Page 103 - SOFTWARE TESTING & QUALITY ASSURANCE
P. 103
Software Testing and Quality Assurance
Hackers make use of weak codes in the software to carry out an attack on the software and cause
software failure. Therefore, any such vulnerability is considered as a bug. It is the responsibility of the
tester to make sure that any such bug in the software is detected and reported to the development team.
Information and services are the two important aspects of software security. Protecting both the
information and services from possible external attack is vital. Therefore, risk analysis should be carried
out at the design level so as to identify any potential security problems and resolve them at the earliest.
In 2008, hackers from Russia robbed an Automatic Teller Machine (ATM) in
New York. The hackers were able to obtain the PIN numbers of customers after
they hacked the main server of the ATM company. They managed to steal
$180,000 from ATM machine.
Software security testers perform many different tasks to manage risks related to
software security such as:
1. Creating security abuse/misuse cases.
2. Listing normative security requirements.
3. Performing architectural risk analysis.
4. Building risk-based security test plans.
5. Wielding static analysis tools.
6. Performing security tests.
7. Performing penetration testing in the final environment.
8. Cleaning up after security breaches.
Basically, security testing involves two approaches:
1. Testing software security mechanisms to check whether the functionalities of this mechanism are
properly implemented during the software product design and coding.
2. Performing the risk based security testing with the perspective of an attacker and developing test
cases to check for possible risks.
The tester should make sure that they identify all possible bugs in the software to minimize the risk of
software being prone to any external attack from hackers.
7.2.1 Threat Modeling
The process of assessing and documenting the system's vulnerability to security risks is known as
security threat modeling. It enables the organization or developers to understand the various threats
that the system can face. To achieve this, the tester will analyze the system with an attacker’s
perspective. This enables the tester to identify the possible threats and rate them based on order of
threat severity i.e., greater the risk, higher the order of severity. This enables the organization or
developers to address the risk which can pose a greater risk to the system.
Threat modeling is a highly structured and organized approach of threat identification. It is also a
highly cost effective approach, which helps to identify the possible threats efficiently and effectively.
The principle behind the model is that "one cannot make the system secure until they know the threats
the system can face".
Threat modeling helps to identify and tackle the risk during software evolution. It should be carried out
at every level of software development life cycle, as identifying and resolving threats of a fully
developed product require both time and cost.
96 LOVELY PROFESSIONAL UNIVERSITY
