Abstract
We present a method for risk-based security testing that takes a set of CAPEC attack patterns as input and produces a risk model which can be used for security test identification and prioritization. Since parts of the method can be automated, we believe that the method will speed up the process of constructing a risk model significantly. We also argue that the constructed risk model is suitable for security test identification and prioritization.
Acknowledgments
This work has been conducted as a part of EU project RASEN (316853) funded by the European Commission within the 7th Framework Program.
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Seehusen, F. (2015). Using CAPEC for Risk-Based Security Testing. In: Seehusen, F., Felderer, M., Großmann, J., Wendland, MF. (eds) Risk Assessment and Risk-Driven Testing. RISK 2015. Lecture Notes in Computer Science, vol 9488. Springer, Cham. https://doi.org/10.1007/978-3-319-26416-5_6
DOI: https://doi.org/10.1007/978-3-319-26416-5_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26415-8
Online ISBN: 978-3-319-26416-5
eBook Packages: Computer Science (R0)