The Software Trustworthiness Framework (STF©)

[Today we have our first guest blog entry from Elfriede Dustin. Elfriede is a co-author of "The Art of Software Security Testing" and has written a few books on software testing, most notably "Automated Software Testing", published by Addison-Wesley in 1999. We have heard plenty from security experts on how to fix the software development process to produce more secure software. Elfriede brings a QA practitioner's viewpoint. I'd like to hear more from the testing community on this topic. - Chris Wysopal]

by Elfriede Dustin

Recently I presented the topic “Automated Software Testing” at …

Guerrilla Guide to Interviewing: Application Security Edition

I’ve always been a fan of Joel Spolsky’s Guerrilla Guide to Interviewing. Unfortunately, I’ve never been able to apply it in its purest form because in recent years, I’ve been hiring mostly application security consultants, not software engineers. However, the structure is still remarkably useful, with some modifications. So, without further ado, here’s an example of how one might apply Guerrilla Guide techniques when interviewing a candidate for an application penetration testing position.

Sample Question #1: What is the difference between a GET and a POST?

Note that I’m not violating the Guerrilla Guide’s “no trivia questions” rule …

Security as a Function of Agility and Complexity

It occurs to me that security, in general, has historically been measured as a function of a few inputs: proactivity (locking up early), accuracy (locking things correctly), and completeness (locking all the doors). What’s missing from this equation is the fact that people often lock their valuables away and assume that they’re safe indefinitely that way. All codes, passwords, and locks degrade in value over time and need to be replaced with better models. In any inherently insecure medium, such as the moving parts of software, security naturally erodes as requirements shift.

There’s a common misconception that security …

Vulnerability Disclosure in the new “Software in the Cloud” World – Part II

In part I of this article I wrote about the history of vulnerability research and how researchers’ having legal access to the software and hardware they need to conduct their research is a prerequisite. This is why there was so little research on software before 1996.

Not only is legal access important, but so is being able to run the software in a lab environment. Pure black box testing is very inefficient for finding security bugs. You need to instrument the running program and be able to perform static analysis. This usually takes the form of using debuggers and shims …

Vulnerability Disclosure in the new “Software in the Cloud” World – Part I

There is no doubt that Web 2.0 is upon us. The software we use every day is migrating from our desktops, laptops and company servers to the great data centers in the sky. The first application to move to the cloud was e-mail, then picture and file sharing services, and now traditional desktop applications such as calendaring, task lists, spreadsheets and word processing are all available via the web. Soon there will be little need for the average computer user to have any applications running on their desktop at all, except for a web browser with media player plug-ins.

The Dangers of Hosting PDFs

[Update, 1/6/07: Google has implemented a workaround for this vulnerability on their servers, so the proof-of-concept links in this posting will no longer demonstrate the exploit]

Cross-site scripting (XSS) just got a lot scarier. At the 23rd CCC, Stefano Di Paola and Giorgio Fedon announced a new attack vector which basically puts any site hosting a PDF file at risk for XSS. The attacker doesn’t need to control the PDF; the mere existence of the PDF file on the server is enough. Here’s a basic example (if an alert box pops up, you’re vulnerable):

http://www.google.com/ads/techb2b_news.pdf#foo=javascript:alert(‘XSS’)

And of course …

Welcome to “Zero in a Bit”

Zero in a Bit is a blog about software security. We believe the root cause of most of the security problems today is insecure software. The internet is a global neighborhood where every digital miscreant is your next door neighbor. Far too often, software is the broken window allowing criminals access to the data and transactions organizations need to protect.

Zero in a Bit is laser focused on software security. If we talk about vulnerabilities in the internet infrastructure we won’t be dissecting routing protocols, we will be analyzing integer overflows in routing software. When …
