Gencer Erdogan scite author profile

Gencer Erdogan

4Publications

65Citation Statements Received

357Citation Statements Given

How they've been cited

How they cite others

147

351

Affiliations

SINTEF, University of Oslo, Norwegian University of Science and Technology

Publications

Order By: Most citations

Approaches for the combined use of risk analysis and testing: a systematic literature review

Erdogan

Runde

et al. 2014

Int J Softw Tools Technol Transfer

View full text Add to dashboard Cite

The continuous increase of sophisticated cyber security risks exposed to the public, industry, and government through the web, mobile devices, social media, as well as targeted attacks via state-sponsored cyberespionage, clearly show the need for software security. Security testing is one of the most important practices to assure an acceptable level of security. However, security testers face the problem of determining the tests that are most likely to reveal severe security vulnerabilities. This is important in order to focus security testing on the most risky aspects of a system.In response to this challenge, the security testing community has proposed an approach to support security testing with security risk assessment (risk-driven security testing). In general, the purpose of risk-driven security testing is to focus the testing on the most severe security risks that the system under test is exposed to. However, current approaches carry out risk assessment at a high-level of abstraction (for example, business level) and then perform the testing accordingly. This is a disadvantage from a testing perspective because it leaves a gap between the risks and the test cases which are defined at a low-level of abstraction (for example, implementation level). This gap makes it difficult to identify exactly where in the system risks occur, and exactly how the risks should be tested. This also indicates that current approaches focus on risk-driven test planning at a high-level of abstraction for test management purposes, and do not necessarily focus on guiding the tester in designing test cases that have the ability to reveal vulnerabilities causing the most severe risks.This thesis proposes a model-based approach to risk-driven security testing, named CORAL, which is specifically developed to help security testers select and design test cases based on the available risk picture. The CORAL approach consists of seven steps supported by a risk analysis language. The risk analysis language is a modeling language based on UML interactions, and is formalized by an abstract syntax and a schematically defined natural-language semantics.As part of the development and evaluation process of the CORAL approach we carried out three industrial case studies. In the first two case studies, we investigated how risk assessment may be used to identify security test cases, as well as how security testing may be used to improve security risk analysis results. The experiences we obtained from these two industrial case studies helped us to, among other things, shape the CORAL approach. In the third case study we carried out the CORAL approach in an industrial setting in order to evaluate its applicability. The results indicate that CORAL supports security testers in producing risk models that are valid and directly testable. By directly testable risk models we mean risk models that can be reused and specified as test cases based on the interactions in the risk models. This, in turn, helps testers to select and design test cases according to t...

show abstract

Advances in Deployment and Orchestration Approaches for IoT - A Systematic Review

Nguyen¹,

Ferry²,

Erdogan³

et al. 2019

View full text Add to dashboard Cite

Security Testing in Agile Web Application Development - A Case Study Using the EAST Methodology

Erdogan

Meland

Mathieson

2010

View full text Add to dashboard Cite

A Systematic Mapping Study on Cyber Security Indicator Data

et al. 2021

View full text Add to dashboard Cite

A security indicator is a sign that shows us what something is like or how a situation is changing and can aid us in making informed estimations on cyber risks. There are many different breeds of security indicators, but, unfortunately, they are not always easy to apply due to a lack of available or credible sources of data. This paper undertakes a systematic mapping study on the academic literature related to cyber security indicator data. We identified 117 primary studies from the past five years as relevant to answer our research questions. They were classified according to a set of categories related to research type, domain, data openness, usage, source, type and content. Our results show a linear growth of publications per year, where most indicators are based on free or internal technical data that are domain independent. While these indicators can give valuable information about the contemporary cyber risk, the increasing usage of unconventional data sources and threat intelligence feeds of more strategic and tactical nature represent a more forward-looking trend. In addition, there is a need to take methods and techniques developed by the research community from the conceptual plane and make them practical enough for real-world application.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Gencer Erdogan

Approaches for the combined use of risk analysis and testing: a systematic literature review

Advances in Deployment and Orchestration Approaches for IoT - A Systematic Review

Security Testing in Agile Web Application Development - A Case Study Using the EAST Methodology

A Systematic Mapping Study on Cyber Security Indicator Data

Contact Info

Product

Resources

About