Cyberpatterns pp 135-148

Towards a Penetration Testing Framework Using Attack Patterns

  • Clive Blackwell


The problems of system security are well known, but no satisfactory methods to resolve them have ever been discovered. One heuristic method is to use a penetration test with the rationale of finding system flaws before malicious attackers do. However, this is a craft-based discipline without an adequate theoretical or empirical basis for justifying its activities and results. We show that both the automated-tool and skill-based methods of pen testing are unsatisfactory, because we need to provide understandable evidence to clients about their weaknesses and offer actionable plans to fix the critical ones. We use attack patterns to help develop a pen-testing framework intended to avoid the limitations of current approaches.



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. Department of Computing and Communication Technologies, Oxford Brookes University, Wheatley Campus, Oxford, UK
