Security Testing Based on Attack Patterns

Cited by: 15
Authors
Bozic, Josip [1 ]
Wotawa, Franz [1 ]
Affiliation
[1] Graz Univ Technol, Inst Software Technol, A-8010 Graz, Austria
Keywords
Attack pattern; UML state machine; SQL injection; cross-site scripting; model-based testing; security testing;
DOI
10.1109/ICSTW.2014.58
Chinese Library Classification
TP31 [Computer Software];
Discipline Classification Code
081202 ; 0835 ;
Abstract
Testing for security-related issues is an important task of growing interest due to the vast number of applications and services available over the internet. In practice, security testing is often performed manually, with the consequences of higher costs and no integration of security testing with today's agile software development processes. In order to bring security testing into practice, many different approaches have been suggested, including fuzz testing and model-based testing. Most of these approaches rely on models of the system or the application domain. In this paper we suggest formalizing attack patterns from which test cases can be generated and even executed automatically. Hence, testing for known attacks can be easily integrated into software development processes where automated testing, e.g., for daily builds, is a requirement. The approach makes use of UML state charts. Besides discussing the approach, we illustrate it using a case study.
Pages: 4 / 11
Page count: 8