• No results found

Empirical study on risk analysis in security testing

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "Empirical study on risk analysis in security testing"

Copied!
5
0
0

Loading.... (view fulltext now)

Download now ( 5 Page )

Full text

(1)
(2)

Full Length Research Article

EMPIRICAL STUDY ON RISK ANALYSIS IN SECURITY TESTING

*Maragathavalli, P. and Dr. Kanmani, S.

Department of Information Technology, Pondicherry Engineering College, Puducherry

ARTICLE INFO ABSTRACT

Testing is the process of detecting errors present in a system with the given sample input. Risk is the vulnerability associated with the system and the type of testing which uncovers it is called security testing. Risk analysis is the process of determining the level of risk with the available information. Risk-based testing comprises of risk analysis, which is a part of model based testing and involves risk assessment. Risk analysis and security testing can be combined in two ways namely: Risk-driven Security Testing (RST) and Test-driven Security Risk (TSR) analysis. In RST, security testing is supported by risk analysis to make it more effective. The testing is focused on the most important parts of the system which is identified by the risk analysis results. In TSR, security testing develops or validates risk analysis. TSR focuses to strengthen the correctness of risk analysis models. The gap between high-level security risk analysis models and low-level security test cases can be easily addressed by both TSR and RST approaches.

Copyright © 2014 Maragathavalli et al.This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted

use, distribution, and reproduction in any medium, provided the original work is properly cited.

INTRODUCTION

Testing is the process of analyzing the result of a system for particular test data. Testing result may identify the errors present in system functionalities. But the risk associated with the system can also make a system defective and the type of testing which helps to identify the defects and minimize them is known as security testing. Risk is the possibility of attack to a system and the process of determining the vulnerabilities present is called Risk analysis. In order to make a system less vulnerable to the risks, security testing and risk analysis is combined into two approaches namely: Risk-Driven Security

Testing (RST) and Test-Driven Security Risk Analysis (TSR). RST is a part of Risk-based testing which uses risk analysis results for test case identification and selection for optimizing the test process (Ina Schieferdecker et al., 2011). It bridges the hierarchy between risk analysis and security testing since the essential risk factors might be missed if risk analysis remains at a high level (Jan Stijohann and Jorge Cuellar, 2013). TSR focuses mainly on risk analysis where testing process is carried out to validate risk models. Figure 1 shows the design of RST. RST is defined as Model-Based Security Testing

*Corresponding author: Maragathavalli, P.

Assistant Professor, Department of Information Technology, Pondicherry Engineering College, Puducherry

(MBST) that uses risk analysis within the security testing process (Yan, 212). MBST is a special form of Model- based testing (MBT) (Tim Miller and Paul Strooper, 2007) that focuses on the testing of security properties of a system (Jurgen Grobmann et al., 2013).

The first two steps deals with the identification of test objectives and model. It is followed by Risk assessment which identifies the risk associated with the system. The result from the risk assessment is used for test case generation and prioritization. It is again subjected to risk assessment and the significant test cases are executed. Figure 2 shows the design of TSR. In TSR, risk analysis is supported by security testing in order to develop or validate risk models. The first step is to find the target system for risk analysis. It is followed by test case generation and execution for the development of risk models by identifying potential risks which is subjected to risk assessment. The testing process is again repeated to validate risk models which are then subjected to risk treatment.

Literature Survey

Table 1 describes about the survey on risk analysis in security testing and its role in various Risk-Based Testing approaches.

ISSN:

2230-9926

International Journal of Development Research

Vol. 4, Issue, 9, pp. 1799-1801, September,2014

International Journal of

DEVELOPMENT RESEARCH

Article History:

Received 12th June, 2014

Received in revised form 07th July, 2014

Accepted 21st August, 2014

Published online 30th September, 2014

Key words:

Risk analysis, Risk-driven, Test-driven, Security testing, Risk-based testing

(3)

Table 1. Study on Risk-based Security Testing

S. no. Title Year Techniques Description of the Technique Metrics Systems/ Models used 1 Risk-driven

Security Testing versus Test-driven Security Risk Analysis

Feb 15, 2012 Risk-driven security testing and Test-driven security risk analysis

In RST security testing is supported by security risk assessment in order to make security testing more effective. The aim is to focus the security testing process to carry out security tests on the most important parts of the system under test, and to execute only the most important security test cases.

In TSR security risk analysis is supported by security testing in order to develop and/or validate risk models. The aim is to strengthen the correctness of the security risk analysis models. Confidentiality , Integrity, Availability and Accountability.

Industrial Case Study.

2 Baseline for Compositional Test-Based Security Risk Assessment

Jan 31, 2013 Table based risk assessment technique

This approach mainly focuses on verifying risk mitigations and providing a clear traceability between risk-related requirements and the test cases.

The table consists of a description of the risk related requirement, the risk, the risk level, the risk mitigation and identifiers for the test cases that have the objective to verify the risk mitigation. Risk identification, Risk Analysis, Risk Evaluation and Risk Treatment Common Vulnerability Scoring system

3 Baseline for Compositional Risk-Based Security Testing

Jan 31, 2013 Risk-based vulnerability testing

The objectives of this paper are: • To use techniques addressing both risk-based test identification and test prioritization to drive the overall testing generation process. For this purpose, CORAS capabilities are extended to allow the guidance of security test generation techniques on the basis of risk assessment results. • To drive model-based testing generation using risk assessment results in order to generate vulnerability test purposes and test cases. This novel approach is called risk-based vulnerability testing (RBVT).

• To drive behavioural fuzzing testing approaches using models annotated by security information coming from risk assessment results. This novel approach is called risk-based fuzzing.

• To define a dedicated methodology for security testing metrics and to elaborate a dashboard for presenting the security testing results based on risk assessment. Severity, Testability, Uncertainty, reusability Scalable network system

4 Risk-based Statistical Testing: A Refinement based Approach to the Reliability Analysis of

Safety-Critical Systems

May 2009 Model-based statistical testing, Markov chain test models

In this paper, a method is presented that allows to automatically generate test cases for risk-based testing of safety critical systems and it utilizes Model-based Statistical Testing which uses Markov chain test models to describe the stimulation and usage profile of the system under test (SUT). Our goal is the generation of test cases that trigger a certain critical situation. These test cases are called critical test

Cases.

Safety Integrity Level (SIL)

Critical systems like fire alarm, railway control system

5 Effort-dependent technologies for multi-domain risk-based security testing

Sept 27, 2010 Light weight risk and security testing

The system model is used to generate traces or test cases for

implementation, according to a test case specification. It is a selection criterion on the set of the traces of the model. The risk analysis, which is conducted on the basis of the system model, is used to define the appropriate test case specifications.

Proof-of-Performance, Proof-of-Concept, Proof-of-Existence

Security Audit of Supplier services, Maintaining security in virtual organization.

[image:3.595.51.554.78.788.2]
(4)
[image:4.595.80.258.54.284.2]

Figure 1. Risk-Driven Security Testing (RST)

Figure 2. Test-Driven Security Risk Analysis (TSR) Security Testing

Security Risk Assessment

Security Risk Assessment

Security Risk Analysis Security Testing

Security Testing

1801 International Journal of Development Research,

Driven Security Testing (RST)

Driven Security Risk Analysis (TSR)

Conclusion

Risk analysis and security testing led to two approaches namely Test-driven security risk analysis and Risk security testing where risk analysis is used to improve testing results and vice versa. It also addresses the problem of gap between high-level security risk analysis models and low security test cases. From the above survey a clear idea about RST and TSR and their areas of application are obtained. In future, a quantitative analysis on risks present in system can be made with parameters namely risk possibility, risk threshold, risk impact, severity and complexity and the technical and non-technical threats can also be considered to improve testing results effectively.

REFERENCES

Ina Schieferdecker, Jurgen Grobmann, Axel Rennoch Fraunhofer: “Model Based Security Testing Selected Considerations”, Berlin, 2011, PP. 1

Jan Stijohann and Jorge Cuellar: “Towards a Systematic Identification of Security Tests Based on Security Risk Analysis” , Siemens AG, Germany

Jurgen Grobmann, Toblas Mahler, Fredrik Seehusen, Bjonar Solhaug: “Baseline Methodologies for Legal, Compositional and Continuous Risk Assessment and Security Testing”, RASEN Baseline,

Tim Miller and Paul Strooper: “A case study in model testing of specifications and implementations”

testing, Verification and reliability Published online in Wiley Inter Science, 2007, PP. 1

Yan Li: “Conceptual Framework for Security Testing, Security Risk Analysis and their Combinations

Testing and Validation, 2012, PP. 1 Security Risk Assessment

Security Risk Assessment

Security Testing

Security Testing

*******

International Journal of Development Research, Vol. 4, Issue, 9, pp. 1799-1801, September

isk analysis and security testing led to two approaches driven security risk analysis and Risk-driven security testing where risk analysis is used to improve testing results and vice versa. It also addresses the problem of gap l security risk analysis models and low-level From the above survey a clear idea about RST and TSR and their areas of application are obtained. In future, a quantitative analysis on risks present in system can be namely risk possibility, risk threshold, risk impact, severity and complexity and the technical and technical threats can also be considered to improve testing

Ina Schieferdecker, Jurgen Grobmann, Axel Rennoch Fraunhofer: “Model Based Security Testing Selected

, 2011, PP. 1-19.

Jan Stijohann and Jorge Cuellar: “Towards a Systematic Identification of Security Tests Based on Security Risk

Siemens AG, Germany, 2013, PP. 1-6.

gen Grobmann, Toblas Mahler, Fredrik Seehusen, Bjonar Solhaug: “Baseline Methodologies for Legal, Compositional and Continuous Risk Assessment and

RASEN Baseline, 2013, PP. 1-41.

Tim Miller and Paul Strooper: “A case study in model-based fications and implementations”, Software

testing, Verification and reliability Published online in

2007, PP. 1-40.

Conceptual Framework for Security Testing, Security Risk Analysis and their Combinations”, System

2012, PP. 1-5.

(5)

Figure

Table based risk
Figure 1. Risk-Driven Security Testing (RST)Driven Security Testing (RST)

References

Download now ( PDF - 5 Page - 5.46 MB )

Related documents

Supporting Student Veterans Utilizing Participatory Curriculum Development

An organizational level program utilizing Participatory Curriculum Development (PCD) (Taylor, 2003) is presented to assist postsecondary institutions with development,

Alternative developmental toxicity models for assessing the in vivo embryotoxicity of azoles

The addition of even simple toxicokinetics, derived from the BeWo model, for evaluating the relative placental transfer rate of the tested chemicals, improved

Your wait for high-speed Internet ends here. Get HughesNet Satellite Internet

The table below compares the estimated time of typical Internet downloads using HughesNet service plans versus a 56K dial-up connection (speed based on typical response times)..

Guide to Controlled Foreign Company Regimes

The CFC regime does not apply if the Hungarian taxpayer is ultimately controlled by non-Hungarian tax residents and the majority of the foreign company’s income does not derive

Influence of Taxation Knowledge and Socialization of Imlementation PP. 46 Year 2013 on Tax Compliance for Certain WPOP Small and Medium Business (UMKM) Owner (Case Study in KPP Pratama Cengkareng, West Jakarta)

This study uses a type of causal research, the purpose is to test the hypothesis of the influence of each variable independent with dependent based on qualitative research,

How New York Drinks: If and How Third-Party Providers can Integrate with the Three-Tier System

licensee relationship violated the ABC Law where “[the] method of operation allows an unlicensed advertiser to exercise a high degree of control over the business operations of

Associations Between Body Composition and Movements During Gait in Women.

on the study of the acceleration of the body is considered to be valid and reliable for predicting the risk of falling or for discriminating between population groups with

Rapid sequestration of rock avalanche deposits within glaciers

We have shown here, using the January 2013 rock avalanche onto the Grand Plateau beneath Aoraki/Mt Cook, that GPR can be used to measure the deposit burial depth and thickness,