Risk-Driven Vulnerability Testing: Results from eHealth Experiments Using Patterns and Model-Based Approach

This paper introduces and reports on an original tooled risk-driven security testing process called Pattern-driven and Model-based Vulnerability Testing. This fully automated testing process, drawing on risk-driven strategies and Model-Based Testing MBT techniques, aims to improve the capability of detection of various Web application vulnerabilities, in particular SQL injections, Cross-Site Scripting, and Cross-Site Request Forgery. It is based on a mixed modeling of the system under test: an MBT model captures the behavioral aspects of the Web application, while formalized vulnerability test patterns, selected from risk assessment results, drive the overall test generation process. An empirical evaluation, conducted on a complex and freely-accessible eHealth system developed by Info World, shows that this novel process is appropriate for automatically generating and executing risk-driven vulnerability test cases and is promising to be deployed for large-scale Web applications.