Software Security Testing via Misuse Case Modeling
Software security testing is an important technique for discovering software vulnerabilities that violate security requirements. Existing security testing methods, however, seldom generate security tests directly from security requirements specifications. To address this issue, this paper presents an approach for constructing security test models from the artifacts of misuse case modeling (i.e., use/misuse cases and mitigation use cases), which is a popular method for security requirements specification in the software development process. The security test models can then be used to automatically generate security tests, which consist of test inputs (normal behaviors from use cases and attack actions from misuse cases) and test oracles from mitigation use cases. We have applied the approach to two case studies. One case study demonstrates that the proposed approach can build security test models in a structured fashion such that the generated security tests are as effective as reported in the literature. The second case study applies the proposed approach to an ongoing software development project. The security tests have revealed at least 24 vulnerabilities, and are very helpful for the development team to improve the security of the software implementation. This demonstrates that the proposed approach is effective in the software development process.
Khamaisech, Samer and Xu, Dianxiang. (2017). "Software Security Testing via Misuse Case Modeling". 2017 IEEE 15th International Conference on Dependable, Autonomic and Secure Computing, 2017 IEEE 15th International Conference on Pervasive Intelligence and Computing, 2017 IEEE 3rd International Conference on Big Data Intelligence and Computing, 2017 IEEE Cyber Science and Technology Congress: DASC-PICom-DataCom-CyberSciTec 2017, 534-541. http://dx.doi.org/10.1109/DASC-PICom-DataCom-CyberSciTec.2017.98