Abstract
Web applications play an increasingly essential role in daily life; hence, their security is receiving more attention, and a great deal of research on web application security testing has been carried out. Most of it, however, concentrates on testing arranged after the implementation process is complete. In this paper, we propose a threat model-driven security testing approach for detecting threats, which consists of four activities: building a threat tree, according to the attack pattern, against the threats a web application may confront; deriving a security testing sequence from the threat model; deriving security testing data from UML sequence diagram parameters for extracting test inputs; and generating executable security test cases. We also propose an algorithm for generating security testing sequences and conduct an empirical study to show the feasibility and effectiveness of our approach.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Yan, B., Li, X., Du, Z. (2012). A Threat Model-Driven Security Testing Approach for Web Application. In: Khachidze, V., Wang, T., Siddiqui, S., Liu, V., Cappuccio, S., Lim, A. (eds) Contemporary Research on E-business Technology and Strategy. iCETS 2012. Communications in Computer and Information Science, vol 332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34447-3_14
DOI: https://doi.org/10.1007/978-3-642-34447-3_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34446-6
Online ISBN: 978-3-642-34447-3