Design and Development (A3): SDL Activities and Best Practices 137
• In today’s competitive and rapidly changing environment, the design
assumptions on which the requirements were based may be obsolete
by the time the software is ready for testing.
• Other factors often change frequently and likely more rapidly than
your specification can keep up.
• If the software is going to use components acquired from a third
party, the original architecture may not account for future versions
that were not planned for in the initial implementation.
• The original design assumptions may not account for vulnerability
susceptibilities due to design changes or new external attacker capa-
bilities or exploits that may occur during the time taken to develop
later versions of the software.
This list highlights why software risk-based security testing as
described in this section should always augment traditional requirements-
based testing.
As mentioned previously and used as a continuing theme throughout
this book, problems found early in the software lifecycle by “building
security in” are significantly easier and less costly to correct than problems
discovered post-implementation or, worse, post-deployment. This is why
it is imperative that a disciplined approach to security reviews and tests
begin early in the SDL/SDLC process and continue post-release until the
software reaches end of life.
Software security testing takes the perspective that the tester is the
attacker. Test scenarios should be based on misuse and abuse possibilities
developed through the methodologies and threat modeling described in
Chapter 4, and should incorporate both known attack patterns as well as
anomalous interactions that seek to invalidate assumptions made by and
about the software and its environment. Comprehensive test scenarios,
test cases, and test oracles should be derived. Be sure that all that mis-
use cases developed in the previous stage are executed and thoroughly
tested. The testing of each development iteration, use case, and misuse
case will identify major design flaws early in the SDL and should catch
up to 95percent of defects well before the last phase.
1
The test environment should duplicate as closely as possible the antici-
pated execution environment in which the software will be deployed, and
it should be kept entirely separate from the development environment.
It should also provide for strict configuration management control to