Risk-Based Vulnerability Testing Using Security Test Patterns | SpringerLink

Abstract

This paper introduces a security testing approach guided by risk assessment, using risk coverage as the driver, to perform and automate vulnerability testing of Web applications. The approach, called Risk-Based Vulnerability Testing, adapts Model-Based Testing techniques, which are currently used mostly for functional testing. It also extends Model-Based Vulnerability Testing techniques by driving the testing process with security test patterns selected from the risk assessment results; this combination is what is new in the approach. In this paper, we describe the principles of the approach, which rests on a mixed model of the System Under Test: the model used for automated test generation captures some behavioral aspects of the Web application, but also includes vulnerability test purposes that drive the test generation process.
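The pipeline the abstract outlines (risk assessment results select security test patterns, the patterns act as vulnerability test purposes over a behavioural model of the Web application, and risk coverage measures the outcome) can be illustrated with a small Python example. The code below is added here for illustration and is not the authors' tooling or the paper's implementation: the application model (MODEL), the risk register (RISKS), the pattern catalogue (CATALOG), the scoring rule (likelihood x impact) and the selection threshold are all constructed assumptions.

```python
"""Added illustration (not the paper's tooling): risk-driven pattern selection
and model-based generation of vulnerability tests. All data is constructed."""
from collections import deque, namedtuple

Risk = namedtuple("Risk", "rid weakness likelihood impact")        # likelihood, impact: 1..5
TestPattern = namedtuple("TestPattern", "name weakness payloads oracle")
Transition = namedtuple("Transition", "src dst action params")     # params: user-controlled

def score(risk):
    """Assumed risk scoring: likelihood x impact."""
    return risk.likelihood * risk.impact

# Behavioural model of the System Under Test (constructed): pages and actions.
MODEL = (
    Transition("home", "login_page", "open_login", ()),
    Transition("login_page", "home", "login", ("username", "password")),
    Transition("home", "results", "search", ("q",)),
    Transition("results", "item", "view_item", ("id",)),
)

# Risk assessment results (constructed).
RISKS = (
    Risk("R1", "CWE-79", 4, 4),    # cross-site scripting, score 16
    Risk("R2", "CWE-89", 3, 5),    # SQL injection, score 15
    Risk("R3", "CWE-352", 3, 4),   # CSRF, score 12, no pattern in the catalogue
    Risk("R4", "CWE-209", 1, 2),   # verbose error messages, score 2
)

# Security test pattern catalogue (constructed).
CATALOG = (
    TestPattern("xss_reflection", "CWE-79",
                ("<script>alert(1)</script>", '"><img src=x onerror=alert(1)>'),
                "payload echoed unencoded in the response body"),
    TestPattern("sql_tautology", "CWE-89",
                ("' OR '1'='1", "1 OR 1=1--"),
                "response differs from the nominal one or shows a database error"),
)

def select_patterns(risks, catalog, threshold):
    """In-scope risks (score >= threshold), highest first, each paired with the
    catalogue patterns that target the same weakness."""
    in_scope = sorted((r for r in risks if score(r) >= threshold), key=score, reverse=True)
    return [(r, [p for p in catalog if p.weakness == r.weakness]) for r in in_scope]

def shortest_path(model, start, target):
    """BFS over the model; returns the transitions leading from start to target."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        if state == target:
            return path
        for t in model:
            if t.src == state and t.dst not in seen:
                seen.add(t.dst)
                queue.append((t.dst, path + [t]))
    return None

def generate_tests(model, risks, catalog, threshold, start="home"):
    """Vulnerability test purpose: for each selected pattern, reach every action
    carrying a user-controlled parameter and inject each payload into it."""
    tests = []
    for risk, patterns in select_patterns(risks, catalog, threshold):
        for pattern in patterns:
            for t in model:
                prefix = shortest_path(model, start, t.src)
                if prefix is None:          # unreachable in the model: nothing to test
                    continue
                for param in t.params:
                    for payload in pattern.payloads:
                        steps = [(p.action, {k: "nominal" for k in p.params}) for p in prefix]
                        args = dict({k: "nominal" for k in t.params}, **{param: payload})
                        steps.append((t.action, args))
                        tests.append({"risk": risk.rid, "pattern": pattern.name,
                                      "param": f"{t.action}.{param}",
                                      "steps": steps, "oracle": pattern.oracle})
    return tests

def risk_coverage(tests, risks, threshold):
    """Returns (share of in-scope risks exercised by >= 1 test, uncovered risk ids)."""
    in_scope = [r for r in risks if score(r) >= threshold]
    covered = {t["risk"] for t in tests}
    missing = [r.rid for r in in_scope if r.rid not in covered]
    ratio = 1.0 if not in_scope else 1 - len(missing) / len(in_scope)
    return ratio, missing

if __name__ == "__main__":
    suite = generate_tests(MODEL, RISKS, CATALOG, threshold=10)
    ratio, missing = risk_coverage(suite, RISKS, 10)
    print(f"{len(suite)} abstract tests, risk coverage {ratio:.2f}, uncovered: {missing}")
```

With the constructed data, three risks are in scope at threshold 10, but only the XSS and SQL injection risks have a catalogue pattern, so 16 abstract tests are generated and risk coverage reports 2/3 with R3 (CSRF) listed as uncovered instead of silently dropped; that gap is exactly what a risk-coverage measure is meant to surface to the tester. The generated tests are abstract (an action sequence plus the parameter that receives the payload and the oracle to apply); turning them into concrete HTTP requests against a real application is a separate concretisation step.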

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Botella, J., Legeard, B., Peureux, F., Vernotte, A. (2014). Risk-Based Vulnerability Testing Using Security Test Patterns. In: Margaria, T., Steffen, B. (eds) Leveraging Applications of Formal Methods, Verification and Validation. Specialized Techniques and Applications. ISoLA 2014. Lecture Notes in Computer Science, vol 8803. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45231-8_24

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-45231-8_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-45230-1

  • Online ISBN: 978-3-662-45231-8

  • eBook Packages: Computer Science, Computer Science (R0)
