Testing Security Requirements with Non-experts: Approaches and Empirical Investigations

Security testing has become a critical quality assurance technique to provide a sufficient degree of security. However, it is regarded to be too complex to be performed by system testers, who are non-experts in security. This paper provides two approaches to testing security requirements, one based on a Failure Modes, Vulnerabilities and Effect Analysis (FMVEA) and the other based on misuse cases, both suitable for testers who have domain knowledge but are not security experts. We perform a controlled experiment to empirically compare the two testing approaches based on the quality of the derived test cases. The results of the experiment show that the use of attack patterns in the misuse-case-based approach delivers test cases with a better alignment between requirements and security test cases as well as a higher amount of correct test cases.

[1]  Ludovic Piètre-Cambacédès,et al.  Cross-fertilization between safety and security engineering , 2013, Reliab. Eng. Syst. Saf..

[2]  Rudolf Ramler,et al.  The Role of Experience in Software Testing Practice , 2008, 2008 34th Euromicro Conference Software Engineering and Advanced Applications.

[3]  Michael Felderer,et al.  On the Role of Defect Taxonomy Types for Testing Requirements: Results of a Controlled Experiment , 2014, 2014 40th EUROMICRO Conference on Software Engineering and Advanced Applications.

[4]  Claes Wohlin,et al.  Using Students as Subjects—A Comparative Study of Students and Professionals in Lead-Time Impact Assessment , 2000, Empirical Software Engineering.

[5]  Jürgen Großmann,et al.  Combining Risk Analysis and Security Testing , 2014, ISoLA.

[6]  Vyacheslav S. Kharchenko,et al.  F(I)MEA-Technique of Web Services Analysis and Dependability Ensuring , 2006, RODIN Book.

[7]  Boris Beizer,et al.  Software Testing Techniques , 1983 .

[8]  Robert B. Grady,et al.  Practical Software Metrics for Project Management and Process Improvement , 1992 .

[9]  Michael Felderer,et al.  Mutual knowledge transfer between industry and academia to improve testing with defect taxonomies , 2015, Software Engineering & Management.

[10]  Gary McGraw,et al.  Software Security Testing , 2004, IEEE Secur. Priv..

[11]  Anca Deak,et al.  A Comparative Study of Testers' Motivation in Traditional and Agile Software Development , 2014, PROFES.

[12]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[13]  Ian F. Alexander,et al.  Misuse Cases: Use Cases with Hostile Intent , 2003, IEEE Softw..

[14]  Bernhard Peischl,et al.  Testing of Safety-Critical Systems - a Structural Approach to Test Case Design , 2011, SSS.

[15]  Ruth Breu,et al.  Security Testing: A Survey , 2016, Adv. Comput..

[16]  Derk-Jan de Grood TestGoal - result-driven testing , 2008 .

[17]  Franz Wotawa,et al.  GUI savvy end-to-end testing with smart monkeys , 2009, 2009 ICSE Workshop on Automation of Software Test.