Security Testing
Kurniawan Kurniawan
Contents

Abstract ..... 3
Introduction ..... 4
Major Trends ..... 9
Who are Contributors? ..... 20
Tools ..... 21
Tools Evaluation ..... 23
Conclusions ..... 24
Further Work ..... 25
Appendix 1 SQL Injection ..... 26
Appendix 2 .NET Application ..... 37
Appendix 3 Testing Internet Connected Systems ..... 40
References ..... 51

Abstract

Software application security is more than configuring a firewall or using long passwords with numbers in them. Software applications are made up of software modules or components, and in the context of the Internet these modules are highly visible. There are many opportunities for the hacker.

All students of Information Technology (IT) who write programs have it drummed into them to compartmentalise code into modules. Compartmentalisation is a core foundation of Object Oriented philosophy and arguably good programming practice for any software design paradigm. In mid-size to large projects, software developers rely on code re-use and off-the-shelf components, so software modules may not have been written by the developers of the whole application. "Building secure software is very different from learning how to securely configure a firewall. It must be baked into the software, and not painted on afterwards" [Curphey 04]. Module level security is at the heart of application security. What security risks lie in wait within these modules, and how do we test for them? This document discusses the role of software testing in a security oriented software development process.

Software security is not a black and white field. Business Owners want to pay for a simple silver security bullet by following a set of security guidelines or a framework: "do it this way, or follow this checklist, and you'll be safe." The black and white mindset is invariably wrong. Penetration Testing and Black Box Testing only reveal the security issues that were actually tested for. Other techniques, Code Inspection and White Box Testing, take time and money. At a technical level, security test activities are carried out to validate that the system conforms to its security requirements, thereby identifying potential security vulnerabilities. At a business level, these tests are conducted to protect reputation and brand, reduce litigation expenses, or conform to regulatory requirements.

Absolute security is a myth. How closely an application can approach it is bounded by the Business Owner's requirements. The Business Owner ultimately defines security by weighing cost and time against risk. A very secure and safe, billion dollar application delivered five years too late is worthless.

The solution is multifaceted and wide: from a top level review of the Software Development Life Cycle (SDLC) process itself; to a low level re-examination of coding philosophies and algorithms.
