Abstract

A systematic integration of risk analysis and security testing allows for optimizing the test process as well as the risk assessment itself. The result of the risk assessment, i.e. the identified vulnerabilities, threat scenarios and unwanted incidents, can be used to guide the test identification and may complement requirements engineering results with systematic information concerning the threats and vulnerabilities of a system and their probabilities and consequences. This information can be used to weight threat scenarios and thus help identify the ones that need to be treated and tested more carefully. On the other hand, risk-based testing approaches can help to optimize the risk assessment itself by gaining empirical knowledge on the existence of vulnerabilities, the applicability and consequences of threat scenarios and the quality of countermeasures. This paper outlines a tool-based approach for risk-based security testing that combines the notion of risk assessment with a pattern-based approach for automatic test generation relying on test directives and strategies, and shows how results from the testing are systematically fed back into the risk assessment.

The research leading to these results has also received funding from the European Union’s Seventh Framework Programme (FP7/2007-2013) under grant agreements no 316853 and no 318786.

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Großmann, J., Schneider, M., Viehmann, J., Wendland, MF. (2014). Combining Risk Analysis and Security Testing. In: Margaria, T., Steffen, B. (eds) Leveraging Applications of Formal Methods, Verification and Validation. Specialized Techniques and Applications. ISoLA 2014. Lecture Notes in Computer Science, vol 8803. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45231-8_23

  • DOI: https://doi.org/10.1007/978-3-662-45231-8_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-45230-1

  • Online ISBN: 978-3-662-45231-8

  • eBook Packages: Computer Science (R0)
