Software testing is the process used to help identify the correctness, completeness, security, and/or quality of developed computer software and computer systems. Software testing is typically used in association with verification and validation. Verification is the checking or testing of items, including software, for conformance and consistency with an associated specification; validation is the process of checking that what has been specified is what the user actually wanted.
Black box testing is a method of software testing used when the tester has substantially no knowledge of the internal structure of the software application. The tester can select certain valid and invalid inputs to enter into the application and subsequently determine whether the output is the correct result. The tester will typically not know why the output is or is not the correct result, but will know whether the application functions as it was intended.
Another testing method is white box testing, wherein a tester uses an internal perspective of the system to design test cases based on internal structure. This testing method can require programming skills to identify substantially all paths through the software. The tester can choose test case inputs to exercise different paths through the code and determine the appropriate outputs. The following are examples of different types of software testing applications.
Canadian Patent Application No. 2,297,994 allows a tester to enter a “test request” through a graphical user interface (GUI). By entering a specific test request the user is selecting what test data is to be used from a collection of test data in that specific testing scenario.
U.S. patent application Ser. No. 11/438,961 provides an approach to testing applications for vulnerabilities at the networking level that may result from loosely defined criteria and restrictions associated with the interfacing between applications, for example, the Hypertext Transfer Protocol (HTTP) interface.
U.S. patent application Ser. No. 11/226,959 provides a system for automated testing of application programs using a GUI. A user can automatically create test cases in comma-separated values (CSV) format, and execute the test data using a suitable GUI, such as Rational Functional Tester (RFT) or IBM/Tivoli Identity Manager (ITIM), which can perform functional, easily executable tests on the software applications.
U.S. patent application Ser. No. 10/050,675 describes a system and method for testing the vulnerabilities of a target computer network through a target computer by sending intrusive commands through specified ports using Transmission Control Protocol/Internet Protocol (TCP/IP) packets. The system can identify open ports that are left vulnerable to attack by routers, switches, firewalls, and other network devices or applications.
Automated web application security scanning is currently provided through the HTTP interface between the web server and the web application. The testing accomplished through this method is considered to be black box testing. Black box testing is generally limited to defined interfaces, such as HTTP interfaces, so the testing results provided by this method are generally limited to information accessible through such interfaces in combination with previously known information about the tested application. This testing format can therefore limit a security assessment of the application by restricting the amount and type of vulnerability information that is exposed through the HTTP interface. Under certain circumstances, some security vulnerabilities may exist which are not realized or identifiable through the HTTP interface. Scanners available on the market today have limited understanding of the architecture of a software application and its back end components. An understanding of the process flow and of the activities that occur during an HTTP interface based interaction, across all of the applications involved, would provide the tester with more information that can be used when selecting which tests to send to which parts of the application, instead of merely trying all options on all parts of the application.
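The contrast between the black box view described above and a view informed by the application's internal process flow (and, earlier, the black box versus white box distinction) can be made concrete with a toy application. The following is an added illustration written for this page; it is not code from the patent application or from any of the cited prior art. The handler, its two back-end components (`db_lookup` and `file_store_read`), the `trace` hook, the endpoint table and the test suites are all constructed assumptions for the example. A black box tester sees only the status and body, and two inputs that reach entirely different back-end components can produce identical responses; the trace hook records which component each request actually touched, which lets a test plan send each suite only to the endpoints that reach the matching component instead of every suite to every endpoint.

```python
"""Black box versus internally informed test planning for a toy web app.

Added example, not code from the patent application. Everything here
(the application, its back ends, the test suites) is constructed.
"""
from typing import Dict, List, Optional, Tuple

# --- toy application under test (constructed) -----------------------------
USERS = {"1": "alice", "2": "bob"}           # the "database" component
FILES = {"readme.txt": "hello"}              # the "file store" component


def db_lookup(user_id: str) -> Optional[str]:
    return USERS.get(user_id)


def file_store_read(name: str) -> str:
    if name not in FILES:
        raise FileNotFoundError(name)
    return FILES[name]


def handle_request(path: str, params: Dict[str, str],
                   trace: Optional[List[str]] = None) -> Tuple[int, str]:
    """Dispatch one request and return (status, body).

    `trace` is the white-box hook: when a list is supplied, the handler
    appends the name of each back-end component the request reaches.
    A black box caller passes nothing and sees only the return value.
    """
    def note(component: str) -> None:
        if trace is not None:
            trace.append(component)

    if path == "/user":
        note("db")
        name = db_lookup(params.get("id", ""))
        return (200, name) if name else (404, "not found")
    if path == "/file":
        note("filestore")
        try:
            return 200, file_store_read(params.get("name", ""))
        except FileNotFoundError:
            return 404, "not found"
    return 404, "not found"


# --- tester's side ---------------------------------------------------------
# Endpoint -> the query parameter it reads (what a black box scanner knows).
ENDPOINTS = {"/user": "id", "/file": "name"}

# Benign boundary inputs grouped by the back-end component they exercise.
TEST_SUITES = {
    "db": ["", "9" * 64, "\uff11"],               # empty, long, full-width digit
    "filestore": ["", "a" * 64, "readme.txt"],    # empty, long, known name
}


def trace_of(path: str, params: Dict[str, str]) -> List[str]:
    """White box probe: which components does this request reach?"""
    trace: List[str] = []
    handle_request(path, params, trace)
    return trace


def black_box_plan() -> List[Tuple[str, str, str]]:
    """No internal knowledge: send every suite to every endpoint."""
    return [(path, param, value)
            for path, param in ENDPOINTS.items()
            for suite in TEST_SUITES.values()
            for value in suite]


def white_box_plan() -> List[Tuple[str, str, str]]:
    """Probe each endpoint once to learn which component it reaches, then
    send only the suite that targets that component."""
    plan = []
    for path, param in ENDPOINTS.items():
        reached = set(trace_of(path, {param: "probe"}))
        for component in sorted(reached):
            for value in TEST_SUITES.get(component, []):
                plan.append((path, param, value))
    return plan


def run_plan(plan: List[Tuple[str, str, str]]) -> List[Tuple[str, str, int]]:
    """Execute a plan as a black box caller would and record only statuses."""
    return [(path, value, handle_request(path, {param: value})[0])
            for path, param, value in plan]


if __name__ == "__main__":
    # Identical responses, different components: invisible from outside.
    print(handle_request("/user", {"id": "x"}), trace_of("/user", {"id": "x"}))
    print(handle_request("/file", {"name": "x"}), trace_of("/file", {"name": "x"}))
    print("black box requests:", len(black_box_plan()))
    print("flow-informed requests:", len(white_box_plan()))
    print(run_plan(white_box_plan()))
```

The two `404 not found` responses are indistinguishable to the black box caller, while `trace_of` shows one request reaching the database component and the other the file store; the flow-informed plan consequently sends half as many requests as the exhaustive one without dropping any test that is relevant to the component behind each endpoint.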
There is therefore a need for a new system and method for the security assessment of a computing platform which can provide a desired level of assessment thereof.
This background information is provided to reveal information believed by the applicant to be of possible relevance to the present invention. No admission is necessarily intended, nor should be construed, that any of the preceding information constitutes prior art against the present invention.