
Risk-Driven Vulnerability Testing: Results from eHealth Experiments Using Patterns and Model-Based Approach

Conference paper, in: Risk Assessment and Risk-Driven Testing (RISK 2015)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 9488)


Abstract

This paper introduces and reports on an original tool-supported, risk-driven security testing process called Pattern-driven and Model-based Vulnerability Testing. This fully automated process, which draws on risk-driven strategies and Model-Based Testing (MBT) techniques, aims to improve the detection of various Web application vulnerabilities, in particular SQL injections, Cross-Site Scripting, and Cross-Site Request Forgery. It is based on a mixed modeling of the system under test: an MBT model captures the behavioral aspects of the Web application, while formalized vulnerability test patterns, selected from risk assessment results, drive the overall test generation process. An empirical evaluation, conducted on a complex and freely accessible eHealth system developed by Info World, shows that this novel process is appropriate for automatically generating and executing risk-driven vulnerability test cases and shows promise for deployment on large-scale Web applications.

Notes

  1. http://www.infoworld.ro/en_index.html
  2. http://www.medipedia.ro/
  3. http://www.rasenproject.eu/

Acknowledgement

This work is supported by the European FP7 project RASEN, which aims to provide risk-driven security testing techniques for large-scale networked systems.

Author information

Corresponding author: Alexandre Vernotte.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Vernotte, A., Botea, C., Legeard, B., Molnar, A., Peureux, F. (2015). Risk-Driven Vulnerability Testing: Results from eHealth Experiments Using Patterns and Model-Based Approach. In: Seehusen, F., Felderer, M., Großmann, J., Wendland, M.F. (eds.) Risk Assessment and Risk-Driven Testing. RISK 2015. Lecture Notes in Computer Science, vol. 9488. Springer, Cham. https://doi.org/10.1007/978-3-319-26416-5_7

  • DOI: https://doi.org/10.1007/978-3-319-26416-5_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26415-8

  • Online ISBN: 978-3-319-26416-5
