Model-based security testing relies on models to test whether a software system meets its security requirements. It is an active research field of high relevance for industrial applications, with many approaches and notable results published in recent years. This article provides a taxonomy for model-based security testing approaches. It comprises filter criteria (i.e. model of system security, security model of the environment and explicit test selection criteria) as well as evidence criteria (i.e. maturity of evaluated system, evidence measures and evidence level). The taxonomy is based on a comprehensive analysis of existing classification schemes for model-based testing and security testing. To demonstrate its adequacy, 119 publications on model-based security testing are systematically extracted from the five most relevant digital libraries by three researchers and classified according to the defined filter and evidence criteria. On the basis of the classified publications, the article provides an overview of the state of the art in model-based security testing and discusses promising research directions with regard to security properties, coverage criteria and the feasibility and return on investment of model-based security testing.

120 M. FELDERER ET AL.

9126 [4] defining security as a functional quality characteristic. However, it seems desirable that security testing directly targets the previous security properties, as opposed to taking the detour of functional tests of security mechanisms. This view is supported by the ISO/IEC 25010 [2] standard that revises ISO/IEC 9126 and introduces security as a new quality characteristic that is not included in the characteristic functionality any more.

Because the former kind of (non-functional) security properties describes all executions of a system, this kind of security testing is intrinsically hard.
Because testing cannot show the absence of faults, an immediately useful perspective directly considers the violation of these properties. This has resulted in the development of specific testing techniques such as penetration testing that simulates attacks to exploit vulnerabilities. Penetration tests are difficult to craft because tests often do not directly cause observable security exploits, and because the testers must think like an attacker [5], which requires specific expertise. During penetration testing, testers build a mental model of security properties, security mechanisms and possible attacks against the system and its environment. It seems intuitive that security testing can benefit from specifying these security test models in an explicit and processable way. Security test models provide guidance for the systematic and effective specification and documentation of security test objectives and security test cases, as well as for their automated generation and evaluation.

The variant of testing that relies on explicit models that encode information on the system under test and/or its environment is called model-based testing (MBT) [6,7]. Especially in ...