ASASI: An Environment for Addressing Software Application Security Issues

Essafi, Mehrez; Labed, Lamia; Ghezala, Henda Ben

doi:10.1109/icsnc.2006.23

Cited by 5 publications

(4 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Part of this increased attention is from the realization that the current so-called "penetrate and patch" approach to security is inadequate Essafi, Labed, & Ghezala, 2006) because the applied patches often fix similar vulnerabilities that frequently reappear in software (Hoglund & McGraw, 2002;McGraw, 1999). For example, at the time of this writing, 13 of the 20 most severe US-CERT vulnerability notes documented over the last 10 years were buffer overflow vulnerabilities (US-CERT, 2007).…”

Section: Fundamental Question and Motivationmentioning

confidence: 94%

Secure Software Engineering: Learning from the Past to Address Future Challenges

Hein¹,

Saiedian

2009

Information Security Journal: A Global Perspective

View full text Add to dashboard Cite

This paper provides a taxonomy of secure software systems engineering (SSE) by surveying and organizing relevant SSE research and presents current trends in SSE, on-going challenges, and models for reasoning about threats and vulnerabilities. Several challenging questions related to risk assessment/mitigation (e.g., "what is the likelihood of attack") as well as practical questions (e.g., "where do vulnerabilities originate" and "how can vulnerabilities be prevented") are addressed.

show abstract

Section: Fundamental Question and Motivationmentioning

confidence: 94%

Secure Software Engineering: Learning from the Past to Address Future Challenges

Hein¹,

Saiedian

2009

Information Security Journal: A Global Perspective

View full text Add to dashboard Cite

show abstract

“… 2021 ; Essafi et al. 2006 ; Walden and Shumba 2006 ; Jayalath et al. 2020 ; Kanniah and Mahrin 2016 ; Arora et al.…”

Section: Related Researchmentioning

confidence: 99%

Human-centred cyber secure software engineering

Renaud

2022

Z. Arb. Wiss.

View full text Add to dashboard Cite

Software runs our modern day lives: our shopping, our transport and our medical devices. Hence, no citizen can escape the consequences of poor software engineering. A closely-aligned concern, which also touches every aspect of our lives, is cyber security. Software has to be developed with cybersecurity threats in mind, in order to design resistance and resilience into the software, given that they are often rooted in malicious human behaviour. Both software engineering and cyber security disciplines need to acknowledge and accommodate humans, not expect perfect performances. This is a position paper, delineating the extent of the challenge posed by this reality, and suggesting ways for accommodating the influence of human nature on secure software engineering.Practical Relevance: Socio-technical systems are made up of people, processes and technology. All can fail or be suboptimal. Software itself, being designed, developed and used by humans, is likely to malfunction. This could be caused by human error, or by malice. This paper highlights this reality, taking a closer look at all of the possible sources of malfunctioning technology. By doing so, I hope to infuse the management of socio-technical systems with an understanding and acknowledgement of this reality.

show abstract

“…Numerous resources exist which focus on security testing [8,9,11,31,31,42,51,54]. Most notably the Open Web Application Security Project (OWASP) published a guide [27] describing techniques for testing web service security issues, and assembled a cheat sheet [33] focusing on specific security topics including authentication.…”

Section: Testing Authenticationmentioning

confidence: 99%

“…Security testing is motivated by risk models, attack patterns, and use/misuse cases [11,51,54]. Respected security testing resources, such as the OWASP testing guide [27], suggest test cases in this context from the "black box" testing perspective.…”

mentioning

confidence: 99%

Replication Package for "Did You Remember To Test Your Tokens?"

Gonzalez,

Rath,

Mirakhorli

2020

View full text Add to dashboard Cite

Authentication is a critical security feature for confirming the identity of a system's users, typically implemented with help from frameworks like Spring Security. It is a complex feature which should be robustly tested at all stages of development. Unit testing is an effective technique for fine-grained verification of feature behaviors that is not widely-used to test authentication. Part of the problem is that resources to help developers unit test security features are limited. Most security testing guides recommend test cases in a "black box" or penetration testing perspective. These resources are not easily applicable to developers writing new unit tests, or who want a security-focused perspective on coverage.In this paper, we address these issues by applying a grounded theory-based approach to identify common (unit) test cases for token authentication through analysis of 481 JUnit tests exercising Spring Security-based authentication implementations from 53 open source Java projects. The outcome of this study is a developerfriendly unit testing guide organized as a catalog of 53 test cases for token authentication, representing unique combinations of 17 scenarios, 40 conditions, and 30 expected outcomes learned from the data set in our analysis. We supplement the test guide with common test smells to avoid. To verify the accuracy and usefulness of our testing guide, we sought feedback from selected developers, some of whom authored unit tests in our dataset. CCS CONCEPTS• Software and its engineering → Software testing and debugging; Software libraries and repositories; • Security and privacy → Web application security.

show abstract

ASASI: An Environment for Addressing Software Application Security Issues

Cited by 5 publications

References 13 publications

Secure Software Engineering: Learning from the Past to Address Future Challenges

Secure Software Engineering: Learning from the Past to Address Future Challenges

Human-centred cyber secure software engineering

Replication Package for "Did You Remember To Test Your Tokens?"

Contact Info

Product

Resources

About