Risk-driven security testing using risk analysis with threat modeling approach

Cited by: 4
Authors
Palanivel, Maragathavalli [1 ]
Selvadurai, Kanmani [1 ]
Affiliations
[1] Pondicherry Engn Coll, Dept Informat Technol, Pondicherry, India
Source
SPRINGERPLUS | 2014 / Vol. 3
Keywords
Security testing; Risk analysis; System states; Risk-driven; Threat modeling; STRIDE; Test suite;
DOI
10.1186/2193-1801-3-754
Chinese Library Classification
O [Mathematical Sciences and Chemistry]; P [Astronomy and Earth Sciences]; Q [Biological Sciences]; N [General Natural Sciences];
Subject classification code
07; 0710; 09;
Abstract
Security testing is the process of determining the risks present in system states and protecting them from vulnerabilities. However, security testing does not give due importance to threat modeling and risk analysis at the same time, which affects the confidentiality and integrity of the system. Risk analysis includes the identification, evaluation and assessment of risks. Threat modeling is the approach of identifying the threats associated with the system. Risk-driven security testing uses risk analysis results in test case identification, selection and assessment to prioritize and optimize the testing process. The threat modeling approach STRIDE is generally used to identify both technical and non-technical threats present in the system. Thus, a security testing mechanism based on risk analysis results using the STRIDE approach has been proposed for identifying high-risk states. The risk metrics considered for testing include risk impact, risk possibility and risk threshold. The risk threshold value is directly proportional to risk impact and risk possibility. Risk-driven security testing results in a reduced test suite, which in turn reduces test case selection time. Risk analysis optimizes the test case selection and execution process. For experimentation, the system models LMS, ATM, OBS, OSS and MTRS are considered. The performance of the proposed system is analyzed using Test Suite Reduction Rate (TSRR) and FSM coverage. TSRR varies from 13.16 to 21.43%, whereas FSM coverage of up to 91.49% is achieved. The results show that the proposed method, combining risk analysis with threat modeling, identifies states with high risks to improve testing efficiency.
Pages: 1 / 14
Page count: 14
Related papers
50 items in total
  • [21] Risk-driven maintenance management
    McManus, SM
    Grushka, MJ
    CHEMICAL ENGINEERING, 2001, 108 (13) : 64 - 68
  • [22] Risk-Driven Vulnerability Testing: Results from eHealth Experiments Using Patterns and Model-Based Approach
    Vernotte, Alexandre
    Botea, Cornel
    Legeard, Bruno
    Molnar, Arthur
    Peureux, Fabien
    RISK ASSESSMENT AND RISK-DRIVEN TESTING, 2015, 9488 : 93 - 109
  • [23] Risk-driven architectural decomposition
    Heyman, Thomas
    Scandariato, Riccardo
    Joosen, Wouter
    2009 INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY, AND SECURITY (ARES), VOLS 1 AND 2, 2009, : 363 - 368
  • [24] Towards Risk-Driven Security Requirements Management in Agile Software Development
    Ionita, Dan
    van der Velden, Coco
    Ikkink, Henk-Jan Klein
    Neven, Eelko
    Daneva, Maya
    Kuipers, Michael
    INFORMATION SYSTEMS ENGINEERING IN RESPONSIBLE INFORMATION SYSTEMS, CAISE FORUM 2019, 2019, 350 : 133 - 144
  • [25] Risk-Driven Security Metrics Development for Software-Defined Networking
    Savola, Reijo M.
    Savolainen, Pekka
    ECSA 2018: PROCEEDINGS OF THE 12TH EUROPEAN CONFERENCE ON SOFTWARE ARCHITECTURE: COMPANION PROCEEDINGS, 2018,
  • [26] An information security risk-driven investment model for analysing human factors
    Alavi, Reza
    Islam, Shareeful
    Mouratidis, Haralambos
    INFORMATION AND COMPUTER SECURITY, 2016, 24 (02) : 205 - 227
  • [27] Insider Threat Modeling: An Adversarial Risk Analysis Approach
    Joshi, Chaitanya
    Aliaga, Jesus Rios
    Insua, David Rios
    IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, 2021, 16 : 1131 - 1142
  • [28] A Risk-driven Selection Approach for Transactional Web Service Composition
    Liu, Hai
    Zhang, Weimin
    Ren, Kaijun
    Liu, Cancan
    Zhang, Zhuxi
    2009 EIGHTH INTERNATIONAL CONFERENCE ON GRID AND COOPERATIVE COMPUTING, PROCEEDINGS, 2009, : 391 - +
  • [29] Toward Socially Meaningful Case Conceptualization: The Risk-Driven Approach
    Taylor, Rachel S.
    Colombo, Richard A.
    Wallace, Michele
    Heimann, Benjamin
    Benedickt, Ashton
    Moore, Allyson
    BEHAVIOR ANALYSIS IN PRACTICE, 2023, 16 (04) : 1022 - 1033