2007-Aug-5 - Top 10 tips for securely testing
Matt Clapham outlines the top 10 tips testers should know to securely test applications.
1. Don't test as admin.
2. Test on a secure file system, and also try the other file systems the application may meet, such as NTFS, FAT32 and FAT16.
3. Don't write to HKEY_LOCAL_MACHINE in the registry or to Program Files. The best place to store user data is under HKEY_CURRENT_USER, somewhere under the user's profile, or in the Application Data folder.
4. Don't store secrets as clear text. Store a secret only if it's absolutely necessary, and then store a hash of it rather than the secret itself.
5. Get adequate feature documentation. You need to know which registry keys the feature or application uses, which DLLs are involved, where the support and temporary files are stored, and what permissions they carry. If it's an XML data transaction, you need to know the XML schema, the data types and the sizes. Similarly, if it's binary data, see if you can get some debug hooks that let you look inside the data structures, understand them, and pull back out those same details. Also find out whether the feature is on by default.
6. Press the limits of bad data.
7. Test on a dual-processor system.
8. Know the 20 laws of security.
9. Use the various tools at your disposal.
10. Analyze the source code.
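Tips 5 and 6 taken together: once the schema tells you each field's type and size bound, you can generate values at the limits, just past them, and well beyond, and watch how the feature fails. The following is an added example, not code from Matt's talk or from MSDN; the `<order>` schema, the field bounds and the `sample_handler` under test are all constructed for illustration, and the harness treats anything other than a clean `ValueError` rejection as a robustness bug to file.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape

@dataclass
class Field:
    name: str
    kind: str         # "int" or "str", as the schema states it
    max_len: int = 0  # size bound for "str" fields
    lo: int = 0       # permitted range for "int" fields
    hi: int = 0

def boundary_values(f):
    """Values at the limits, just past them, and outright junk."""
    if f.kind == "int":
        ints = (f.lo, f.hi, f.lo - 1, f.hi + 1, 2**31, -2**63, 2**64)
        return [str(v) for v in ints] + ["", "1e3", "0x10", "12abc", "\x00"]
    return ["", "a" * f.max_len, "a" * (f.max_len + 1), "a" * (64 * f.max_len),
            "<b>&amp;", "\u202e" + "evil", "\x00"]

def build_doc(values):
    # escape() keeps markup inside values literal; NUL is passed through on purpose
    body = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in values.items())
    return f"<order>{body}</order>".encode("utf-8")

def sample_handler(doc):
    """Constructed code under test. Contract: raise ValueError on bad input."""
    root = ET.fromstring(doc)
    qty = int(root.findtext("qty"))
    if not 1 <= qty <= 1000:
        raise ValueError("qty out of range")
    name = root.findtext("name") or ""
    if len(name) > 64:
        raise ValueError("name too long")
    return qty, name

def probe(handler, fields, baseline):
    """Vary one field at a time; report inputs that break the ValueError contract."""
    findings = []
    for f in fields:
        for bad in boundary_values(f):
            try:
                handler(build_doc(dict(baseline, **{f.name: bad})))
            except ValueError:
                continue  # rejected as designed
            except Exception as exc:  # anything else is a robustness bug to file
                findings.append((f.name, bad, type(exc).__name__))
    return findings
ORDER_FIELDS = [Field("qty", "int", lo=1, hi=1000), Field("name", "str", max_len=64)]
BASELINE = {"qty": "5", "name": "widget"}  # a known-good document
```

Running `probe(sample_handler, ORDER_FIELDS, BASELINE)` shows that the handler validates ranges and lengths cleanly but lets the XML parser's own error escape on a NUL byte, which is exactly the kind of unhandled path a tester files as a bug.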
Matt's presentation on MSDN TV: http://msdn.microsoft.com/seminar/shared/asp/view.asp?url=/msdntv/episodes/en/20030429securitymc/manifest.xml&rate=1&WMPVer=10.0.0.4036
The transcripts: http://msdn.microsoft.com/seminar/shared/asp/transcript.asp?url=/msdntv/episodes/en/20030429securitymc/manifest.xml