Ontology-based Dynamic and Context-aware Security Assessment Automation for Critical Applications

Several assessment techniques and methodologies exist to analyze the security of an application dynamically. However, they are either focused on a particular product or mainly concerned with the assessment process rather than with confidence in the product's security. Most crucially, they tend to assess the security of a target application as a standalone artifact without assessing its host infrastructure. Such attempts can undervalue the overall security posture, since the infrastructure becomes crucial when it hosts a critical application. We present an ontology-based security model that aims to provide the necessary knowledge, including network settings, application configurations, testing techniques and tools, and security metrics, to evaluate the security aptitude of a critical application in the context of its hosting infrastructure. The objective is to integrate current good practices and standards in security testing and virtualization in order to furnish an on-demand, test-ready virtual target infrastructure on which to execute the critical application, and to initiate a context-aware and quantifiable security assessment process in an automated manner. Furthermore, we present a security assessment architecture to show how the ontology can be integrated into a standard process.
