Application Security Testing Tools: Worth the Money?
Written by Gary McGraw   


Application security testing tools are being sold as a solution to the problem of insecure software. However, these solutions aren't all they're cracked up to be. They may help us diagnose, describe, and demonstrate security problems, but they do little to help us fix them. Today's application security testing tools treat software applications as "black boxes," prone to misbehavior and in need of probing and prodding to prevent security disaster. Unfortunately, this approach is too simple.

Software testing requires planning. It should be based on software requirements and the architecture of the code under test. You can't "test quality in" by painstakingly finding and removing bugs once the code is finished, and the same goes for security: running a handful of canned tests that simulate malicious hackers by sending malformed input streams to a program won't work. Real attackers don't simply "fuzz" a program with input to find problems. They take the software apart, determine how it works, and then make it misbehave by doing what users aren't supposed to do. Black box tests only scratch the surface of software instead of digging into its guts to secure things from the inside.
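The point about canned malformed-input tests versus requirements-driven testing can be shown concretely. The following is an added example written for this page, not code from the article or from any product it discusses. It builds a hypothetical, constructed `Bank` service whose input validation is thorough enough that a scanner-style battery of malformed probes reports nothing, while a single abuse case derived from the requirement "a user may only move money out of their own account" finds a missing authorization check that no amount of fuzzing the input format would reveal. All account names, tokens and balances are constructed sample data.

```python
"""Added example (not from the original article): a toy service that
survives canned malformed-input tests but fails an abuse case derived
from its requirements. All names, tokens and balances are constructed."""

from dataclasses import dataclass, field


class TransferError(Exception):
    """Documented, expected failure mode of transfer()."""


@dataclass
class Bank:
    # Constructed sample data: account id -> balance in cents.
    balances: dict = field(default_factory=lambda: {"alice": 10_000, "bob": 5_000})
    # Constructed sessions: bearer token -> account the caller is logged in as.
    sessions: dict = field(default_factory=lambda: {"tok-alice": "alice", "tok-bob": "bob"})

    def transfer(self, token: str, src: str, dst: str, amount) -> int:
        """Move `amount` cents from src to dst and return src's new balance.

        Input validation is thorough, so malformed-input probes are rejected
        cleanly. The defect is at the requirements level: the caller's session
        is never compared with `src`, so any logged-in user can drain any
        account. A hypothetical fix would add
        `if self.sessions[token] != src: raise TransferError("not your account")`.
        """
        if token not in self.sessions:
            raise TransferError("not logged in")
        if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
            raise TransferError("amount must be a positive integer")
        if src not in self.balances or dst not in self.balances or src == dst:
            raise TransferError("unknown or identical accounts")
        if self.balances[src] < amount:
            raise TransferError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount
        return self.balances[src]


def black_box_fuzz(bank: Bank) -> list:
    """Canned malformed-input probes of the kind a black-box scanner sends.

    A finding is recorded only if the service misbehaves: it accepts bad
    input, raises something other than the documented TransferError, or
    changes state while reporting an error. For this service the list of
    findings comes back empty, which is exactly the false sense of security
    the article warns about.
    """
    probes = [
        ("tok-alice", "alice", "bob", -1),          # negative amount
        ("tok-alice", "alice", "bob", 0),           # zero amount
        ("tok-alice", "alice", "bob", "100"),       # wrong type
        ("tok-alice", "alice", "bob", 10**12),      # absurdly large amount
        ("tok-alice", "alice", "alice", 1),         # src == dst
        ("tok-alice", "A" * 4096, "bob", 1),        # oversized identifier
        ("", "alice", "bob", 1),                    # missing token
        ("tok-alice", "alice", "bob", None),        # null amount
        ("tok-alice", "alice", "bob", True),        # bool masquerading as int
    ]
    findings = []
    for probe in probes:
        before = dict(bank.balances)
        try:
            bank.transfer(*probe)
            findings.append(("accepted_bad_input", probe))
        except TransferError:
            if bank.balances != before:
                findings.append(("state_changed_on_error", probe))
        except Exception as exc:  # any crash is a finding
            findings.append(("crash", probe, repr(exc)))
    return findings


def abuse_case_test(bank: Bank) -> list:
    """One test derived from the requirement that users may only move money
    out of their own account. The input is perfectly well formed; the
    attacker simply does what users are not supposed to do."""
    findings = []
    before = bank.balances["alice"]
    try:
        # bob, logged in as bob, moves money out of alice's account.
        bank.transfer("tok-bob", "alice", "bob", 2_500)
    except TransferError:
        return findings  # correctly refused
    findings.append((
        "horizontal_privilege_escalation",
        f"bob moved {before - bank.balances['alice']} cents out of alice's account",
    ))
    return findings


if __name__ == "__main__":
    print("black-box fuzz findings:", black_box_fuzz(Bank()))
    print("abuse-case findings:", abuse_case_test(Bank()))
```

The fuzz battery exercises the parser and the validation branches, which is all a black-box tool can see, and every probe is refused cleanly. The abuse case is only writable by someone who has read the requirements (or the code) and knows which session is supposed to own which account; that is the "taking the software apart" the article describes, and it is the test that actually fails.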