期刊文献+
共找到10篇文章
< 1 >
每页显示 20 50 100
A Framework for Systematic Classification of Assets for Security Testing 被引量:2
1
作者 Sadeeq Jan Omer Bin Tauqeer +5 位作者 Fazal Qudus Khan George Tsaramirsis Awais Ahmad Iftikhar Ahmad Imran Maqsood Niamat Ullah 《Computers, Materials & Continua》 SCIE EI 2021年第1期631-645,共15页
Over the last decade,a significant increase has been observed in the use of web-based Information systems that process sensitive information,e.g.,personal,financial,medical.With this increased use,the security of such... Over the last decade,a significant increase has been observed in the use of web-based Information systems that process sensitive information,e.g.,personal,financial,medical.With this increased use,the security of such systems became a crucial aspect to ensure safety,integrity and authenticity of the data.To achieve the objectives of data safety,security testing is performed.However,with growth and diversity of information systems,it is challenging to apply security testing for each and every system.Therefore,it is important to classify the assets based on their required level of security using an appropriate technique.In this paper,we propose an asset security classification technique to classify the System Under Test(SUT)based on various factors such as system exposure,data criticality and security requirements.We perform an extensive evaluation of our technique on a sample of 451 information systems.Further,we use security testing on a sample extracted from the resulting prioritized systems to investigate the presence of vulnerabilities.Our technique achieved promising results of successfully assigning security levels to various assets in the tested environments and also found several vulnerabilities in them. 展开更多
关键词 security security testing PRIVACY asset classification
下载PDF
Comparison of SETAM with Security Use Case and Security Misuse Case:A Software Security Testing Study
2
作者 HUI Zhanwei HUANG Song 《Wuhan University Journal of Natural Sciences》 CAS 2012年第6期516-520,共5页
A software security testing behavior model,SETAM,was proposed in our previous work as the integrated model for describing software security testing requirements behavior,which is not only compatible with security func... A software security testing behavior model,SETAM,was proposed in our previous work as the integrated model for describing software security testing requirements behavior,which is not only compatible with security functions and latent typical misuse behaviors,but also with the interaction of them.In this paper,we analyze the differences between SETAM with security use case and security misuse case in different types of security test requirements.To illustrate the effectiveness of SETAM,we compare them in a practical case study by the number of test cases and the number of faults detected by them.The results show that SETAM could decrease about 34.87% use cases on average,and the number of faults detected by SETAM increased by 71.67% in average,which means that our model can detect more faults with fewer test cases for software security testing. 展开更多
关键词 security testing security use case security misuse case software security testing behavior model security testing requirement
原文传递
Cloud Platform Based Automated Security Testing System for Mobile Internet
3
作者 Dan Tao Zhaowen Lin Cheng Lu 《Tsinghua Science and Technology》 SCIE EI CAS CSCD 2015年第6期537-544,共8页
With respect to security, the use of various terminals in the mobile Internet environment is problematic.Traditional terminal testing methods cannot simulate actual testing environments; thus, the test results do not ... With respect to security, the use of various terminals in the mobile Internet environment is problematic.Traditional terminal testing methods cannot simulate actual testing environments; thus, the test results do not accurately reflect the security of terminals. To address this problem, we designed and developed a cloud platform based automated testing system for the mobile Internet. In this system, virtualization and automation technology are utilized to integrate mobile terminals into the cloud platform as a resource, to achieve a novel cloud service called Testing as a Service(Taa S). The system consists of three functional modules: web front-end module, testing environment module, and automated testing module. We adopted the permeable automated testing tool Metasploit to perform security testing. In our test experiments, we selected 100 apps with diverse vulnerability levels, ranging from secure to vulnerable, to perform a series of functional tests. The experimental results show that this system can correctly test both the number of vulnerable apps and their corresponding vulnerability levels. As such, the designed system can flexibly configure various testing environments for different testing cases or projects, and thereby perform security testing automatically. 展开更多
关键词 automated security testing cloud platform virtuali
原文传递
Hybrid Security Assessment Methodology for Web Applications 被引量:1
4
作者 Roddy A.Correa Juan Ramon Bermejo Higuera +3 位作者 Javier Bermejo Higuera Juan Antonio SiciliaMontalvo Manuel Sanchez Rubio A.Alberto Magrenan 《Computer Modeling in Engineering & Sciences》 SCIE EI 2021年第1期89-124,共36页
This study presents a methodology to evaluate and prevent security vulnerabilities issues for web applications.The analysis process is based on the use of techniques and tools that allow to perform security assessment... This study presents a methodology to evaluate and prevent security vulnerabilities issues for web applications.The analysis process is based on the use of techniques and tools that allow to perform security assessments of white box and black box,to carry out the security validation of a web application in an agile and precise way.The objective of the methodology is to take advantage of the synergies of semi-automatic static and dynamic security analysis tools and manual checks.Each one of the phases contemplated in the methodology is supported by security analysis tools of different degrees of coverage,so that the results generated in one phase are used as feed for the following phases in order to get an optimized global security analysis result.The methodology can be used as part of other more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle(SSDLC).A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics.Dynamic analysis with manual checking is used to audit the results,24.6 per cent of security vulnerabilities reported by the static analysis has been checked and it allows to study which vulnerabilities can be directly exploited externally.This phase is very important because it permits that each reported vulnerability can be checked by a dynamic second tool to confirm whether a vulnerability is true or false positive and it allows to study which vulnerabilities can be directly exploited externally.Dynamic analysis finds six(6)additional critical vulnerabilities.Access control analysis finds other five(5)important vulnerabilities such as Insufficient Protected Passwords or Weak Password Policy and Excessive Authentication Attacks,two vulnerabilities that permit brute force attacks. 展开更多
关键词 Web applications security vulnerability WEAKNESS security analysis white box black box interactive application security testing static application security testing dynamic application security testing
下载PDF
Combinatorial Method with Static Analysis for Source Code Security in Web Applications
5
作者 Juan Ramon Bermejo Higuera Javier Bermejo Higuera +3 位作者 Juan Antonio Sicilia Montalvo Tomas Sureda Riera Christopher I.Argyros A.Alberto Magrenan 《Computer Modeling in Engineering & Sciences》 SCIE EI 2021年第11期541-565,共25页
Security weaknesses in web applications deployed in cloud architectures can seriously affect its data confidentiality and integrity.The construction of the procedure utilized in the static analysis tools of source cod... Security weaknesses in web applications deployed in cloud architectures can seriously affect its data confidentiality and integrity.The construction of the procedure utilized in the static analysis tools of source code security differs and therefore each tool finds a different number of each weakness type for which it is designed.To utilize the possible synergies different static analysis tools may process,this work uses a new method to combine several source codes aiming to investigate how to increase the performance of security weakness detection while reducing the number of false positives.Specifically,five static analysis tools will be combined with the designed method to study their behavior using an updated benchmark for OWASP Top Ten Security Weaknesses(OWASP TTSW).The method selects specific metrics to rank the tools for different criticality levels of web applications considering different weights in the ratios.The findings show that simply including more tools in a combination is not synonymous with better results;it depends on the specific tools included in the combination due to their different designs and techniques. 展开更多
关键词 WEAKNESS BENCHMARK security testing analysis comparative methodology tools combination web application
下载PDF
SMINER:Detecting Unrestricted and Misimplemented Behaviors of Software Systems Based on Unit Test Cases
6
作者 Kyungmin Sim Jeong Hyun Yi Haehyun Cho 《Computers, Materials & Continua》 SCIE EI 2023年第5期3257-3274,共18页
Despite the advances in automated vulnerability detection approaches,security vulnerabilities caused by design flaws in software systems are continuously appearing in real-world systems.Such security design flaws can ... Despite the advances in automated vulnerability detection approaches,security vulnerabilities caused by design flaws in software systems are continuously appearing in real-world systems.Such security design flaws can bring unrestricted and misimplemented behaviors of a system and can lead to fatal vulnerabilities such as remote code execution or sensitive data leakage.Therefore,it is an essential task to discover unrestricted and misimplemented behaviors of a system.However,it is a daunting task for security experts to discover such vulnerabilities in advance because it is timeconsuming and error-prone to analyze the whole code in detail.Also,most of the existing vulnerability detection approaches still focus on detecting memory corruption bugs because these bugs are the dominant root cause of software vulnerabilities.This paper proposes SMINER,a novel approach that discovers vulnerabilities caused by unrestricted and misimplemented behaviors.SMINER first collects unit test cases for the target system from the official repository.Next,preprocess the collected code fragments.SMINER uses pre-processed data to show the security policies that can occur on the target system and creates a test case for security policy testing.To demonstrate the effectiveness of SMINER,this paper evaluates SMINER against Robot Operating System(ROS),a real-world system used for intelligent robots in Amazon and controlling satellites in National Aeronautics and Space Administration(NASA).From the evaluation,we discovered two real-world vulnerabilities in ROS. 展开更多
关键词 security vulnerability test case generation security policy test robot operating system vulnerability assessment
下载PDF
Worst-Input Mutation Approach to Web Services Vulnerability Testing Based on SOAP Messages 被引量:2
7
作者 Jinfu Chen Huanhuan Wang +3 位作者 Dave Towey Chengying Mao Rubing Huang Yongzhao Zhan 《Tsinghua Science and Technology》 SCIE EI CAS 2014年第5期429-441,共13页
The growing popularity and application of Web services have led to increased attention regarding the vulnerability of software based on these services. Vulnerability testing examines the trustworthiness and reduces th... The growing popularity and application of Web services have led to increased attention regarding the vulnerability of software based on these services. Vulnerability testing examines the trustworthiness and reduces the security risks of software systems. This paper proposes a worst-input mutation approach for testing Web service vulnerability based on Simple Object Access Protocol (SOAP) messages. Based on characteristics of SOAP messages, the proposed approach uses the farthest neighbor concept to guide generation of the test suite. The corresponding automatic test case generation algorithm, namely, the Test Case generation based on the Farthest Neighbor (TCFN), is also presented. The method involves partitioning the input domain into sub-domains according to the number and type of SOAP message parameters in the TCFN, selecting the candidate test case whose distance is the farthest from all executed test cases, and applying it to test the Web service. We also implement and describe a prototype Web service vulnerability testing tool. The tool was applied to the testing of Web services on the Internet. The experimental results show that the proposed approach can find more vulnerability faults than other related approaches. 展开更多
关键词 security testing Web service vulnerability SOAP message test case generation mutation operator
原文传递
Sifu-a cybersecurity awareness platform with challenge assessment and intelligent coach
8
作者 Tiago Espinha Gasiba Ulrike Lechner Maria Pinto-Albuquerque 《Cybersecurity》 CSCD 2020年第1期333-355,共23页
Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the soft... Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the software is deployed in critical infrastructures.Therefore,several industrial standards mandate secure coding guidelines and industrial software developers’training,as software quality is a significant contributor to secure software.CyberSecurity Challenges(CSC)form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry.These cybersecurity awareness events have been used with success in industrial environments.However,until now,these coached events took place on-site.In the present work,we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online.The introduced cybersecurity awareness platform,which the authors call Sifu,performs automatic assessment of challenges in compliance to secure coding guidelines,and uses an artificial intelligence method to provide players with solution-guiding hints.Furthermore,due to its characteristics,the Sifu platform allows for remote(online)learning,in times of social distancing.The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events.We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers awareness on secure coding. 展开更多
关键词 CYBERsecurity AWARENESS Training Artificial intelligence Serious games Secure coding Static application security testing Capture-the-flag Software development in industry
原文传递
Sifu-a cybersecurity awareness platform with challenge assessment and intelligent coach
9
作者 Tiago Espinha Gasiba Ulrike Lechner Maria Pinto-Albuquerque 《Cybersecurity》 2018年第1期945-967,共23页
Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the soft... Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the software is deployed in critical infrastructures.Therefore,several industrial standards mandate secure coding guidelines and industrial software developers’training,as software quality is a significant contributor to secure software.CyberSecurity Challenges(CSC)form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry.These cybersecurity awareness events have been used with success in industrial environments.However,until now,these coached events took place on-site.In the present work,we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online.The introduced cybersecurity awareness platform,which the authors call Sifu,performs automatic assessment of challenges in compliance to secure coding guidelines,and uses an artificial intelligence method to provide players with solution-guiding hints.Furthermore,due to its characteristics,the Sifu platform allows for remote(online)learning,in times of social distancing.The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events.We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers awareness on secure coding. 展开更多
关键词 CYBERsecurity AWARENESS Training Artificial intelligence Serious games Secure coding Static application security testing Capture-the-flag Software development in industry
原文传递
High-Order Bit Independence Criterion Test for the S-boxes
10
作者 GAO Sheng MA Wenping ZHU Jiwei 《Wuhan University Journal of Natural Sciences》 CAS 2011年第5期447-451,共5页
A new security test for the substitution boxes (S-boxes) high-order bit independence criterion (HOBIC) test, is presented. Different from the previous security tests for S-boxes, the HOBIC test can be used to meas... A new security test for the substitution boxes (S-boxes) high-order bit independence criterion (HOBIC) test, is presented. Different from the previous security tests for S-boxes, the HOBIC test can be used to measure the strength of an S-box against attacks that keep some of its input bits constant. Test results over the S-boxes of Data Encryption Standard (DES) and Advanced Encryption Standard (AES) are given and some possible applications of the HOBIC test are analyzed. Meanwhile, the source code for a basic version of the HOBIC test is also provided, the implement process of which shows that it is very fast and efficient for practical applications . 展开更多
关键词 CRYPTOGRAPHY Boolean functions S-boxes highorder bit independence criterion (HOBIC) security test
原文传递
上一页 1 下一页 到第
使用帮助 返回顶部