9.2.2. Misuse Case Testing and Coverage Analysis
💡 First Principle: Software purchased, licensed, or built by third parties is still your organization's responsibility once it runs in your environment. The attack surface doesn't distinguish between code written by your developers and code written by a vendor — both execute with the same permissions on your infrastructure.
Software assessment methods (SDLC-aligned):
| Method | When | Input | Finds |
|---|---|---|---|
| Threat modeling | Design | Architecture diagrams; data flows | Design-level risks before code is written |
| SAST | Implementation | Source code | Injection patterns; hardcoded secrets; insecure functions |
| Code review (manual) | Implementation | Source code | Complex logic flaws; business logic vulnerabilities; design issues |
| SCA | Implementation/Build | Dependency manifests | Known CVEs in third-party libraries |
| DAST | Testing/Staging | Running application | Input validation failures; auth issues; runtime configuration errors |
| IAST | Testing | Running app with agent | Combined SAST+DAST coverage; runtime-specific findings |
| Fuzzing | Testing | Running application inputs | Memory corruption; crash-inducing inputs |
| Penetration testing | Pre-production | Running application + environment | Exploitable chains; real-world attack paths |
Trusted computing concepts:
- Trusted Computing Base (TCB): The hardware, firmware, and software enforcing the security policy. Must be minimal, isolated, and verifiable.
- TPM (Trusted Platform Module): Hardware chip storing cryptographic keys and boot measurements; enables Secure Boot and disk encryption key protection.
- Code signing: Software is signed with the developer's private key; the OS verifies the signature against a trusted public key before execution.
- SBOM: Machine-readable inventory of all software components; enables rapid response when a component vulnerability is disclosed.
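The SCA row of the table and the SBOM bullet describe the same workflow from two ends: an inventory of components, matched against published vulnerability data so that a newly disclosed flaw can be traced to every affected system quickly. The following Go program is an added illustration of that lookup, not code from the original page. It parses a minimal, constructed CycloneDX-style SBOM (only the `components`, `name` and `version` fields are read) and matches each component against a constructed advisory list by exact version; the advisory identifiers are placeholders, not real CVEs, and real feeds express affected versions as ranges rather than exact strings.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SBOM is the subset of a CycloneDX JSON document this example reads:
// the list of components, each with a name and version.
type SBOM struct {
	Components []Component `json:"components"`
}

// Component is one inventoried package. Extra fields in the JSON
// (bomFormat, type, purl, ...) are ignored by encoding/json.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// Advisory is a constructed vulnerability record (hypothetical format):
// the component it names and the exact versions it affects.
type Advisory struct {
	ID       string   // placeholder identifier, not a real CVE
	Name     string   // component name as it appears in the SBOM
	Affected []string // affected versions, exact-match for this illustration
}

// Finding ties an SBOM component to the advisory that lists its version.
type Finding struct {
	Component Component
	Advisory  string
}

// MatchAdvisories parses the SBOM and returns every component whose exact
// version appears in an advisory for that component name.
func MatchAdvisories(sbomJSON []byte, advisories []Advisory) ([]Finding, error) {
	var sbom SBOM
	if err := json.Unmarshal(sbomJSON, &sbom); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	// Index advisories by component name so each SBOM entry is one lookup.
	byName := map[string][]Advisory{}
	for _, a := range advisories {
		byName[a.Name] = append(byName[a.Name], a)
	}
	var findings []Finding
	for _, c := range sbom.Components {
		for _, a := range byName[c.Name] {
			for _, v := range a.Affected {
				if v == c.Version {
					findings = append(findings, Finding{Component: c, Advisory: a.ID})
				}
			}
		}
	}
	return findings, nil
}

// SampleSBOM is a constructed inventory of three components.
var SampleSBOM = []byte(`{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "text-template", "version": "3.0.2"},
    {"type": "library", "name": "http-client", "version": "4.5.13"},
    {"type": "library", "name": "yaml-reader", "version": "1.33"}
  ]
}`)

// SampleAdvisories is a constructed feed: one advisory hits a version in the
// SBOM, the other names a component the SBOM has at an unaffected version.
var SampleAdvisories = []Advisory{
	{ID: "ADV-EXAMPLE-0001", Name: "text-template", Affected: []string{"3.0.1", "3.0.2"}},
	{ID: "ADV-EXAMPLE-0002", Name: "yaml-reader", Affected: []string{"1.30"}},
}

func main() {
	findings, err := MatchAdvisories(SampleSBOM, SampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s is affected by %s\n", f.Component.Name, f.Component.Version, f.Advisory)
	}
}
```

Running it reports only `text-template 3.0.2`; `yaml-reader` is present but at a version the advisory does not list, which is exactly the distinction an SBOM lookup exists to make during an incident.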
⚠️ Exam Trap: Code signing verifies the source and integrity of software — it does not verify that the software is safe or free of vulnerabilities. A malicious developer can sign malware with their own legitimate certificate. Code signing answers "who built this?" not "is this safe to run?"
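The exam trap above is easiest to see with the verification step written out. The Go program below is an added example, not part of the original page: it signs a constructed package with an Ed25519 publisher key and then runs the loader-side check over four cases, a genuine package, a tampered copy, a package from an unknown publisher, and a malicious package signed with the legitimate key. The package names, contents and key handling are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Package is a constructed stand-in for a software artifact: the bytes a
// loader would execute plus the publisher's detached signature.
type Package struct {
	Name      string
	Contents  []byte
	Signature []byte
}

// SignPackage is the publisher's step: sign a SHA-256 digest of the contents.
func SignPackage(priv ed25519.PrivateKey, name string, contents []byte) Package {
	digest := sha256.Sum256(contents)
	return Package{Name: name, Contents: contents, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyPackage is the loader's step: recompute the digest and check the
// signature against the trusted publisher key. A true result means only
// "this publisher signed exactly these bytes"; it says nothing about what
// the bytes do when run.
func VerifyPackage(trusted ed25519.PublicKey, p Package) bool {
	digest := sha256.Sum256(p.Contents)
	return ed25519.Verify(trusted, digest[:], p.Signature)
}

// Results records whether each scenario passes signature verification.
type Results struct {
	Genuine          bool // publisher-signed, untouched
	Tampered         bool // publisher-signed, then one byte changed
	UnknownPublisher bool // signed by a key the loader does not trust
	SignedMalware    bool // malicious contents signed with the trusted key
}

// Scenario builds the four cases and verifies each against the trusted key.
func Scenario() (Results, error) {
	trustedPub, trustedPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Results{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Results{}, err
	}

	genuine := SignPackage(trustedPriv, "backup-agent-1.2", []byte("backup agent binary (constructed)"))

	// Copy the contents before modifying so the genuine package is unaffected.
	tampered := genuine
	tampered.Contents = append([]byte{}, genuine.Contents...)
	tampered.Contents[0] ^= 0xff

	unknown := SignPackage(otherPriv, "backup-agent-1.2", genuine.Contents)

	// The same trusted key signs something harmful: the check still passes,
	// because code signing attests to origin and integrity, not behaviour.
	malware := SignPackage(trustedPriv, "backup-agent-1.3", []byte("backup agent that also exfiltrates data (constructed)"))

	return Results{
		Genuine:          VerifyPackage(trustedPub, genuine),
		Tampered:         VerifyPackage(trustedPub, tampered),
		UnknownPublisher: VerifyPackage(trustedPub, unknown),
		SignedMalware:    VerifyPackage(trustedPub, malware),
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies:           %v\n", r.Genuine)
	fmt.Printf("tampered verifies:          %v\n", r.Tampered)
	fmt.Printf("unknown publisher verifies: %v\n", r.UnknownPublisher)
	fmt.Printf("signed malware verifies:    %v\n", r.SignedMalware)
}
```

The tampered and unknown-publisher cases fail, which is what the control is for; the signed-malware case passes, which is the point of the trap. Controls that speak to "is this safe to run" are the assessment methods in the table above (SAST, SCA, DAST, fuzzing), not the signature check.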
Reflection Question: Your organization is evaluating a commercial database management system that will process customer PII. Describe five specific security requirements that should appear in the procurement contract, and explain the security risk that each requirement addresses.