Mutation Analysis of Magento for Evaluating Threat Model-Based Security Testing

Thomas, Lijo; Xu, Weifeng; Xu, Dianxiang

doi:10.1109/compsacw.2011.40

Cited by 5 publications

(6 citation statements)

References 20 publications

(35 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This finding is consistent with the software testing theory that states that testing aims to shows presence of defects, but it is not able to prove their absence [53]. Additionally, there is evidence in the literature that verification security methods do not identify all defects [54] [55] and some performance tools has limitations such as on temporal synchronization, GUI elements identification and incomplete implementations [56].…”

Section: E Verification Activities Only Do Not Guarantee Softwaresupporting

confidence: 74%

A Perception of the Practice of Software Security and Performance Verification

Ribeiro¹,

Cruzes²,

Travassos³

2018

2018 25th Australasian Software Engineering Conference (ASWEC)

View full text Add to dashboard Cite

Security and performance are critical nonfunctional requirements for software systems. Thus, it is crucial to include verification activities during software development to identify defects related to such requirements, avoiding their occurrence after release. Software verification, including testing and reviews, encompasses a set of activities that have a purpose of analyzing the software searching for defects. Security and performance verification are activities that look at defects related to these specific quality attributes. Few empirical studies have been focused on how is the state of the practice in security and performance verification. This paper presents the results of a case study performed in the context of Brazilian organizations aiming to characterize security and performance verification practices. Additionally, it provides a set of conjectures indicating recommendations to improve security and performance verification activities.

show abstract

Section: E Verification Activities Only Do Not Guarantee Softwaresupporting

confidence: 74%

A Perception of the Practice of Software Security and Performance Verification

Ribeiro¹,

Cruzes²,

Travassos³

2018

2018 25th Australasian Software Engineering Conference (ASWEC)

View full text Add to dashboard Cite

show abstract

“…Focus Areas and limitations are shown in given table 8. These identified limitations are complex model [3] [16] [26], annotation cost [6], accuracy [6], lack in tool maturity [10], State space explosion [13], scalability issues [16], error prone [28], time consuming [32], [36], [42], multi components with the same degree [34], performance issues [35], lack of automation [41], quality assurance [41] etc. Focus areas and limitations are shown in given Table 8.…”

Section: Rq3: Which Areas These Approaches Address and What Are The Lmentioning

confidence: 99%

Model Based Testing for Web Applications: A Literature Survey Presented

Javed¹,

Minhas²,

Abbas³

et al. 2016

JSW

View full text Add to dashboard Cite

Abstract:The World Wide Web has a great impact in the world of computing. Testing of web applications is becoming more challenging task with the tremendous growth, distributed nature, dynamic nature and heterogeneity of web applications. With the growing complexity and usage of web applications, there is a need of rigorous testing techniques for producing reliable applications. Model-based testing (MBT) is a promising paradigm for generating test cases from models of the system under test (SUT). Different techniques (based on model based testing) have been presented in the literature. The focus of this study is to present a survey of model based testing techniques with specific reference to web applications. Existing literature has been surveyed using a systematic literature review (SLR) approach. Applicability of MBT for web applications have been studied, comparison of existing approaches has been presented in the study, finally strengths and limitations of existing approaches have been highlighted.

show abstract

“…Thomas et al [150] do not provide an approach to model-based security testing. However, they point out the lack of benchmarks that may be used to test and evaluate existing model-based testing approaches.…”

Section: Approaches With Main Focus On Threat-based Security Testingmentioning

confidence: 99%

“…However, they point out the lack of benchmarks that may be used to test and evaluate existing model-based testing approaches. To this end, Thomas et al [150] present an approach to security mutation analysis which they apply on Magento, a fully-fledged open source e-commerce web application. In the approach, the authors create security mutants by injecting vulnerabilities in a systematic way.…”

Section: Approaches With Main Focus On Threat-based Security Testingmentioning

confidence: 99%

“…In particular, they consider the causes of vulnerabilities according to OWASP top 10 web application security risks [115], the application's business logic, as well as other consequences of vulnerabilities, such as STRIDE attacks [103]. In addition, using their benchmark, Thomas et al [150] evaluate the approach provided by Marback et al [93,94], and Xu [164].…”

Section: Approaches With Main Focus On Threat-based Security Testingmentioning

confidence: 99%

See 1 more Smart Citation

Approaches for the combined use of risk analysis and testing: a systematic literature review

Erdogan

Runde

et al. 2014

Int J Softw Tools Technol Transfer

View full text Add to dashboard Cite

The continuous increase of sophisticated cyber security risks exposed to the public, industry, and government through the web, mobile devices, social media, as well as targeted attacks via state-sponsored cyberespionage, clearly show the need for software security. Security testing is one of the most important practices to assure an acceptable level of security. However, security testers face the problem of determining the tests that are most likely to reveal severe security vulnerabilities. This is important in order to focus security testing on the most risky aspects of a system.In response to this challenge, the security testing community has proposed an approach to support security testing with security risk assessment (risk-driven security testing). In general, the purpose of risk-driven security testing is to focus the testing on the most severe security risks that the system under test is exposed to. However, current approaches carry out risk assessment at a high-level of abstraction (for example, business level) and then perform the testing accordingly. This is a disadvantage from a testing perspective because it leaves a gap between the risks and the test cases which are defined at a low-level of abstraction (for example, implementation level). This gap makes it difficult to identify exactly where in the system risks occur, and exactly how the risks should be tested. This also indicates that current approaches focus on risk-driven test planning at a high-level of abstraction for test management purposes, and do not necessarily focus on guiding the tester in designing test cases that have the ability to reveal vulnerabilities causing the most severe risks.This thesis proposes a model-based approach to risk-driven security testing, named CORAL, which is specifically developed to help security testers select and design test cases based on the available risk picture. The CORAL approach consists of seven steps supported by a risk analysis language. The risk analysis language is a modeling language based on UML interactions, and is formalized by an abstract syntax and a schematically defined natural-language semantics.As part of the development and evaluation process of the CORAL approach we carried out three industrial case studies. In the first two case studies, we investigated how risk assessment may be used to identify security test cases, as well as how security testing may be used to improve security risk analysis results. The experiences we obtained from these two industrial case studies helped us to, among other things, shape the CORAL approach. In the third case study we carried out the CORAL approach in an industrial setting in order to evaluate its applicability. The results indicate that CORAL supports security testers in producing risk models that are valid and directly testable. By directly testable risk models we mean risk models that can be reused and specified as test cases based on the interactions in the risk models. This, in turn, helps testers to select and design test cases according to t...

show abstract

Mutation Analysis of Magento for Evaluating Threat Model-Based Security Testing

Cited by 5 publications

References 20 publications

A Perception of the Practice of Software Security and Performance Verification

A Perception of the Practice of Software Security and Performance Verification

Model Based Testing for Web Applications: A Literature Survey Presented

Approaches for the combined use of risk analysis and testing: a systematic literature review

Contact Info

Product

Resources

About