| | SDL Practice #11: Perform Dynamic Analysis | SDL Practice #12: Fuzz Testing | SDL Practice #13: Attack Surface Review |
|---|---|---|---|
| | Dynamic analysis is run-time verification of your software, using tools that monitor application behavior for memory corruption, user privilege issues, and other critical security problems. | Fuzz testing is a specialized form of dynamic analysis that induces program failure by deliberately introducing malformed or random data to an application. | Attack surface review is a security practice that ensures any design or implementation changes to the system have been taken into account, and that any new attack vectors created as a result of the changes have been reviewed and mitigated, including threat models. |
| Why should I follow this practice? | Dynamic analysis ensures software functionality works as designed. | Fuzz testing is an effective way to find potential security issues prior to release while requiring modest resource investment. | Attack surface review is a security practice that ensures any design or implementation changes to the system have been taken into account, and that any new attack vectors created as a result of the changes have been reviewed and mitigated, including threat models. |
| When should I employ this practice? | Traditional software development: Verification Phase; Agile development: Bucket/Verification | Traditional software development: Verification Phase; Agile development: Bucket/Verification | Traditional software development: Requirements Phase; Agile development: Bucket/Verification |
| Resources specific to this practice | | | |
| Tools specific to this practice | | | |