Adapting Penetration Testing for Software Development Purposes

Abstract

This article provides background information on penetration testing processes and practices. It then discusses the issues involved in integrating penetration testing into a software development life cycle, describing the pitfalls of traditional penetration testing practices and making recommendations for improving them. A related article describes types and examples of penetration testing tools.

Today's software penetration testing tools, practices, and (to some degree) staff have been developed and refined primarily for an IT security user base. Making effective use of them in a software development environment, however, takes careful thought and clear goals. For example, most existing penetration testing tools and services present their findings from a fairly rigid, technology-centric perspective. This is in stark contrast with the software security touchpoints recommended here on the BSI portal, which stress a business-risk approach. The business and architectural risk analysis process should serve as a prioritization input to penetration (and other security) testing processes; in today's environment, however, that is generally not what happens [Arkin 2005, Janardhanudu 2005, Michael 2005]. To address this gap, and to move closer to the practices discussed here on BSI, this document describes and recommends a penetration testing process and methodology better suited to the needs of software developers than what is typically found today. Additionally, the document provides both a conceptual and a more specific survey of the tools currently available for conducting penetration testing. This tool survey is then balanced against the need for trained, skilled, and highly motivated testing staff. Staff training is addressed and compared with mentoring or apprenticeship styles of on-the-job training.

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2007
Accession Number
AD1180049

Entities

People

  • Kevin Van Wyk

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Application Software
  • Commerce
  • Computer Network Security
  • Computer Program Documentation
  • Computer Programming
  • Computer Programs
  • Computers
  • Debugging
  • Engineering
  • Engineers
  • Information Security
  • Life Cycles
  • Operating Systems
  • Risk
  • Software Development
  • Software Testing
  • Test Methods
  • User Interface
  • Vulnerability
  • Web Applications

Fields of Study

  • Computer science
  • Engineering

Readers

  • Instructional Design and Training Evaluation.
  • Organizational Process Management (OPM).
  • Software Engineering.