Security Threat Identification and Testing

Roberto Carbone, Luca Compagna, A. Panichella, Serena Elisa Ponta

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

Abstract

Business applications are more and more collaborative (cross-domains, cross-devices, service composition). Security shall focus on the overall application scenario including the interplay between its entities/devices/services, not only on the isolated systems within it. In this paper we propose the Security Threat Identification And TEsting (STIATE) toolkit to support development teams toward security assessment of their under-development applications focusing on subtle security logic flaws that may go undetected by using current industrial technology. At design-time, STIATE supports the development teams toward threat modeling and analysis by identifying automatically potential threats (via model checking and mutation techniques) on top of sequence diagrams enriched with security annotations (including WHAT-IF conditions). At run-time, STIATE supports the development teams toward testing by exploiting the identified threats to automatically generate and execute test cases on the up and running application. We demonstrate the usage of the STIATE toolkit on an application scenario employing the SAML Single Sign-On multi-party protocol, a well-known industrial security standard largely studied in previous literature.
Original languageEnglish
Title of host publicationIEEE 8th International Conference on Software Testing, Verification and Validation
PublisherIEEE
Pages1-8
ISBN (Electronic)978-1-4799-7125-1
DOIs
Publication statusPublished - 7 May 2015
EventICST 2015: 8th International Conference on Software Testing, Verification and Validation - Graz, Australia
Duration: 13 Apr 201517 Apr 2015
Conference number: 8

Conference

ConferenceICST 2015: 8th International Conference on Software Testing, Verification and Validation
Abbreviated titleICST 2015
CountryAustralia
CityGraz
Period13/04/1517/04/15

Keywords

  • Security Threat
  • Security Testing

Fingerprint Dive into the research topics of 'Security Threat Identification and Testing'. Together they form a unique fingerprint.

Cite this