Abstract

The crisis of insecure software has resulted in a drastic increase in the frequency and impact of cyber attacks on businesses and individual users alike. The discipline of secure software engineering has evolved as a response to this trend, with the aim of producing software with fewer coding bugs or design flaws that result in exploitable vulnerabilities. However, secure software engineering is a young discipline, and many software artifacts in current use were created before, or in ignorance of, its development. Software practitioners would benefit greatly from a rigorous methodology for analyzing and validating software that has already entered its maintenance lifecycle. In this paper, we present a combined penetrating testing methodology that incorporates strengths of several existing approaches, with the goal to understand their utility and benefit for analyzing security of existing software programs. We exercise this methodology through a case study applied to a popular tool used by many network security practitioners: Wireshark. As a contribution, our study illustrates the benefits of a combined approach and outlines recommendations for a holistic method that will improve security-based risk assessment. Specifically, we show how application of rigorous test-driven threat modeling can produce better abuse cases, which can in turn be used to inform and more precisely define penetration testing activities.