Testing for security during development: Why we should scrap penetrate-and-patch

被引:10
作者
McGraw, G [1 ]
机构
[1] Reliable Software Technol, Sterling, VA 20166 USA
来源
IEEE AEROSPACE AND ELECTRONIC SYSTEMS MAGAZINE | 1998年 / 13卷 / 04期
关键词
D O I
10.1109/62.666831
中图分类号
V [航空、航天];
学科分类号
08 ; 0825 ;
摘要
In the commercial sector, security analysis has traditionally been applied at the network system level, after release, using tiger team approaches. After a successful tiger team penetration, specific system vulnerabilities are patched. I make a case for applying software engineering analysis techniques that have proven successful in the software safety arena to security-critical software code. This work is based on the generally held belief that a large proportion of security violations result from errors introduced during software development.
引用
收藏
页码:13 / 15
页数:3
相关论文
共 7 条
[1]  
[Anonymous], 1995, 1268 U WISC MAD
[2]  
BISHOP M, 1996, USENIX ASS COMPUTING, P131
[3]  
Cheswick WilliamR., 1994, FIREWALLS INTERNET S
[4]  
Friedman MA, 1995, SOFTWARE ASSESSMENT
[5]  
Garfinkel Simson., 1996, PRACTICAL UNIX INTER
[6]  
GHOSH A, 1996, RSTR9602301 RST CORP
[7]  
VOAS J, 1997, IN PRESS IEEE SOFTWA
1