A Concept for Language-Oriented Security Testing

The ongoing trend toward heavy use of web-service-based applications, both in daily business and in everyday life, poses new challenges for security testing. Moreover, such applications mostly do not execute in a runtime environment of their own; instead they are deployed in a data center, run alongside many other applications, and serve different purposes for diverse user domains with diverging security requirements. Consequently, security testing must adapt so that it can meet the requirements of each application in its domain and address that application's specific security requirements. Security testing must also be feasible for both service providers and service consumers. In our paper we identify drawbacks of existing security testing approaches and give directions for meeting the emerging challenges facing future security testing approaches. We also introduce and describe the idea of language-oriented security testing, a novel testing approach that builds on domain-specific languages and domain knowledge to meet future requirements in security testing.
