Security attacks typically result from unintended behaviors or invalid inputs. Security testing is labor intensive because a real-world program usually has too many invalid inputs. It is therefore highly desirable to automate, or at least partially automate, the security-testing process; the need for automatic testing of large-scale web applications in particular suggests the use of model-based testing technology. This paper presents an approach to the automated generation of security tests from formal threat models represented as Predicate/Transition nets. It generates all attack paths, i.e., security tests, from a threat model and converts them into executable test code according to a given Model-Implementation Mapping (MIM) specification. We have applied this approach to two real-world systems, Magento (a web-based shopping system used by many online stores) and FileZilla Server (a popular FTP server implementation in C++). Threat models are built systematically by examining all potential STRIDE (spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privilege) threats to system functions. The security tests generated from these models have found multiple security risks in each system, and the test code for most of them can be generated and executed automatically. To further evaluate the vulnerability detection capability of the approach, the security tests have been applied to a number of security mutants into which vulnerabilities were injected deliberately; the mutants are created according to common vulnerabilities in C++ and web applications. Our experiments show that the security tests killed the majority of the mutants.
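The following is an added illustration of the pipeline the abstract describes, not code from the paper or its tool: a small Predicate/Transition net encodes one STRIDE information-disclosure threat (path traversal by a logged-in FTP user), a depth-first search enumerates every loop-free attack path that reaches the goal place, and a Model-Implementation Mapping turns each path into an executable test whose oracle is "the attack goal was reached". The tests are then run against a hardened server and against a mutant with the confinement check removed. Everything here is constructed for the example: the net `NET`, the initial marking `M0`, the mapping `MIM`, and `FtpServer`, an in-memory stand-in that is not FileZilla Server.

```python
"""Constructed PrT-net threat model -> attack paths -> MIM -> executable security tests.
Not the paper's tool or models; FtpServer is an in-memory stand-in, not FileZilla."""
import posixpath

# A marking is a frozenset of (place, token) pairs; tokens are tuples of constants.
# Arc labels mix constants and variables ("?x"); a transition fires when every input
# arc unifies with some token and the guard holds on the resulting binding.
def _match(pattern, token, env):
    """Unify one arc label with one token, extending env; None on mismatch."""
    if len(pattern) != len(token):
        return None
    env = dict(env)
    for p, v in zip(pattern, token):
        if isinstance(p, str) and p.startswith("?"):
            if env.setdefault(p, v) != v:
                return None
        elif p != v:
            return None
    return env

def _bind(arcs, marking, env):
    """Enumerate every binding that satisfies all input arcs."""
    if not arcs:
        yield env
        return
    place, pattern = arcs[0]
    for p, tok in marking:
        if p == place:
            e = _match(pattern, tok, env)
            if e is not None:
                yield from _bind(arcs[1:], marking, e)

def enabled(net, marking):
    """Yield (transition, binding) for every enabled firing mode."""
    for tr in net:
        for env in _bind(tr["in"], marking, {}):
            if tr.get("guard", lambda e: True)(env):
                yield tr, env

def fire(tr, env, marking):
    subst = lambda pat: tuple(env.get(x, x) for x in pat)
    consumed = {(p, subst(pat)) for p, pat in tr["in"]}
    produced = {(p, subst(pat)) for p, pat in tr["out"]}
    return (marking - consumed) | produced

def attack_paths(net, m0, goal_place, max_depth=6):
    """All loop-free firing sequences from m0 that put a token in goal_place."""
    paths = []
    def dfs(marking, trail, visited):
        if any(p == goal_place for p, _ in marking):
            paths.append(trail)
            return
        if len(trail) == max_depth:
            return
        for tr, env in enabled(net, marking):
            m1 = fire(tr, env, marking)
            if m1 not in visited:
                dfs(m1, trail + [(tr["name"], env)], visited | {m1})
    dfs(m0, [], {m0})
    return sorted(paths, key=lambda p: (len(p), repr(p)))

# Constructed threat model: information disclosure via directory traversal.
# cd changes the virtual working directory to an attacker-chosen path; retr reads a
# file there. Self-loop arcs (same label in and out) model "read-only" conditions.
NET = [
    {"name": "login", "in": [("cred", ("?u", "?p"))],
     "out": [("cred", ("?u", "?p")), ("session", ("?u",))]},
    {"name": "cd", "in": [("session", ("?u",)), ("cwd", ("?d",)), ("target", ("?t", "?f"))],
     "out": [("session", ("?u",)), ("cwd", ("?t",)), ("target", ("?t", "?f"))],
     "guard": lambda e: e["?d"] != e["?t"]},
    {"name": "retr", "in": [("session", ("?u",)), ("cwd", ("?d",)), ("target", ("?d", "?f"))],
     "out": [("session", ("?u",)), ("cwd", ("?d",)), ("target", ("?d", "?f")), ("disclosed", ("?f",))]},
]
M0 = frozenset({("cred", ("anonymous", "guest@")), ("cwd", ("/pub",)),
                ("target", ("/pub/../../etc", "secret.txt")),      # both targets lie
                ("target", ("/pub/../../../etc", "passwd"))})      # outside the FTP root

# MIM: each model transition maps to an implementation statement; the goal place maps
# to the test oracle (constructed templates, formatted with the path's variable binding).
MIM = {"login": "sut.login({u!r}, {p!r})", "cd": "sut.cwd({t!r})",
       "retr": "data = sut.retr({f!r})",
       "disclosed": "return data is not None  # attack succeeded: content leaked"}

def generate_test_code(paths, mim):
    lines = []
    for i, path in enumerate(paths):
        lines.append(f"def attack_{i}(sut):")
        for name, env in path:
            args = {k.lstrip("?"): v for k, v in env.items()}
            lines.append("    " + mim[name].format(**args))
        lines.append("    " + mim["disclosed"])
    return "\n".join(lines) + "\n"

def run_attacks(code, make_sut):
    """Run the generated tests, each on a fresh SUT; return the attacks that succeeded."""
    ns = {}
    exec(code, ns)
    return [n for n, fn in ns.items() if n.startswith("attack_") and fn(make_sut())]

class FtpServer:
    """Constructed in-memory FTP-like SUT. confine=False is the injected mutant:
    the check that resolved paths stay under ROOT is removed (path traversal)."""
    ROOT = "/srv/ftp"
    FILES = {"/srv/ftp/pub/readme.txt": "public", "/srv/etc/secret.txt": "s3cr3t",
             "/etc/passwd": "root:x:0:0:root:/root:/bin/sh"}
    def __init__(self, confine=True):
        self.confine, self.user, self.vcwd = confine, None, "/pub"
    def _real(self, virtual):          # virtual path under ROOT, normalised
        return posixpath.normpath(self.ROOT + virtual)
    def _inside(self, real):
        return real == self.ROOT or real.startswith(self.ROOT + "/")
    def login(self, user, password):   # constructed: only anonymous login is accepted
        self.user = user if user == "anonymous" else None
        return self.user is not None
    def cwd(self, path):
        virtual = posixpath.join(self.vcwd, path)
        if self.user is None or (self.confine and not self._inside(self._real(virtual))):
            return False
        self.vcwd = virtual
        return True
    def retr(self, name):
        real = self._real(posixpath.join(self.vcwd, name))
        if self.user is None or (self.confine and not self._inside(real)):
            return None
        return self.FILES.get(real)

if __name__ == "__main__":
    paths = attack_paths(NET, M0, "disclosed")
    code = generate_test_code(paths, MIM)
    print(code)
    print("original killed by:", run_attacks(code, lambda: FtpServer(confine=True)))
    print("mutant killed by:  ", run_attacks(code, lambda: FtpServer(confine=False)))
```

The search yields four attack paths (two targets, with or without an intermediate `cd`), each rendered as an `attack_N(sut)` function. Against the confined server no attack reaches the goal; against the mutant all four do, which is the mutant-killing measurement the abstract reports in miniature. Note that the model's `cwd` tokens are absolute virtual paths so that model state and server state stay aligned after any sequence of `cd` firings; keeping that correspondence explicit is the job of the MIM in the real approach.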