
A Threat Model-Driven Security Testing Approach for Web Application

  • Conference paper
Contemporary Research on E-business Technology and Strategy (iCETS 2012)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 332))


Abstract

Web applications play an increasingly essential role in daily life, so their security is receiving more attention, and a great deal of research on web application security testing has followed. Most of it, however, concentrates on testing performed only after implementation is complete. In this paper we propose a threat model-driven security testing approach for detecting threats. It consists of four activities: building a threat tree, according to attack patterns, for the threats a web application may confront; deriving a security testing sequence from the threat model; deriving security test data from the parameters of UML sequence diagrams in order to extract test inputs; and generating executable security test cases. We also propose an algorithm for generating security testing sequences and conduct an empirical study to show the feasibility and effectiveness of the approach.
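The four activities above can be made concrete with a small end-to-end pipeline. The following is an added illustration, not the paper's algorithm or code: it applies standard AND/OR attack-tree semantics to enumerate attack scenarios (the test sequences), binds constructed test data to the parameters of each step (standing in for the UML sequence diagram parameters the abstract mentions), and runs the resulting test cases against a constructed, deliberately weak login function so that the generated tests have something to find. The threat tree, payload classes, default arguments and the target are all assumptions made for the example.

```python
"""Added illustration of a threat-tree-driven security test pipeline.
Not the paper's algorithm: AND/OR attack-tree expansion, constructed test data,
and a constructed (deliberately weak) login target are all assumptions."""
import sqlite3
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, List, Optional


@dataclass
class ThreatNode:
    name: str
    gate: str = "LEAF"                       # "AND", "OR" or "LEAF"
    children: List["ThreatNode"] = field(default_factory=list)
    operation: Optional[str] = None          # leaf: message sent to the application
    params: Dict[str, str] = field(default_factory=dict)  # leaf: parameter -> payload class


def attack_scenarios(node: ThreatNode) -> List[List[ThreatNode]]:
    """Activity 2: enumerate minimal attack scenarios as ordered lists of leaves.
    OR: any single child realises the threat; AND: every child is needed, in order."""
    if node.gate == "LEAF":
        return [[node]]
    per_child = [attack_scenarios(c) for c in node.children]
    if node.gate == "OR":
        return [s for scenarios in per_child for s in scenarios]
    if node.gate == "AND":
        return [sum(combo, []) for combo in product(*per_child)]
    raise ValueError(f"unknown gate {node.gate!r}")


# Constructed test data (activity 3): payload class -> candidate values.
TEST_DATA = {
    "sqli": ["' OR '1'='1' -- ", "admin'--"],
    "valid_user_probe": ["admin"],
    "weak_password": ["password", "123456"],
}
# Constructed defaults per message, standing in for sequence-diagram parameters.
DEFAULT_ARGS = {"login": {"username": "alice", "password": "s3cret"}}


def generate_test_cases(scenario, data=TEST_DATA, defaults=DEFAULT_ARGS):
    """Activities 3 and 4: bind test data to every parameter of every step and
    emit one test case per combination; a case is a list of (operation, args)."""
    per_step = []
    for leaf in scenario:
        names = sorted(leaf.params)
        choices = [data[leaf.params[n]] for n in names]
        variants = []
        for values in product(*choices):
            args = dict(defaults.get(leaf.operation, {}))
            args.update(zip(names, values))
            variants.append((leaf.operation, args))
        per_step.append(variants)
    return [list(combo) for combo in product(*per_step)]


def execute(test_case, target: Dict[str, Callable]) -> bool:
    """Run the steps in order; the threat is realised if the last step grants access."""
    outcome = False
    for op, args in test_case:
        outcome = target[op](**args)
    return outcome


def make_vulnerable_target():
    """Constructed target: SQL built by string concatenation (deliberately weak)
    plus a guessable password, so the generated tests can detect both threats."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice','s3cret'), ('admin','password')")

    def login(username: str, password: str) -> bool:
        query = (f"SELECT 1 FROM users WHERE username='{username}' "
                 f"AND password='{password}'")
        try:
            return db.execute(query).fetchone() is not None
        except sqlite3.Error:
            return False

    return {"login": login}


# Activity 1: a small constructed threat tree for bypassing authentication.
LOGIN_TREE = ThreatNode("Bypass authentication", "OR", [
    ThreatNode("Inject SQL via username", operation="login",
               params={"username": "sqli"}),
    ThreatNode("Guess credentials", "AND", [
        ThreatNode("Confirm a valid username", operation="login",
                   params={"username": "valid_user_probe"}),
        ThreatNode("Try a weak password", operation="login",
                   params={"username": "valid_user_probe", "password": "weak_password"}),
    ]),
])


def run_suite(tree=LOGIN_TREE):
    """Return (number of generated test cases, number that realised the threat)."""
    target = make_vulnerable_target()
    cases = [tc for sc in attack_scenarios(tree) for tc in generate_test_cases(sc)]
    return len(cases), sum(execute(tc, target) for tc in cases)


if __name__ == "__main__":
    print(run_suite())   # (4, 3)
```

The OR root yields two scenarios: the single injection step, and the two-step enumerate-then-guess sequence. Binding the constructed payloads produces four executable cases, three of which reach the weak target's "authenticated" state; the oracle here is simply whether the final step grants access, which is the part a real implementation would derive from the threat node's stated consequence rather than hard-code.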






Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Yan, B., Li, X., Du, Z. (2012). A Threat Model-Driven Security Testing Approach for Web Application. In: Khachidze, V., Wang, T., Siddiqui, S., Liu, V., Cappuccio, S., Lim, A. (eds) Contemporary Research on E-business Technology and Strategy. iCETS 2012. Communications in Computer and Information Science, vol 332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34447-3_14


  • DOI: https://doi.org/10.1007/978-3-642-34447-3_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34446-6

  • Online ISBN: 978-3-642-34447-3

  • eBook Packages: Computer Science (R0)
