December 09, 2004

Building Security In - Penetration Testing

The latest article in Gary McGraw's column in IEEE Security & Privacy magazine is on "Software Penetration Testing". It was co-authored by Brad Arkin and Scott Stender and goes into good detail on the benefits and drawbacks of using pentests as part of the quality assurance testing in secure software engineering.

There was one part that really sums up the article.

However, it's unreasonable to verify that a negative doesn't exist by merely enumerating actions with the intention to produce a fault, reporting if and under which circumstances the fault occurs. If "negative" tests don't uncover any faults, we've only proven that no faults occur under particular test conditions; by no means have we proven that no faults exist. When applied to security testing, where the lack of a security vulnerability is the negative we're interested in, this means that passing a software penetration test provides very little assurance that an application is immune to attack. One of the main problems with today's most common approaches to penetration testing is misunderstanding this subtle point.

Amen. Well said.
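To make that point concrete, here is an added example (mine, not code from the article or its authors): a constructed, deliberately weak path validator, a constructed list of traversal "probes" standing in for a pentester's negative tests, and a hardened validator beside it. Every probe is rejected, so the negative tests report no fault, yet two inputs the probe list never exercised (an absolute path, which posixpath.join silently lets replace the base directory, and a bare "..") walk straight out of the served directory. The base directory, the probe strings and the function names are all assumptions of the example.

```python
import posixpath

# Constructed example: the directory the application is meant to serve files from.
BASE_DIR = "/srv/app/files"


def weak_check(user_path):
    """Constructed, deliberately weak validator.

    It rejects the one pattern its author thought of ("../") and otherwise
    trusts the input. This is the 'enumerate the bad cases' mindset the
    article criticises, applied on the defensive side.
    """
    if "../" in user_path:
        raise ValueError("traversal rejected")
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def strict_check(user_path):
    """Hardened validator (still part of the constructed example).

    Instead of enumerating bad patterns it enforces the property we actually
    care about: the resolved path must stay under BASE_DIR. Symbolic links are
    out of scope here; a real implementation would canonicalise with
    os.path.realpath against the live filesystem before the containment check.
    """
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    if posixpath.commonpath([BASE_DIR, resolved]) != BASE_DIR:
        raise ValueError("resolved path escapes base directory")
    return resolved


def escapes_base(resolved):
    """True if a resolved absolute path lies outside BASE_DIR."""
    return posixpath.commonpath([BASE_DIR, resolved]) != BASE_DIR


# Constructed "pentest" probe list: every traversal string the tester happened
# to think of. All of them are relative and all contain "../".
PROBES = [
    "../etc/passwd",
    "../../etc/shadow",
    "docs/../../etc/passwd",
    "....//....//etc/passwd",
]

# Constructed inputs the probe list never exercised.
UNTESTED = [
    "/etc/passwd",  # absolute path: posixpath.join discards BASE_DIR entirely
    "..",           # bare parent reference, no trailing slash, so "../" never matches
]


def run_probes(check, inputs):
    """Run negative tests against a validator.

    Returns the inputs that the validator accepted AND that resolve outside
    BASE_DIR. An empty list means only 'no fault found under these test
    conditions', which is exactly the assurance gap the quoted passage describes.
    """
    findings = []
    for candidate in inputs:
        try:
            resolved = check(candidate)
        except ValueError:
            continue  # rejected: the negative test "passed"
        if escapes_base(resolved):
            findings.append(candidate)
    return findings


if __name__ == "__main__":
    print("weak check, tester's probes  :", run_probes(weak_check, PROBES))
    print("weak check, untested inputs  :", run_probes(weak_check, UNTESTED))
    print("strict check, everything     :", run_probes(strict_check, PROBES + UNTESTED))
```

Run it and the first line is an empty list: the weak validator passes its pentest. The second line lists both untested inputs, because the fault was always there, just outside the conditions the probes covered. The strict validator rejects all six because it checks the property (containment) rather than a pattern, which is the kind of assurance that enumeration alone cannot give.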

Happy reading!

Posted by SilverStr at December 9, 2004 11:30 PM