Abstract
Business applications are more and more collaborative (cross-domains, cross-devices, service composition). Security shall focus on the overall application scenario including the interplay between its entities/devices/services, not only on the isolated systems within it. In this paper we propose the Security Threat Identification And TEsting (STIATE) toolkit to support development teams toward security assessment of their under-development applications focusing on subtle security logic flaws that may go undetected by using current industrial technology. At design-time, STIATE supports the development teams toward threat modeling and analysis by identifying automatically potential threats (via model checking and mutation techniques) on top of sequence diagrams enriched with security annotations (including WHAT-IF conditions). At run-time, STIATE supports the development teams toward testing by exploiting the identified threats to automatically generate and execute test cases on the up and running application. We demonstrate the usage of the STIATE toolkit on an application scenario employing the SAML Single Sign-On multi-party protocol, a well-known industrial security standard largely studied in previous literature.
Original language | English |
---|---|
Title of host publication | IEEE 8th International Conference on Software Testing, Verification and Validation |
Publisher | IEEE |
Pages | 1-8 |
ISBN (Electronic) | 978-1-4799-7125-1 |
DOIs | |
Publication status | Published - 7 May 2015 |
Event | ICST 2015: 8th International Conference on Software Testing, Verification and Validation - Graz, Australia Duration: 13 Apr 2015 → 17 Apr 2015 Conference number: 8 |
Conference
Conference | ICST 2015: 8th International Conference on Software Testing, Verification and Validation |
---|---|
Abbreviated title | ICST 2015 |
Country/Territory | Australia |
City | Graz |
Period | 13/04/15 → 17/04/15 |
Keywords
- Security Threat
- Security Testing