An Evaluation of a Test-Driven Security Risk Analysis Approach Based on Two Industrial Case Studies

Risk-driven testing and test-driven risk assessment are two strongly related approaches, though the latter is less explored. This chapter presents an evaluation of a test-driven security risk assessment approach to assess how useful testing is for validating and correcting security risk models. Based on the guidelines for case study research, two industrial case studies were analyzed: a multilingual financial web application and a mobile financial application. In both case studies, the testing yielded new information that was not found in the risk assessment phase. In the first case study, new vulnerabilities were found that resulted in an update of the likelihood values of threat scenarios and risks in the risk model. New vulnerabilities were also identified and added to the risk model in the second case study. These updates led to more accurate risk models, which indicates that the testing was indeed useful for validating and correcting the risk models.
