
Using CAPEC for Risk-Based Security Testing

  • Conference paper
  • In: Risk Assessment and Risk-Driven Testing (RISK 2015)
  • Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 9488)


Abstract

We present a method for risk-based security testing that takes a set of CAPEC attack patterns as input and produces a risk model which can be used for security test identification and prioritization. Since parts of the method can be automated, we believe that the method will speed up the process of constructing a risk model significantly. We also argue that the constructed risk model is suitable for security test identification and prioritization.



Acknowledgments

This work has been conducted as a part of EU project RASEN (316853) funded by the European Commission within the 7th Framework Program.

Author information

Correspondence to Fredrik Seehusen.


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Seehusen, F. (2015). Using CAPEC for Risk-Based Security Testing. In: Seehusen, F., Felderer, M., Großmann, J., Wendland, M.F. (eds) Risk Assessment and Risk-Driven Testing. RISK 2015. Lecture Notes in Computer Science, vol 9488. Springer, Cham. https://doi.org/10.1007/978-3-319-26416-5_6

  • DOI: https://doi.org/10.1007/978-3-319-26416-5_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26415-8

  • Online ISBN: 978-3-319-26416-5
