Security Assessment Techniques for Software Assurance - a "Virtual Team" Approach

Cited by: 0
Authors
Isaacs, Derek [1]
Affiliation
[1] Boecore Inc, Colorado Springs, CO USA
Keywords
Information assurance; software assurance; software testing; virtual systems
DOI
Not available
Chinese Library Classification number
TP301 [Theory, Methods]
Discipline classification code
081202
Abstract
Software Assurance / Software "Security" often imposes a requirement that applications be tested in a "live" system, or as close to one as is practicable. This often includes the surrounding implementation environment, as greater fidelity is needed for critical application testing and implementation confidence levels. Merely installing the software and performing a "short list" verification activity is insufficient: actual "hands-on" execution of the software is needed, and when this can be done in a simulated live environment, a higher confidence level can be extended to the application target of evaluation (TOE) for implementation. This task is daunting not because of the nature of the testing but because of the need to set up and subsequently tear down systems to participate in the performance of these tests. Fortunately, there are tools and techniques for testing application security using a reduced set of hardware while maintaining operational fidelity. Virtual machines (VMs) and virtual network environments (team architectures) offer a method for providing this level of testing confidence while allowing for a greater variety of tests and test participant systems. This paper presents a series of architectures and scenarios proposed to implement such a testing environment that retains the viability (and fidelity) of a "real-world" network environment while providing an isolated and restricted test and analysis area. This is shown through a series of scenarios and VM team setups (scenario players) in a virtual machine based environment. This approach allows a number of benefits:
  • Isolation of the testing environment
  • Focus on the Target of Evaluation (TOE) for testing
  • Capture and provide metrics on tool and technique usage and impact
  • Provide limits and mitigation of risk and liability issues for the TOE
The VM environment also offers a unique opportunity to simulate interactions between various known systems under test (TOEs) in a "replicated" environment.
A set of scenarios and an environmental architecture, including toolsets and target of evaluation (TOE) systems, is proposed. The applicability of the VM "team" systems approach is discussed through a suite of scenarios designed to illustrate system evaluation, monitoring, and detection.
Pages: 500 - 506
Page count: 7