Testing Security Policies for Web Applications

Due to the increasing complexity of Web systems, security testing is becoming a critical activity for guaranteeing that such systems comply with their security requirements. To address this issue, we rely in this paper on model-based active testing. We first specify the Web system behavior using the IF formalism. Second, we integrate security rules, modeled in the Nomad language, within this IF model using specific algorithms. Then, we perform automatic test generation using a dedicated tool, called HJ2If, developed in our laboratory. Finally, we briefly present a travel agency system as an ongoing case study to demonstrate the reliability of our framework.
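As an added illustration (not code from the paper, not the HJ2If tool, and not Nomad syntax), the following script shows the kind of check an active tester performs once security rules with deadlines are attached to a system model: each rule is evaluated against an execution trace of the system under test and yields a pass, fail, or inconclusive verdict. The rule representation (prohibition, obligation triggered by an action with a deadline), the travel-agency actions, and the trace events are all constructed assumptions; the "inconclusive" verdict covers the case where the trace ends before an obligation's deadline has expired, which a test harness must report separately from a real violation.

```python
"""Toy checker for timed security rules over a Web-system execution trace.

Added example: the rule semantics are a simplified, hypothetical stand-in for
permission/prohibition/obligation-with-deadline rules; they do not reproduce
Nomad syntax or semantics. Actions and trace events are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    time: int    # logical timestamp (seconds) at which the action completed
    actor: str   # role performing the action (constructed roles)
    action: str  # action name (constructed travel-agency actions)


@dataclass(frozen=True)
class Rule:
    kind: str                        # "prohibition" or "obligation"
    actor: str                       # role the rule constrains
    action: str                      # action that is forbidden / required
    trigger: Optional[str] = None    # obligation only: action starting the deadline
    deadline: Optional[int] = None   # obligation only: seconds allowed after trigger


def verdict(rule: Rule, trace: List[Event]) -> Tuple[str, List[str]]:
    """Evaluate one rule against a trace.

    Returns ("pass" | "fail" | "inconclusive", details).  A trace that ends
    before an obligation's deadline expires is inconclusive, not a failure.
    """
    end_time = max((e.time for e in trace), default=0)
    fails: List[str] = []
    pending: List[str] = []

    if rule.kind == "prohibition":
        for ev in trace:
            if ev.actor == rule.actor and ev.action == rule.action:
                fails.append(f"t={ev.time}: prohibited action {ev.actor}.{ev.action}")
    elif rule.kind == "obligation":
        if rule.trigger is None or rule.deadline is None:
            raise ValueError("obligation rules need a trigger and a deadline")
        for trig in (e for e in trace if e.action == rule.trigger):
            limit = trig.time + rule.deadline
            fulfilled = any(
                e.actor == rule.actor and e.action == rule.action
                and trig.time <= e.time <= limit
                for e in trace
            )
            if fulfilled:
                continue
            if end_time < limit:
                pending.append(f"t={trig.time}: {rule.action} still due until t={limit}")
            else:
                fails.append(f"t={trig.time}: {rule.actor}.{rule.action} missed deadline t={limit}")
    else:
        raise ValueError(f"unknown rule kind: {rule.kind}")

    if fails:
        return "fail", fails + pending
    if pending:
        return "inconclusive", pending
    return "pass", []


# Constructed rules for a hypothetical travel-agency system.
OBLIGATION_PAY = Rule("obligation", "customer", "pay", trigger="book_trip", deadline=300)
PROHIBIT_VALIDATE = Rule("prohibition", "customer", "validate_payment")
PROHIBIT_REFUND = Rule("prohibition", "customer", "refund")

# Constructed execution trace of the system under test.
TRACE = [
    Event(0, "customer", "book_trip"),
    Event(120, "customer", "pay"),               # on time (within 300 s)
    Event(400, "customer", "book_trip"),
    Event(900, "customer", "pay"),               # 500 s later: deadline missed
    Event(950, "customer", "validate_payment"),  # role-prohibited action
    Event(1000, "customer", "book_trip"),        # trace ends before deadline
]


if __name__ == "__main__":
    for rule in (OBLIGATION_PAY, PROHIBIT_VALIDATE, PROHIBIT_REFUND):
        result, details = verdict(rule, TRACE)
        print(rule.kind, rule.actor, rule.action, "->", result)
        for line in details:
            print("   ", line)
```

Distinguishing "inconclusive" from "fail" matters in practice: a test campaign that stops observing the system while an obligation is still within its deadline has not found a violation, and counting it as one inflates the failure rate of the security rules under test.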
