Evaluation of the CORAL Approach for Risk-driven Security Testing based on an Industrial Case Study

Gencer Erdogan, Ketil Stølen, Jan Øyvind Aagedal

Abstract

The CORAL approach is a model-based method for security testing that employs risk assessment to help security testers select and design test cases based on the available risk picture. In this paper we present experiences from using CORAL in an industrial case. The results indicate that CORAL supports security testers in producing risk models that are valid and threat scenarios that are directly testable. This, in turn, helps testers select and design test cases according to the most severe security risks posed to the system under test.



Paper Citation


in Harvard Style

Erdogan, G., Stølen, K. and Aagedal, J. (2016). Evaluation of the CORAL Approach for Risk-driven Security Testing based on an Industrial Case Study. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 219-226. DOI: 10.5220/0005650902190226


in Bibtex Style

@conference{icissp16,
author={Gencer Erdogan and Ketil Stølen and Jan Øyvind Aagedal},
title={Evaluation of the CORAL Approach for Risk-driven Security Testing based on an Industrial Case Study},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2016},
pages={219-226},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005650902190226},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Evaluation of the CORAL Approach for Risk-driven Security Testing based on an Industrial Case Study
SN - 978-989-758-167-0
AU - Erdogan G.
AU - Stølen K.
AU - Aagedal J.
PY - 2016
SP - 219
EP - 226
DO - 10.5220/0005650902190226