SOFTWARE TESTING WITH EMPHASIS ON FINDING SECURITY DEFECTS Celso Barros, Ferrucio Rosa and Amândio Balcão CTI Renato Archer, Brazil ABSTRACT The Software Engineering discipline "Software Testing" has not provided a resource for systematically testing a software product with focus on the various aspects related to information security. This was one of the conclusions produced by a literature review conducted in the second half of 2012; a systematic literature review is now under way aiming to provide a more solid perspective on this subject. An approach based on adequately structuring the current knowledge on information security may provide support for effective security testing. KEYWORDS Information Security, Software, Testing, Knowledge Base 1. INTRODUCTION As the utilization of software products continuously increases in the contemporary world, with software assuming important roles in most of the industries and areas of activity, aspects related to information security (e.g. confidentiality, integrity, availability, reliability, authenticity) are becoming more critical than ever in the field of software engineering. Reality however has shown that information security is often neglected during the development of the software, usually becoming the focus only after the software having already been developed, or even deployed. There is a need for concern with information security since early steps in the software development cycle. Ideally, security requirements should be adequately expressed and verified through software tests carefully designed for the context of information security in which the software must execute. New software technologies, tools and architectures have been introduced and used to improve the security but resources for thoroughly testing aspects related to information security are still needed - for instance, a test criteria or a test technique specifically defined to detect security defects in a software being tested. Already identified security flaws, with solutions already made public, continue to be introduced by developers who either were not adequately trained in information security or do not have access to the solutions. Defects like these are present in software already in operation, causing problems or waiting to be activated. Questions as the following arise: how should the security requirements be described? How to assure that they are met? How to design and execute effective security tests? How to assess their coverage? Which security resources (e.g. security ontologies) already available should I use? How can I identify security defects in software already in use? Years of experience accumulated in the fields of software testing and information security suggest that resources as testing criteria and testing techniques focusing on software security are missing, and they are needed in order to address the questions above. Information security techniques and tools such as security ontologies, penetration testing, risk analysis, static code analysis and reviews, security audits, secure development, security patterns, etc, have already been used by the software industry but they have not been enough to assure high levels of information security, neither are they typical resources derived from the discipline of software testing. ISBN: 978-989-8533-20-3 © 2013 IADIS 226