Project Software Security Evaluation System (SSES)
Motivated by the daily work in the test lab, a software system has been developed to support black-box testing of evaluation targets.
Various tools already exist for this purpose; most of them fall into one of the following categories:
- Automated or semi-automated testing tools for a very specific field of application, such as fuzzers for a particular protocol or, more generally, fuzzing frameworks
- Tools which promise fully automated testing of complex applications ("security out of the box"), such as web application scanners
- Other software which assists testers, for example by monitoring the interfaces and operations of the test object
The SSES tries to bring together the advantages of these approaches. It is explicitly not another attempt to produce a piece of software that promises a fully automated, complete security evaluation of every kind of IT system. Rather, it should provide a tester with the tools needed in common testing situations, i.e. involve the tester's expertise where necessary and execute testing algorithms automatically where possible.
The software is developed as a centralized distributed system which consists of the following parts:
- A central unit which is used by the human tester to perform and control the tests
- Sensors which capture data in the environment of the test object or on its interfaces
- Actuators which interact with the test object in a wide variety of ways
The SSES – a centralized distributed testing system
Only the sensors and actuators are implemented specifically for the interfaces between the test object and its environment. The central control unit is designed to apply the same testing algorithms to any interface abstracted by such specific sensors and actuators. In other words, the connection between the central control unit (with its running test processes) and the test object is established via these sensors.
The following figure gives an overview of this concept:
The project is currently at an early stage of development. The central control unit exists as a Java application with a graphical user interface for defining test data injections and failure detection algorithms. The following picture is a screenshot of this graphical user interface.
The available sensors and actuators can be used to perform tests on evaluation targets with network interfaces.
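To make the separation of concerns concrete, here is an added example; it is not SSES code (the SSES central unit is a Java application) but a Python sketch written for this page. It shows a generic CentralUnit that runs a test data injection algorithm and a failure detection predicate over abstract Actuator and Sensor interfaces, a TCP actuator/sensor pair that binds those interfaces to a network service, and a constructed loopback server standing in for the test object. All class and function names, the boundary-length algorithm and the server's behaviour are assumptions made for the illustration.

```python
"""Added example, not SSES code: the central-unit / sensor / actuator split in
miniature.  CentralUnit knows nothing about TCP; it only drives an Actuator and
reads a Sensor.  TcpActuator/TcpSensor bind it to a network interface; ToyServer
is a constructed stand-in for the test object.  All names here are assumptions."""
import socket
import threading
from abc import ABC, abstractmethod
from typing import Callable, Iterable

class Actuator(ABC):            # interacts with the test object on one interface
    @abstractmethod
    def inject(self, data: bytes) -> None: ...

class Sensor(ABC):              # captures state of the test object or its interface
    @abstractmethod
    def observe(self) -> dict: ...

class CentralUnit:
    """Interface-agnostic: runs an injection algorithm through any Actuator and
    applies a failure-detection predicate to every Sensor observation."""
    def __init__(self, actuator: Actuator, sensor: Sensor,
                 is_failure: Callable[[dict], bool]):
        self.actuator, self.sensor, self.is_failure = actuator, sensor, is_failure
    def run(self, test_data: Iterable[bytes]) -> list:
        """Returns (input, observation) pairs for which the detector fired."""
        findings = []
        for data in test_data:
            self.actuator.inject(data)
            obs = self.sensor.observe()
            if self.is_failure(obs):
                findings.append((data, obs))
        return findings

def boundary_lengths(fill: bytes = b"A",
                     sizes=(1, 15, 16, 17, 255, 256, 257, 1024)) -> Iterable[bytes]:
    """A generic injection algorithm: payloads around typical buffer boundaries."""
    return (fill * n for n in sizes)

class TcpActuator(Actuator):    # one request per connection, raw reply kept
    def __init__(self, host: str, port: int, timeout: float = 2.0):
        self.addr, self.timeout = (host, port), timeout
        self.last_response = None                       # None = timeout or reset
    def inject(self, data: bytes) -> None:
        try:
            with socket.create_connection(self.addr, timeout=self.timeout) as s:
                s.sendall(data)
                s.shutdown(socket.SHUT_WR)              # end of request
                # read until EOF; b"" means the peer closed without answering
                self.last_response = b"".join(iter(lambda: s.recv(4096), b""))
        except OSError:
            self.last_response = None

class TcpSensor(Sensor):        # interface outcome + liveness probe of the service
    def __init__(self, actuator: TcpActuator):
        self.actuator = actuator
    def observe(self) -> dict:
        try:
            with socket.create_connection(self.actuator.addr, timeout=1.0):
                alive = True                            # a crashed target fails this
        except OSError:
            alive = False
        return {"response": self.actuator.last_response, "alive": alive}

def silent_close_or_dead(obs: dict) -> bool:
    """Failure detector: no reply, silent close, or service no longer reachable."""
    return obs["response"] in (None, b"") or not obs["alive"]

class ToyServer:
    """Constructed test object: answers requests up to 256 bytes and silently
    drops the connection on anything larger (the defect the run should surface)."""
    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen()
        self.sock.settimeout(0.2)                       # lets _serve notice stop
        self.port = self.sock.getsockname()[1]
        self.stop = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()
    def _serve(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.settimeout(2.0)
                    buf = b"".join(iter(lambda: conn.recv(4096), b""))
                    if len(buf) <= 256:
                        conn.sendall(b"OK %d\n" % len(buf))
                except OSError:
                    pass                                # client went away
        self.sock.close()

def run_demo() -> list:
    """Runs boundary_lengths against ToyServer; returns the flagged input lengths."""
    server = ToyServer()
    act = TcpActuator("127.0.0.1", server.port)
    unit = CentralUnit(act, TcpSensor(act), silent_close_or_dead)
    flagged = [len(data) for data, _ in unit.run(boundary_lengths())]
    server.stop.set()
    return flagged
```

Calling run_demo() reports the two payloads longer than 256 bytes, since those are the only inputs the toy server drops without a reply. Swapping in a different Actuator/Sensor pair (serial line, file, IPC) leaves CentralUnit, boundary_lengths and the failure detector untouched, which is the point of abstracting the interface behind sensors and actuators.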
The SSES has been developed in the context of a diploma thesis. The work is intended to be continued in further diploma, master's or bachelor's theses.
The resulting software is available under the GPL:
- Contact: Andreas Poller
- Diploma Thesis: Approaches for Automated Software Security Evaluations