Next generation public health: towards precision and fairness

2010

Penetration testing is widely used in industry as a test method for web application security assessment. However, penetration testing is often performed late in a software development life cycle as an isolated task and usually requires specialized security experts. There is no well-defined test framework providing guidance and support to general testers who usually do not have in-depth security expertise to perform a systematic and cost-efficient penetration test campaign throughout a security-oriented software development life cycle.In this thesis, we propose a model-driven penetration test framework for web applications that consists of a penetration test methodology, a grey-box test architecture, a web security knowledgebase, a test campaign model, and a knowledge-based PenTest workbench. The test framework enables general testers to perform a penetration test campaign in a model-driven approach that is fully integrated into a security-oriented software development life cycle. Security experts are still required to build up and maintain a web security knowledgebase for test campaigns, but the general testers are capable of developing and executing penetration test campaigns with reduced complexity and increased reusability in a systematic and cost-efficient approach.

show abstract

Framework testing of web applications using TTCN-3

Int J Softw Tools Technol Transf

2008

Using TTCN-3 as a modeling language for web penetration testing

2012

Abstract-Penetration testing is widely used for vulnerability assessment of web applications. Usually, it is performed by specialized security experts after development is completed and the application deployed into production, but recent research has proposed a model based penetration test framework for web applications which provides a repeatable, systematic and costefficient approach fully integrated into a security-oriented software development life cycle. In this context, we evaluate the test specification language TTCN-3 as a modeling language for web penetration testing and show how its inherent abstraction features make the process of generating web penetration test campaigns easier. In particular, we demonstrate the advantages of combining separate models for the relevant web vulnerabilities and web application functionalities, with a generic web abstraction model and a TTCN-3 test framework model.

show abstract

Model-Based Penetration Test Framework for Web Applications Using TTCN-3

2009

A Systematic Approach to Web Application Penetration Testing Using TTCN-3

2011