Security Testing in Agile Web Application Development - A Case Study Using the EAST Methodology

  • Gencer Erdogan
  • Per Håkon Meland
  • Derek Mathieson
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 48)


There is a need for improved security testing methodologies specialized for Web applications and their agile development environment. The number of web application vulnerabilities is drastically increasing, while security testing tends to be given a low priority. In this paper, we analyze and compare Agile Security Testing with two other common methodologies for Web application security testing, and then present an extension of this methodology. We present a case study showing how our Extended Agile Security Testing (EAST) performs compared to a more ad hoc approach used within an organization. Our working hypothesis is that the detection of vulnerabilities in Web applications will be significantly more efficient when using a structured security testing methodology specialized for Web applications, compared to existing ad hoc ways of performing security tests. Our results show a clear indication that our hypothesis is on the right track.


Keywords: Security testing; Web applications; Scrum





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Gencer Erdogan (1)
  • Per Håkon Meland (2)
  • Derek Mathieson (1)

  1. CERN - The European Organization for Nuclear Research, Genève 23, Switzerland
  2. SINTEF ICT, System development and security, Trondheim, Norway
