Using CAPEC for Risk-Based Security Testing

  • Fredrik Seehusen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9488)


We present a method for risk-based security testing that takes a set of CAPEC attack patterns as input and produces a risk model which can be used for security test identification and prioritization. Since parts of the method can be automated, we believe that the method will speed up the process of constructing a risk model significantly. We also argue that the constructed risk model is suitable for security test identification and prioritization.


Keywords: Risk assessment, Testing, Security, Risk-based testing



This work has been conducted as a part of EU project RASEN (316853) funded by the European Commission within the 7th Framework Program.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Department for Networked Systems and Services, SINTEF ICT, Oslo, Norway