TESEM: A Tool for Verifying Security Design Pattern Applications by Model Testing

Because software developers are not necessarily security experts, identifying potential threats and vulnerabilities in the early stage of the development process (e.g., the requirement or design phase) is insufficient. Even if these issues are addressed at an early stage, this does not guarantee that the final software product actually satisfies its security requirements. To realize secure designs, we propose extended security patterns, which include requirement- and design-level patterns as well as a new model testing process. Our approach is implemented in a tool called TESEM (Test Driven Secure Modeling Tool), which supports pattern applications by creating a script to execute model testing automatically. During an early development stage, the developer specifies threats and vulnerabilities in the target system, and then TESEM verifies whether the security patterns are properly applied and assesses whether these vulnerabilities are resolved.
