testingsense.com

deepshikha · Joined: 31 Aug 2007 Posts: 22

How to Design Test for white box security testing (WBST) ?

raunak · Joined: 31 Aug 2007 Posts: 7

According to Mr.Vivek Patle there are various test techniques which will help in designing the test case. Some of them are explained below

• Data Flow Analysis: In this the path is analyzed from variable definition to its use. Variable values can be used for computing values for defining other variables or as a predicate variable. When used as a predicate, it can help in traversing a specific execution path .As it is really impossible to traverse all the paths for all variables. We can run for subset of variables from definition to use. The path and use of data can help in identifying the suspicious code block.

• Code Coverage Analysis: This technique is best way to measure the test effectiveness. Test are first created and executed and then the coverage tools are run to analyze which path or statement is not covered. This helps in determining which tests are redundant. Test can be added or removed based on output of coverage tools.

• Trust Boundary Mapping: Defining zone of various trusts in a system helps in identifying the vulnerabilities because of communication between the components of a system and attack path for security violation. This can be combined with data flow to arrive at test cases which checks the chokepoints between these components.

In addition to have test according to specification, we need to have some test executed as an ad hoc / exploratory basis. The subset in which we can have these test includes the Data Mutation, Environment, Component interface, Configuration and Error handling. Also test needs to be designed based on coding standards and input validation. This will avoid various vulnerabilities like Buffer overflow, Cross Site Scripting, Format String Attack, Denial of service, Automatic user generation, SQL Injection, LDAP Injection and others which are occurred because of improper coding standards.