Source code-based software risk assessing

Wong, W. Eric; Qi, Yu; Cooper, Kendra M. L.

doi:10.1145/1066677.1067014

Cited by 16 publications

(14 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A different kind of approach is provided by Hosseingholizadeh [64] and Wong et al [162], which are based on automatic source code analysis. The approach by Wong et al [162] is one of the few ones which focus on test-driven risk analysis. Risk of code is described as the likelihood that a given function or block within source code contains a fault.…”

Section: Approaches Based On Automatic Source Code Analysismentioning

confidence: 99%

“…The approach suggested by Hosseingholizadeh [64] is based on the approach provided by Wong et al [162], but focuses on risk-driven testing aiming at test prioritization and optimization. More structural observations are added to the analysis process in the approach suggested by Wong et al [162], such that, for example, errors in loop conditions result in a higher risk for the affected code block.…”

Section: Approaches Based On Automatic Source Code Analysismentioning

confidence: 99%

“…The approaches by both Hosseingholizadeh [64] and Wong et al [162] are supported by prototype tools for automating the source code analysis. Even though the approach suggested by Wong et al [162] has been tested on a real program, where the program faults were found to be located in the blocks and functions identified as high risk, the authors are careful to conclude with respect to the generalizability of the results.…”

Section: Approaches Based On Automatic Source Code Analysismentioning

confidence: 99%

See 2 more Smart Citations

Approaches for the combined use of risk analysis and testing: a systematic literature review

Erdogan

Runde

et al. 2014

Int J Softw Tools Technol Transfer

View full text Add to dashboard Cite

The continuous increase of sophisticated cyber security risks exposed to the public, industry, and government through the web, mobile devices, social media, as well as targeted attacks via state-sponsored cyberespionage, clearly show the need for software security. Security testing is one of the most important practices to assure an acceptable level of security. However, security testers face the problem of determining the tests that are most likely to reveal severe security vulnerabilities. This is important in order to focus security testing on the most risky aspects of a system.In response to this challenge, the security testing community has proposed an approach to support security testing with security risk assessment (risk-driven security testing). In general, the purpose of risk-driven security testing is to focus the testing on the most severe security risks that the system under test is exposed to. However, current approaches carry out risk assessment at a high-level of abstraction (for example, business level) and then perform the testing accordingly. This is a disadvantage from a testing perspective because it leaves a gap between the risks and the test cases which are defined at a low-level of abstraction (for example, implementation level). This gap makes it difficult to identify exactly where in the system risks occur, and exactly how the risks should be tested. This also indicates that current approaches focus on risk-driven test planning at a high-level of abstraction for test management purposes, and do not necessarily focus on guiding the tester in designing test cases that have the ability to reveal vulnerabilities causing the most severe risks.This thesis proposes a model-based approach to risk-driven security testing, named CORAL, which is specifically developed to help security testers select and design test cases based on the available risk picture. The CORAL approach consists of seven steps supported by a risk analysis language. The risk analysis language is a modeling language based on UML interactions, and is formalized by an abstract syntax and a schematically defined natural-language semantics.As part of the development and evaluation process of the CORAL approach we carried out three industrial case studies. In the first two case studies, we investigated how risk assessment may be used to identify security test cases, as well as how security testing may be used to improve security risk analysis results. The experiences we obtained from these two industrial case studies helped us to, among other things, shape the CORAL approach. In the third case study we carried out the CORAL approach in an industrial setting in order to evaluate its applicability. The results indicate that CORAL supports security testers in producing risk models that are valid and directly testable. By directly testable risk models we mean risk models that can be reused and specified as test cases based on the interactions in the risk models. This, in turn, helps testers to select and design test cases according to t...

show abstract

Section: Approaches Based On Automatic Source Code Analysismentioning

confidence: 99%

Section: Approaches Based On Automatic Source Code Analysismentioning

confidence: 99%

Section: Approaches Based On Automatic Source Code Analysismentioning

confidence: 99%

See 1 more Smart Citation

Approaches for the combined use of risk analysis and testing: a systematic literature review

Erdogan

Runde

et al. 2014

Int J Softw Tools Technol Transfer

View full text Add to dashboard Cite

show abstract

“…Dwaikat [2005] provides material on trust assessment, which can be used to help determine a more quantitative and automated risk model. Wong [2005] provides another mechanism based on code assessment for risk evaluation. Xu [2005] provides a threat based model.…”

Section: Future Workmentioning

confidence: 99%

Enabling the adoption of aspects - testing aspects

Kumar¹,

Sosale²,

Konuganti³

et al. 2009

Proceedings of the 8th ACM International Conference on Aspect-Oriented Software Development

View full text Add to dashboard Cite

Aspect oriented programming (AOP) has started to achieve industry adoption for custom programs and some adoption in frameworks such as the Spring framework. Aspect oriented programming provides many benefits -it can increase the scope of concerns that can be captured cleanly, it has explicit language support, and the separation provided by AOP provides an elegant mechanism for custom solutions.In this paper we present a model for AOP testing. This includes a model for risk assessment, an associated fault model and AOP testing patterns. We also propose further opportunities for research in the area for automated AOP risk assessment and testing.At ApTSi TM (Applied Technology Solutions, Inc.) we have been applying AOP in the creation of our SOASense TM framework, and in our consulting engagements. We are seeing adoption typically in classical AOP areas such as Logging, Error Handling, Audit events, etc. In these scenarios, having a reliable AOP implementation is critical. For example, having an Audit event not occur for a service call due to a faulty join-point definition can have severe legal implications. We need a solution that provides reliability, is repeatable and enables us to assess risk.

show abstract

“…For implementation phase, this is where the coding is developed to meet the user's requirements. For RAVT, we proposed to use the same model as presented [9], which computed the risk in every block of a software application. This model is a combination of static and dynamic risk model collected based on the source code.…”

Section: Figure 3: Ravt Structured Chartmentioning

confidence: 99%

A visualization tool for risk assessment in software development

Sanusi

Mustafa

2008

2008 International Symposium on Information Technology

View full text Add to dashboard Cite

Software risk management is the practice of assessing and controlling risks that affects the software projects, process or products. Those who practice risk management agreed that it is must be performed regularly throughout the lifecycle of a software system. But one of the main challenges in dealing with software risks is to provide a visual risk assessment tool. This paper intends to report on the visualization tool development based on a traditional software development process model -"Waterfall Model". This paper also shows the proposed framework and structured approach for this tool. The objective of this research is to construct a visualization tool for software risk assessment for all phases in software development processes.

show abstract

Source code-based software risk assessing

Cited by 16 publications

References 17 publications

Approaches for the combined use of risk analysis and testing: a systematic literature review

Approaches for the combined use of risk analysis and testing: a systematic literature review

Enabling the adoption of aspects - testing aspects

A visualization tool for risk assessment in software development

Contact Info

Product

Resources

About