Chapter One - Security Testing: A Survey

https://doi.org/10.1016/bs.adcom.2015.11.003

Abstract

Identifying vulnerabilities and ensuring security functionality by security testing is a widely applied measure to evaluate and improve the security of software. Due to the openness of modern software-based systems, applying appropriate security testing techniques is of growing importance and essential to perform effective and efficient security testing. Therefore, an overview of current security testing techniques is of high value both for researchers to evaluate and refine the techniques and for practitioners to apply and disseminate them. This chapter fulfills this need and provides an overview of recent security testing techniques. For this purpose, it first summarizes the required background of testing and security engineering. Then, basics and recent developments of security testing techniques applied during the secure software development life cycle, ie, model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing, are discussed. Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application.

Introduction

Modern IT systems based on concepts like cloud computing, location-based services, or social networking are permanently connected to other systems and handle sensitive data. These interconnected systems are subject to security attacks that may result in security incidents with high severity affecting the technical infrastructure or its environment. Exploited security vulnerabilities can cause drastic costs, eg, due to downtimes or the modification of data. A high proportion of all software security incidents is caused by attackers who exploit known vulnerabilities [1]. Security testing techniques, which identify vulnerabilities and ensure security functionality, are an important, effective, and widely applied measure to improve the security of software.

Software testing is concerned with the evaluation of software products and related artifacts to determine that they satisfy specified requirements, to demonstrate that they are fit for purpose, and to detect defects. Security testing verifies and validates software system requirements related to security properties like confidentiality, integrity, availability, authentication, authorization, and nonrepudiation. Sometimes security properties come as classical functional requirements, eg, “user accounts are disabled after three unsuccessful login attempts,” which approximates one part of an authorization property and is aligned with the software quality standard ISO/IEC 9126 [2], which defines security as a functional quality characteristic. However, it seems desirable that security testing directly targets the above security properties, as opposed to taking the detour of functional tests of security mechanisms. This view is supported by the ISO/IEC 25010 [3] standard, which revises ISO/IEC 9126 and introduces Security as a new quality characteristic that is no longer part of the characteristic functionality.
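To make the distinction above concrete, here is an added example (not from the chapter) in Python: a constructed toy login service that implements the lockout requirement, a functional test that checks the mechanism exactly as the requirement states it, and a property-oriented test that probes the underlying authorization property which the requirement only approximates. The case-insensitive username handling and the consecutive-failure counter are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3  # the requirement: disabled after three unsuccessful attempts


@dataclass
class Account:
    password: str          # plaintext only in this toy; real systems store a hash
    failures: int = 0      # consecutive failed attempts
    disabled: bool = False


class AuthService:
    """Toy login service (constructed for this example, not the chapter's)."""

    def __init__(self, users: dict[str, str]):
        # assumption: usernames are case-insensitive, so normalise at both ends
        self._accounts = {u.lower(): Account(p) for u, p in users.items()}

    def login(self, user: str, password: str) -> bool:
        acct = self._accounts.get(user.lower())
        if acct is None or acct.disabled:
            return False
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures = 0        # a success clears the consecutive counter
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.disabled = True
        return False


def functional_test_lockout(svc: AuthService) -> bool:
    """Functional test of the mechanism: three wrong passwords, after which
    even the correct password is refused."""
    for _ in range(MAX_FAILURES):
        svc.login("alice", "wrong")
    return svc.login("alice", "s3cret") is False


def property_test_authorization(svc: AuthService) -> bool:
    """Property-oriented checks the functional test does not make: fewer than
    three consecutive failures must not lock the account, and once disabled it
    must stay inaccessible however the username is spelled."""
    for _ in range(MAX_FAILURES - 1):
        svc.login("bob", "wrong")
    if not svc.login("bob", "hunter2"):      # two failures do not lock out
        return False
    for _ in range(MAX_FAILURES):
        svc.login("bob", "wrong")
    return not svc.login("bob", "hunter2") and not svc.login("BOB", "hunter2")
```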

Web application security vulnerabilities such as Cross-Site Scripting or SQL Injection, which can adequately be addressed by security testing techniques, are acknowledged problems [4], with thousands of vulnerabilities reported each year [5]. Furthermore, surveys such as the one published by the National Institute of Standards and Technology [6] show the high cost of insecure software due to inadequate testing, even at an economic level. Therefore, support for security testing, which is still often considered a “black art,” is essential to increase its effectiveness and efficiency in practice. This chapter intends to contribute to the growing need for information on security testing techniques by providing an overview of current security testing techniques. This is of high value both for researchers to evaluate and refine existing techniques and for practitioners to apply and disseminate them. In this chapter, security testing techniques (and the discussion of them) are classified according to their test basis within the secure software development life cycle into four different types: (1) model-based security testing is grounded on requirements and design models created during the analysis and design phase, (2) code-based testing and static analysis on source and byte code created during development, (3) penetration testing and dynamic analysis on running systems, either in a test or production environment, as well as (4) security regression testing performed during maintenance.

This chapter provides a comprehensive survey on security testing and is structured as follows. Section 2 provides an overview of the underlying concepts of software testing. Section 3 discusses the basic concepts of security engineering and the secure software development life cycle. Section 4 provides an overview of security testing and its integration in the secure software development life cycle. Section 5 discusses the security testing techniques model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing in detail. Section 6 discusses the application of security testing techniques to three-tiered business applications. Finally, Section 7 summarizes this chapter.

Section snippets

Software Testing

According to the classic definition in software engineering [7], software testing consists of the dynamic verification that a program provides expected behaviors on a finite set of test cases, a so-called test suite, suitably selected from the usually infinite execution domain. This dynamic notion of testing, so-called dynamic testing, evaluates software by observing its execution [8]. The executed system is called the system under test (SUT). More general notions of testing [9] consist of all life

Security Engineering

In this section, we cover basic concepts of security engineering as well as an overview of the secure software development life cycle.

Security Testing

In this section, we cover basic concepts of security testing and the integration of security testing in the secure software development life cycle.

Security Testing Techniques

This section discusses the security testing techniques model-based testing, code-based testing and static analysis, penetration testing and dynamic analysis as well as regression testing in detail. For each testing technique, basic concepts as well as current approaches are covered.

Application of Security Testing Techniques

In this section, we make a concrete proposal on how to apply the security testing techniques (and the tools implementing them) to a small case study: a business application using a three-tiered architecture. We focus on security testing techniques that detect the most common vulnerability types that were disclosed in the Common Vulnerabilities and Exposures (CVE) index [5] over the period of the last 15 years (see Fig. 6). This clearly shows that the vast majority of vulnerabilities, such as XSS,

Summary

In this chapter, we provided an overview of recent security testing techniques and their practical application in context of a three-tiered business application. For this purpose, we first summarized the required background on software testing and security engineering. Testing consists of static and dynamic life cycle activities concerned with evaluation of software products and related artifacts. It can be performed on the component, integration, and system level. With regard to accessibility

Acknowledgments

The work was supported in part by the research projects QE LaB—Living Models for Open Systems (FFG 822740) and MOBSTECO (FWF P 26194-N15).

References (145)

• P. Ammann et al., Introduction to Software Testing (2008)
• ISTQB, Standard glossary of terms used in software testing (2012)
• OWASP Foundation, OWASP Testing Guide v4, https://www.owasp.org/index.php/OWASP_Testing_Project (accessed March 11,...
• G. Tian-yang et al., Research on software security testing, World Acad. Sci. Eng. Technol. (2010)
• R. Bachmann et al., Developing secure software: a holistic approach to security testing, Datenschutz und Datensicherheit (DuD) (2014)
• Information technology—open systems interconnection—conformance testing methodology and framework (1994)
• M. Utting et al., Practical Model-Based Testing: A Tools Approach (2007)
• J. Zander et al., Model-Based Testing for Embedded Systems (2012)
• IEEE, IEEE standard glossary of software engineering terminology (1990)
• ISO/IEC/IEEE 29119 software testing (2013)
• IEEE standard for software and system test documentation (2008)
• I. Schieferdecker, Model-based testing, IEEE Softw. (2012)
• Committee on National Security Systems, National Information Assurance Glossary, Tech. Rep. (2010)
• B. Arkin et al., Software penetration testing, IEEE Secur. Priv. (2005)
• B. Potter et al., Software security testing, IEEE Secur. Priv. (2004)
• P. Herzog, The open source security testing methodology manual 3 (2010)
• M.S. Lund et al., Model-Driven Risk Analysis (2011)
• D. Verdon et al., Risk analysis in software design, IEEE Secur. Priv. (2004)
• M. Howard et al., The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (2006)
• OWASP, OpenSAMM, http://www.opensamm.org/ (accessed March 30,...
• B. Potter et al., Software security testing, IEEE Secur. Priv. (2004)
• H. Shahriar et al., Automatic testing of program security vulnerabilities
• H.H. Thompson, Why security testing is hard, IEEE Secur. Priv. (2003)
• OWASP Foundation, OWASP Code Review Guide v1.1, https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project...
• M. Utting et al., A taxonomy of model-based testing approaches, Softw. Test. Verif. Reliab. (2012)
• W. Grieskamp et al., Model-based quality assurance of protocol documentation: tools and methodology, Softw. Test. Verif. Reliab. (2011)
• A. Pretschner, Defect-based testing
• H. Zhu et al., Software unit test coverage and adequacy, ACM Comput. Surv. (1997)
• L.J. Morell, A theory of fault-based testing, IEEE Trans. Softw. Eng. (1990)
• A. Pretschner et al., A generic fault model for quality assurance
• M. Felderer et al., A classification for model-based security testing
• I. Schieferdecker et al., Model-based security testing
• M. Büchler et al., Semi-automatic security testing of web applications from a secure model
• T. Mouelhi et al., A model-based framework for security policy specification, deployment and testing
• P. Gerrard et al., Risk-Based e-Business Testing (2002)
• M. Felderer et al., A taxonomy of risk-based testing, Int. J. Softw. Tools Technol. Transf. (2014)
• M.-F. Wendland et al., A systematic approach to risk-based testing using risk-annotated requirements models
• J. Grossmann et al., Combining risk analysis and security testing
• J. Botella et al., Risk-based vulnerability testing using security test patterns

Michael Felderer is a senior researcher and project manager within the Quality Engineering research group at the Institute of Computer Science at the University of Innsbruck, Austria. He holds a Ph.D. and a habilitation in computer science. His research interests include software and security testing, empirical software and security engineering, model engineering, risk management, software processes, and industry-academia collaboration. Michael Felderer has coauthored more than 70 journal, conference, and workshop papers. He works in close cooperation with industry and also transfers his research results into practice as a consultant and speaker at industrial conferences.

Matthias Büchler is a Ph.D. student at the Technische Universität München. He holds a master's degree in computer science (Information Security) from the Swiss Federal Institute of Technology Zurich (ETHZ). His research interests include information security, security modeling, security engineering, security testing, domain-specific languages, and usage control.

Martin Johns is a research expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in German companies (including Infoseek Germany and TC Trustcenter). He holds a Diploma in Computer Science from the University of Hamburg and a Doctorate from the University of Passau.

Achim D. Brucker is a research expert (architect), security testing strategist, and project lead in the Security Enablement Team of SAP SE. He received his master's degree in computer science from the University of Freiburg, Germany, and his Ph.D. from ETH Zurich, Switzerland. He is responsible for the Security Testing Strategy at SAP. His research interests include information security, software engineering, security engineering, and formal methods. In particular, he is interested in tools and methods for modeling, building, and validating secure and reliable systems. He also participates in the OCL standardization process of the OMG.

Ruth Breu is head of the Institute of Computer Science at the University of Innsbruck, leading the research group Quality Engineering and the competence center QE LaB. She has longstanding experience in the areas of security engineering, requirements engineering, enterprise architecture management, and model engineering, with both an academic and an industrial background. Ruth is coauthor of three monographs and more than 150 scientific publications and serves the scientific community in a variety of functions (eg, Board Member of FWF, the Austrian Science Fund, and Member of the NIS Platform of the European Commission).

Alexander Pretschner holds the chair of Software Engineering at Technische Universität München. His research interests include software quality, testing, and information security. He holds master's degrees in computer science from RWTH Aachen and the University of Kansas and a Ph.D. degree from Technische Universität München. Prior appointments include a full professorship at Karlsruhe Institute of Technology, an adjunct associate professorship at Kaiserslautern University of Technology, a group manager's position at the Fraunhofer Institute of Experimental Software Engineering in Kaiserslautern, a senior scientist's position at ETH Zurich, and visiting professorships at the Universities of Rennes, Trento, and Innsbruck.