Software Security Assessment Tools Review

Software Security Assessment Tools Review

Software Security Assessment Tools Review Software Security Assessment Tools Review 2 March 2009 Jointly funded by: Assistant Secretary of the Navy Chief System Engineer 197 Isaac Hull Washington Navy Yard, DC and Naval Ordnance Safety & Security Activity Box 47, Bldg D-323 3817 Strauss Avenue Indian Head, MD 20640 Prepared by: Booz Allen Hamilton McLean, VA Software Security Assessment Tools Review Table of Contents 1. Executive Summary .................................................................................................... 1-1 2. Purpose, Scope, and Background ................................................................................ 2-1 3. Problem Space ............................................................................................................. 3-1 3.1 Threat Environment ..................................................................................................... 3-1 3.2 Properties of Interest in the Software to be Analyzed ................................................. 3-1 3.3 Nature of Software to be Analyzed ............................................................................. 3-1 3.4 Techniques for Testing ................................................................................................ 3-1 3.5 Business Case for Security Testing ............................................................................. 3-2 4. Tool Technologies ....................................................................................................... 4-1 4.1 Analysis of Source Code ............................................................................................. 4-3 4.1.1 Static Analysis Code Scanning .................................................................................... 4-3 4.1.1.1 When to Use Static Analysis Tools ............................................................................. 4-3 4.1.1.2 Required Skills ............................................................................................................ 4-4 4.1.1.3 Potential Benefits ........................................................................................................ 4-4 4.1.1.4 Drawbacks ................................................................................................................... 4-5 4.1.1.5 Static Analysis Tools ................................................................................................... 4-5 4.1.2 Source Code Fault Injection ........................................................................................ 4-9 4.1.2.1 When to Use Source Code Fault Injection .................................................................. 4-9 4.1.2.2 Required Skills .......................................................................................................... 4-10 4.1.2.3 Benefits ...................................................................................................................... 4-10 4.1.2.4 Drawbacks ................................................................................................................. 4-10 4.1.2.5 Specific Tools ............................................................................................................ 4-10 4.1.3 Dynamic Analysis ..................................................................................................... 4-11 4.1.3.1 When to Use Dynamic Analysis ............................................................................... 4-12 4.1.3.2 Required Skills .......................................................................................................... 4-12 4.1.3.3 Benefits ...................................................................................................................... 4-12 4.1.3.4 Drawbacks ................................................................................................................. 4-12 4.1.3.5 Tools .......................................................................................................................... 4-12 4.1.4 Architectural Analysis ............................................................................................... 4-13 4.1.4.1 Asset Identification .................................................................................................... 4-14 4.1.4.2 Risk Analysis ............................................................................................................. 4-14 4.1.4.3 Threat Analysis .......................................................................................................... 4-16 4.1.4.4 Architectural Risk Analysis ....................................................................................... 4-18 4.1.4.5 Organizing Risk Information ..................................................................................... 4-19 4.1.4.6 Risk Likelihood Determination ................................................................................. 4-20 4.1.4.7 Risk Impact Determination ....................................................................................... 4-21 4.1.4.8 Risk Exposure Statement ........................................................................................... 4-22 4.1.4.9 Risk Mitigation .......................................................................................................... 4-22 4.1.4.10 When to Apply Risk Analysis ................................................................................... 4-23 4.1.4.11 Tools .......................................................................................................................... 4-25 4.1.5 Pedigree Analysis ...................................................................................................... 4-27 4.1.5.1 When to Use Pedigree Analysis ................................................................................ 4-27 4.1.5.2 Benefits of Pedigree Analysis ................................................................................... 4-28 4.1.5.3 Drawbacks of Pedigree Analysis ............................................................................... 4-28 i Software Security Assessment Tools Review Table of Contents (cont'd) 4.1.5.4 Pedigree Analysis Tools ............................................................................................ 4-28 4.2 Analysis of Executables ............................................................................................ 4-29 4.2.1 Binary Code Analysis ................................................................................................ 4-29 4.2.1.1 When to Use Binary Analysis ................................................................................... 4-29 4.2.1.2 Required Skills .......................................................................................................... 4-29 4.2.1.3 Benefits ...................................................................................................................... 4-30 4.2.1.4 Drawbacks ................................................................................................................. 4-30 4.2.1.5 Specific Tools and Services ...................................................................................... 4-30 4.2.2 Disassembler Analysis Tools .................................................................................... 4-31 4.2.2.1 When to Use Disassembler Analysis ......................................................................... 4-31 4.2.2.2 Benefits ...................................................................................................................... 4-31 4.2.2.3 Drawbacks ................................................................................................................. 4-31 4.2.2.4 Specific Tools and Services for Hire ......................................................................... 4-32 4.2.3 Binary Fault Injection ................................................................................................ 4-32 4.2.3.1 When to Use Binary Fault Injection .......................................................................... 4-33 4.2.3.2 Required Skills .......................................................................................................... 4-33 4.2.3.3 Benefits ...................................................................................................................... 4-33 4.2.3.4 Drawbacks ................................................................................................................. 4-34 4.2.3.5 Tools .......................................................................................................................... 4-34 4.2.4 Fuzzing ...................................................................................................................... 4-34 4.2.4.1 When to Use Fuzzing ................................................................................................ 4-34 4.2.4.2 Required Skills .......................................................................................................... 4-35 4.2.4.3 Benefits of Fuzzing ................................................................................................... 4-35 4.2.4.4 Drawbacks ................................................................................................................. 4-36 4.2.4.5 Tools: ......................................................................................................................... 4-36 4.2.5 Malicious Code Detectors ........................................................................................

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    145 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us