Page 1419 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 1419

In addition to assessing the quality of software, programmers and
               security professionals should carefully assess the security of their

               software to ensure that it meets the organization’s security
               requirements. This is especially critical for web applications that are
               exposed to the public. There are two categories of testing used
               specifically to evaluate application security:

               Static Testing Static testing evaluates the security of software
               without running it by analyzing either the source code or the compiled

               application. Static analysis usually involves the use of automated tools
               designed to detect common software flaws, such as buffer overflows.
               (For more on buffer overflows, see Chapter 21, “Malicious Code and
               Application Attacks.”) In mature development environments,
               application developers are given access to static analysis tools and use
               them throughout the design/build/test process.

               Dynamic Testing Dynamic testing evaluates the security of software

               in a runtime environment and is often the only option for
               organizations deploying applications written by someone else. In those
               cases, testers often do not have access to the underlying source code.
               One common example of dynamic software testing is the use of web
               application scanning tools to detect the presence of cross-site
               scripting, Structured Query Language (SQL) injection, or other flaws
               in web applications. Dynamic tests on a production environment

               should always be carefully coordinated to avoid an unintended
               interruption of service.

               Proper software test implementation is a key element in the project
               development process. Many of the common mistakes and oversights
               often found in commercial and in-house software can be eliminated.
               Keep the test plan and results as part of the system’s permanent
               documentation.



               Code Repositories

               Software development is a collaborative effort, and large software
               projects require teams of developers who may simultaneously work on
               different parts of the code. Further complicating the situation is the
               fact that these developers may be geographically dispersed around the
   1414   1415   1416   1417   1418   1419   1420   1421   1422   1423   1424