, G., Software fault injection: inoculating programs against errors, Wiley, NY, 1998.

Digital Library

Google Scholar

[7]

Whittaker, J., "Software's invisible users," IEEE Software, Vol. 18, No. 3, pp. 84-88 (2001).

Digital Library

Google Scholar

Cited By

View all

Stamou APantazopoulos PHaddad SAmditis A(2021)Enabling Efficient Common Criteria Security Evaluation for Connected Vehicles2021 IEEE International Conference on Cyber Security and Resilience (CSR)10.1109/CSR51186.2021.9527905(234-240)Online publication date: 26-Jul-2021
https://doi.org/10.1109/CSR51186.2021.9527905
Maliatsos KLyvas CPantazopoulos PLambrinoudakis CKanatas AGay MAmditis A(2019)Standardizing Security Evaluation Criteria for Connected Vehicles: A Modular Protection Profile2019 IEEE Conference on Standards for Communications and Networking (CSCN)10.1109/CSCN.2019.8931344(1-7)Online publication date: Oct-2019
https://doi.org/10.1109/CSCN.2019.8931344
Tsankov PMarinovic STorabi Dashti MBasin DAhn GYung MLi N(2014)Fail-Secure Access ControlProceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security10.1145/2660267.2660307(1157-1168)Online publication date: 3-Nov-2014
https://dl.acm.org/doi/10.1145/2660267.2660307
Show More Cited By

Index Terms

Software security vulnerability testing in hostile environments
1. Security and privacy
  1. Systems security
    1. Operating systems security
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Software security vulnerabilities: baselining and benchmarking
SEAD '18: Proceedings of the 1st International Workshop on Security Awareness from Design to Deployment

The security of a company's software products is of paramount importance, of course, and arguably even more important than software reliability and the other key quality attributes. But companies are currently faced with a troublesome dilemma: Supplying ...
Security Engineering Approach to Support Software Security
SERVICES '10: Proceedings of the 2010 6th World Congress on Services

As information security and privacy become increasingly important to organizations, the demand grows for software development processes that assure information integrity, availability, and confidentiality. Unfortunately, despite the investments made in ...
Testing for Software Vulnerability Using Environment Perturbation
DSN '00: Proceedings of the 2000 International Conference on Dependable Systems and Networks (formerly FTCS-30 and DCCA-8)

We describe a methodology for testing a software system for possible security flaws. Based on the observation that most security flaws are caused by the program's inappropriate interactions with the environment, and triggered by user's malicious ...

Comments

Information & Contributors

Information

Published In

SAC '02: Proceedings of the 2002 ACM symposium on Applied computing

March 2002

1200 pages

ISBN:1581134452

DOI:10.1145/508791

Conference Chair:
Gary B. Lamont
Air Force Institute of Technology, USA
,
Program Chairs:
Hisham Haddad
Kennesaw State Univ., USA
,
George Papadopoulos
Univ. of Cyprus, Cyprus
,
Publications Chair:
Brajendra Panda
University of Arkansas, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 March 2002

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

SAC02

Sponsor:

SIGAPP

SAC02: 2002 ACM Symposium on Applied Computing

March 11 - 14, 2002

Madrid, Spain

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

22
Total Citations
View Citations
2,058
Total Downloads

Downloads (Last 12 months)9
Downloads (Last 6 weeks)0

Reflects downloads up to 15 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Stamou APantazopoulos PHaddad SAmditis A(2021)Enabling Efficient Common Criteria Security Evaluation for Connected Vehicles2021 IEEE International Conference on Cyber Security and Resilience (CSR)10.1109/CSR51186.2021.9527905(234-240)Online publication date: 26-Jul-2021
https://doi.org/10.1109/CSR51186.2021.9527905
Maliatsos KLyvas CPantazopoulos PLambrinoudakis CKanatas AGay MAmditis A(2019)Standardizing Security Evaluation Criteria for Connected Vehicles: A Modular Protection Profile2019 IEEE Conference on Standards for Communications and Networking (CSCN)10.1109/CSCN.2019.8931344(1-7)Online publication date: Oct-2019
https://doi.org/10.1109/CSCN.2019.8931344
Tsankov PMarinovic STorabi Dashti MBasin DAhn GYung MLi N(2014)Fail-Secure Access ControlProceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security10.1145/2660267.2660307(1157-1168)Online publication date: 3-Nov-2014
https://dl.acm.org/doi/10.1145/2660267.2660307
Dai HMurphy CKaiser G(2012)CONFUSecurity-Aware Systems Applications and Software Development Methods10.4018/978-1-4666-1580-9.ch009(152-167)Online publication date: 2012
https://doi.org/10.4018/978-1-4666-1580-9.ch009
Morais ACavalli AMartins EOrgun MElçi AMakarevich OHuss SPieprzyk JBabenko LChefranov AShankaran R(2011)A model-based attack injection approach for security validationProceedings of the 4th international conference on Security of information and networks10.1145/2070425.2070443(103-110)Online publication date: 14-Nov-2011
https://dl.acm.org/doi/10.1145/2070425.2070443
Dai HMurphy CKaiser G(2010)CONFUInternational Journal of Secure Software Engineering10.4018/jsse.20100701031:3(41-55)Online publication date: 1-Jul-2010
https://dl.acm.org/doi/10.4018/jsse.2010070103
Dai HMurphy CKaiser G(2010)Configuration Fuzzing for Software Vulnerability Detection2010 International Conference on Availability, Reliability and Security10.1109/ARES.2010.22(525-530)Online publication date: Feb-2010
https://doi.org/10.1109/ARES.2010.22
Zeng FLi JLi LWang X(2009)Fault Injection Technology for Software Vulnerability Testing Based on XenProceedings of the 2009 WRI World Congress on Software Engineering - Volume 0410.1109/WCSE.2009.172(206-210)Online publication date: 19-May-2009
https://dl.acm.org/doi/10.1109/WCSE.2009.172
Morais AMartins ECavalli AJimenez W(2009)Security Protocol Testing Using Attack TreesProceedings of the 2009 International Conference on Computational Science and Engineering - Volume 0210.1109/CSE.2009.206(690-697)Online publication date: 29-Aug-2009
https://dl.acm.org/doi/10.1109/CSE.2009.206
Chen JLu YZhang WXie X(2009)A fault injection model-oriented testing strategy for component securityJournal of Central South University of Technology10.1007/s11771-009-0044-016:2(258-264)Online publication date: 14-Apr-2009
https://doi.org/10.1007/s11771-009-0044-0
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Software security vulnerabilities: baselining and benchmarking

Security Engineering Approach to Support Software Security

Testing for Software Vulnerability Using Environment Perturbation