
    Model-Based Security Testing

    Security testing aims at validating software system requirements related to security properties such as confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Although security testing techniques have been available for many years, there have been few approaches that allow test cases to be specified at a higher level of abstraction, that guide test identification and specification, and that enable automated test generation. Model-based security testing (MBST) is a relatively new field dedicated to the systematic and efficient specification and documentation of security test objectives, security test cases and test suites, as well as to their automated or semi-automated generation. In particular, the combination of security modelling and test generation approaches is still a research challenge and of high interest for industrial applications. MBST includes, for example, security functional testing, model-based fuzzing, risk- and threat-oriented testing, and the use of security test patterns. This paper provides a survey of MBST techniques and the related models, as well as samples of new methods and tools under development in the European ITEA2 project DIAMONDS. Comment: In Proceedings MBT 2012, arXiv:1202.582
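As an added example of what model-based generation of security test cases looks like in practice (this is not code from the paper or from the DIAMONDS project): a constructed finite-state model of a login and privilege-elevation flow, a generator that produces one positive test per modelled transition and one negative test for every event the model forbids in a given state, and two constructed systems under test, one that follows the model and one with a missing authorisation check that only the negative tests expose. The model, the event names and both SUT classes are assumptions made for illustration.

```python
"""Added example: deriving security test cases from a behavioural model.
The model, events and SUT classes below are constructed for illustration;
they are not the paper's or the DIAMONDS project's artefacts."""
from collections import deque

# Constructed model: state -> {event: next_state}.  Any (state, event) pair
# not listed is a transition the system under test must refuse.
MODEL = {
    "anonymous": {"login_ok": "authenticated", "login_fail": "anonymous"},
    "authenticated": {"view_account": "authenticated",
                      "logout": "anonymous",
                      "elevate_ok": "admin"},
    "admin": {"delete_user": "admin", "logout": "anonymous"},
}
INITIAL = "anonymous"
EVENTS = sorted({e for trans in MODEL.values() for e in trans})


def shortest_prefixes(initial=INITIAL, model=MODEL):
    """BFS: shortest event sequence that reaches every state of the model."""
    prefixes = {initial: []}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        for event, nxt in model[state].items():
            if nxt not in prefixes:
                prefixes[nxt] = prefixes[state] + [event]
                queue.append(nxt)
    return prefixes


def positive_tests(initial=INITIAL, model=MODEL):
    """One test per modelled transition: reach the source state, fire the event."""
    prefix = shortest_prefixes(initial, model)
    return [{"steps": prefix[s] + [ev], "expect": nxt, "rejected": False}
            for s, trans in model.items() for ev, nxt in trans.items()]


def negative_tests(initial=INITIAL, model=MODEL, events=EVENTS):
    """For each state, every event the model forbids there must be refused
    and must leave the state unchanged (authorisation-bypass checks)."""
    prefix = shortest_prefixes(initial, model)
    return [{"steps": prefix[s] + [ev], "expect": s, "rejected": True}
            for s in model for ev in events if ev not in model[s]]


def run(sut, test):
    """Execute a generated test against a SUT exposing reset() and
    fire(event) -> (accepted, state); the verdict is taken on the last event."""
    sut.reset()
    accepted, state = True, INITIAL
    for event in test["steps"]:
        accepted, state = sut.fire(event)
    if test["rejected"]:
        return (not accepted) and state == test["expect"]
    return accepted and state == test["expect"]


def failures(sut, tests):
    """Return the generated tests the SUT does not pass."""
    return [t for t in tests if not run(sut, t)]


class ReferenceSUT:
    """Constructed SUT that implements the model exactly."""
    def reset(self):
        self.state = INITIAL

    def fire(self, event):
        nxt = MODEL[self.state].get(event)
        if nxt is None:
            return False, self.state
        self.state = nxt
        return True, self.state


class BuggySUT(ReferenceSUT):
    """Constructed SUT whose delete_user handler lacks the admin check."""
    def fire(self, event):
        if event == "delete_user" and self.state == "authenticated":
            return True, self.state          # accepted without elevation
        return super().fire(event)


if __name__ == "__main__":
    suite = positive_tests() + negative_tests()
    print(len(suite), "tests generated")
    for t in failures(BuggySUT(), suite):
        print("FAIL:", " -> ".join(t["steps"]))
```

The positive tests alone pass against the buggy SUT, since every modelled transition still behaves; only the negative test `login_ok -> delete_user` catches the missing check, which is why misuse cases derived from the model are the security-relevant half of the suite.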

    APPLICATION SECURITY TESTING

    This report describes the work done during an internship at VOID software to complete the Master's degree in Cybersecurity and Digital Forensics. Two main projects were implemented: the first was the development of a new Graphical User Interface (GUI) for the Wazuh system and the modification of its architecture to replace the components that belong to the Elastic stack; the second was the deployment of Wazuh at the VOID headquarters to monitor some of the servers used for projects under development. The main goals were to learn about the Wazuh system, to develop a GUI for it, and to set up and use Wazuh to monitor hosts belonging to the organisation. By the end of the internship the GUI had been developed and the Wazuh deployment was running within the VOID organisation.

    Security Testing: A Survey

    Identifying vulnerabilities and verifying security functionality through security testing is a widely applied measure to evaluate and improve the security of software. Because modern software-based systems are open, choosing appropriate security testing techniques is of growing importance and essential for effective and efficient security testing. An overview of current security testing techniques is therefore of high value both for researchers, to evaluate and refine the techniques, and for practitioners, to apply and disseminate them. This chapter fulfils that need and provides an overview of recent security testing techniques. It first summarises the required background in testing and security engineering. It then discusses the basics and recent developments of the security testing techniques applied during the secure software development lifecycle: model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, and security regression testing. Finally, the techniques are illustrated by applying them to an example three-tiered web-based business application.

    Tietoturvatestaaminen jatkuvan integraation prosesseissa (Security testing in continuous integration processes)

    Modern software development processes, in which changes can be deployed to production multiple times a day, present a challenge from the software security point of view. In this work we explore the possibility of using existing software security testing methods and tools in continuous integration to achieve a basic level of continuous security testing. We review existing security testing methods and tools to determine their applicability to continuous security testing. In four case studies we made selected security testing tools part of the continuous integration systems and development processes of real-life software development projects. We found that continuous security testing is feasible using current security testing methods and tools. Multiple different, complementary approaches to implementing it are available, depending on the effort and security expertise at hand. Dependency verification is in most cases the best starting point for implementing continuous security testing; good dependency verification tools, which require minimal effort and security testing expertise from the user, are available for most major programming languages.

    Modern software development processes, in which changes can be taken to production several times a day, are challenging from the standpoint of assuring the security of the developed software. In this work we study how existing security testing methods and tools could be used in continuous integration systems to achieve a basic level of continuous security testing. We review existing security testing methods and tools to determine their suitability for continuous security testing. We also test adding selected security testing tools to the continuous integration systems and development processes of four software development projects. We find that continuous security testing of some areas is possible with existing security testing methods and tools. Many different, complementary approaches are available, each requiring a different amount of effort and security expertise. Based on our observations, in most cases the best way to begin continuous security testing is verification of the dependencies of the software under development. Security testing tools for this purpose are readily available for different programming languages, and adopting them requires very little effort and security expertise.
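The dependency-verification gate that the thesis recommends as the usual starting point, shown as an added example rather than the thesis's own tooling: a CI-style check that parses a constructed requirements.txt-style lockfile, rejects unpinned or hash-less entries, and matches each pinned version against a constructed advisory list in the OSV-style introduced/fixed shape. Package names, versions, hashes and the CONSTRUCTED-* advisory identifiers are invented for illustration; a real pipeline would read the project's lockfile and a live vulnerability feed, and would use a full version parser instead of the numeric-only one here.

```python
"""Added example: a minimal dependency-verification gate for a CI step.
Lockfile contents and advisories below are constructed for illustration."""
import re

# Constructed lockfile in requirements.txt style (names and hashes invented).
LOCKFILE = """\
# pinned, hashed, and affected by a constructed advisory
examplelib==1.4.2 --hash=sha256:0f1e2d3c4b5a6978
# pinned, hashed, version is past the fix
webtoolkit==2.0.9 --hash=sha256:9a8b7c6d5e4f3021
# not pinned to an exact version: resolution can drift between builds
yamlthing>=5.1
# pinned but without an integrity hash
jsonparse==3.2.0
"""

# Constructed advisories: [introduced, fixed) half-open version ranges.
ADVISORIES = [
    {"id": "CONSTRUCTED-0001", "package": "examplelib",
     "introduced": "1.2.0", "fixed": "1.4.3"},
    {"id": "CONSTRUCTED-0002", "package": "webtoolkit",
     "introduced": "0", "fixed": "2.0.0"},
]

LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)"
    r"(?P<op>==|>=|<=|~=|>|<)?"
    r"(?P<ver>[0-9][0-9A-Za-z.]*)?"
    r"(?P<rest>.*)$"
)


def parse_version(text):
    """Numeric dotted versions only; a real gate should use a PEP 440 parser."""
    return tuple(int(part) for part in text.split("."))


def parse_lockfile(text):
    """Return one dict per requirement: name, operator, version, hashes."""
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable requirement: {line!r}")
        deps.append({
            "name": match["name"].lower(),
            "op": match["op"],
            "version": match["ver"],
            "hashes": re.findall(r"--hash=(\S+)", match["rest"]),
        })
    return deps


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means unfixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def verify(deps, advisories):
    """Return (package, reason) findings; an empty list means the gate passes."""
    findings = []
    for dep in deps:
        if dep["op"] != "==":
            findings.append((dep["name"], "not pinned to an exact version"))
            continue
        if not dep["hashes"]:
            findings.append((dep["name"], "no --hash: artefact integrity unverified"))
        for adv in advisories:
            if adv["package"] == dep["name"] and in_range(
                    dep["version"], adv["introduced"], adv["fixed"]):
                findings.append((dep["name"],
                                 f"{dep['version']} affected by {adv['id']} "
                                 f"(fixed in {adv['fixed']})"))
    return findings


def gate(text=LOCKFILE, advisories=ADVISORIES):
    """(ok, findings); a CI job would exit non-zero when ok is False."""
    findings = verify(parse_lockfile(text), advisories)
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = gate()
    for package, reason in findings:
        print(f"{package}: {reason}")
    raise SystemExit(0 if ok else 1)
```

The three checks are deliberately independent: an exact pin stops silent upgrades, the hash ties the pin to a specific artefact (so a repository compromise cannot substitute one), and the advisory match catches pins that are exact and hashed but known-bad. Dropping any one of them leaves a gap the other two do not cover.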

    Automation vulnerability disclosure using concolic testing and machine learning

    Security testing is an important stage of the software development life cycle, but it requires considerable time from highly skilled security experts. The aim of this article is to describe techniques for reducing the number of false positives and false negatives in an automated vulnerability discovery process. The paper presents an approach to software vulnerability discovery that combines concolic testing with machine learning: the machine learning models are used to reduce the number of execution paths explored during concolic testing, so that the approach can be used to automate security testing. Security test cases and execution traces from previous versions of the software and from similar software are used as the training dataset for the models. This scheme is intended to serve as the basis of an automated security testing system.

    Analysis of Different Software Security Testing Techniques, Benefits, Challenges and Life Cycle

    Security testing is the software testing discipline that checks that a developed system or application is free from known security weaknesses and resists attack. Once an application has been developed and its functions and components have been tested, it is equally important to test its privacy and security properties: an insufficiently secure system can be attacked, and its sensitive data and information exploited in the attacker's favour. This paper discusses the variety of security testing approaches. Security testing has several requirements, such as testing integrity, confidentiality, authorisation and availability; because the security elements of a system depend on the security features implemented in it, the testing process differs from system to system. The various techniques and approaches can be organised using a security taxonomy. The paper discusses the elements of security testing, its methodologies, and the pros and cons of security testing.

    Analysis of Security Vulnerabilities in Web Applications using Threat Modeling

    Software security issues have been a major concern to the cyberspace community; therefore a great deal of research on security testing has been performed and various security testing techniques have been developed. Creating a secure system requires a security process that is integrated into the application development cycle, and part of that process is building a threat profile for the application. The present project explains this process through a case study that analyses a web application using threat modeling. The resulting analysis can feed a security testing approach that derives test cases from design-level artifacts.