论文信息 - Assessing the Usefulness of Testing for Validating and Correcting Security Risk Models Based on Two Industrial Case Studies

Assessing the Usefulness of Testing for Validating and Correcting Security Risk Models Based on Two Industrial Case Studies

The authors present the results of an evaluation in which the objective was to assess how useful testing is for validating and correcting security risk models. The evaluation is based on two industrial case studies. In the first case study the authors analyzed a multilingual financial Web application, while in the second case study they analyzed a mobile financial application. In both case studies, the testing yielded new information which was not found in the risk assessment phase. In particular, in the first case study, new vulnerabilities were found which resulted in an update of the likelihood values of threat scenarios and risks in the risk model. New vulnerabilities were also identified and added to the risk model in the second case study. These updates led to more accurate risk models, which indicate that the testing was indeed useful for validating and correcting the risk models.

Ketil Stølen | Gencer Erdogan | Fredrik Seehusen | Jan Øyvind Aagedal | Jon Hofstad

[1] Yu Qi,et al. Source code-based software risk assessing , 2005, SAC '05.

[2] Austen Rainer,et al. Case Study Research in Software Engineering - Guidelines and Examples , 2012 .

[3] K. Barraclough. Eclipse , 2006, BMJ : British Medical Journal.

[4] Fredrik Seehusen. A Technique for Risk-Based Test Procedure Identification, Prioritization and Selection , 2014, ISoLA.

[5] Yan Li,et al. Approaches for the combined use of risk analysis and testing: a systematic literature review , 2014, International Journal on Software Tools for Technology Transfer.

[6] Jürgen Großmann,et al. Combining Risk Analysis and Security Testing , 2014, ISoLA.

[7] Ketil Stølen,et al. Model-Driven Risk Analysis - The CORAS Approach , 2010 .

[8] Anne Marsden,et al. International Organization for Standardization , 2014 .

[9] Norman F. Schneidewind. RISK-DRIVEN SOFTWARE TESTING AND RELIABILITY , 2007 .

[10] Ina Schieferdecker,et al. A taxonomy of risk-based testing , 2014, International Journal on Software Tools for Technology Transfer.

[11] Jürgen Großmann,et al. A Trace Management Platform for Risk-Based Security Testing , 2013, RISK@ICTSS.

[12] Ketil Stølen,et al. The CORAS Tool , 2011 .