Limits...
Risk-driven security testing using risk analysis with threat modeling approach.

Palanivel M, Selvadurai K - Springerplus (2014)

Bottom Line: Threat modeling approach is identifying threats associated with the system.Risk-driven security testing results in reduced test suite which in turn reduces test case selection time.The results show that the proposed method combining risk analysis with threat modeling identifies states with high risks to improve the testing efficiency.

View Article: PubMed Central - PubMed

Affiliation: Department of Information Technology, Pondicherry Engineering College, Puducherry, India.

ABSTRACT
Security testing is a process of determining risks present in the system states and protects them from vulnerabilities. But security testing does not provide due importance to threat modeling and risk analysis simultaneously that affects confidentiality and integrity of the system. Risk analysis includes identification, evaluation and assessment of risks. Threat modeling approach is identifying threats associated with the system. Risk-driven security testing uses risk analysis results in test case identification, selection and assessment to prioritize and optimize the testing process. Threat modeling approach, STRIDE is generally used to identify both technical and non-technical threats present in the system. Thus, a security testing mechanism based on risk analysis results using STRIDE approach has been proposed for identifying highly risk states. Risk metrics considered for testing includes risk impact, risk possibility and risk threshold. Risk threshold value is directly proportional to risk impact and risk possibility. Risk-driven security testing results in reduced test suite which in turn reduces test case selection time. Risk analysis optimizes the test case selection and execution process. For experimentation, the system models namely LMS, ATM, OBS, OSS and MTRS are considered. The performance of proposed system is analyzed using Test Suite Reduction Rate (TSRR) and FSM coverage. TSRR varies from 13.16 to 21.43% whereas FSM coverage is achieved up to 91.49%. The results show that the proposed method combining risk analysis with threat modeling identifies states with high risks to improve the testing efficiency.

No MeSH data available.


EFSM for Online Shopping System (OSS).
© Copyright Policy - open-access
Related In: Results  -  Collection

License
getmorefigures.php?uid=PMC4320241&req=5

Fig11: EFSM for Online Shopping System (OSS).

Mentions: OSSThe EFSM representation of OSS consists of 8 states and 14 transitions shown in FigureĀ 11. OSS allows the user to buy electronics accessories, household accessories and other miscellaneous products over internet. A user needs to create an account to purchase products. The user may use the same account for future purchases. For every login, the user may purchase to a maximum of 3 products. The payment might be online payment or cash on delivery.


Risk-driven security testing using risk analysis with threat modeling approach.

Palanivel M, Selvadurai K - Springerplus (2014)

EFSM for Online Shopping System (OSS).
© Copyright Policy - open-access
Related In: Results  -  Collection

License
Show All Figures
getmorefigures.php?uid=PMC4320241&req=5

Fig11: EFSM for Online Shopping System (OSS).
Mentions: OSSThe EFSM representation of OSS consists of 8 states and 14 transitions shown in FigureĀ 11. OSS allows the user to buy electronics accessories, household accessories and other miscellaneous products over internet. A user needs to create an account to purchase products. The user may use the same account for future purchases. For every login, the user may purchase to a maximum of 3 products. The payment might be online payment or cash on delivery.

Bottom Line: Threat modeling approach is identifying threats associated with the system.Risk-driven security testing results in reduced test suite which in turn reduces test case selection time.The results show that the proposed method combining risk analysis with threat modeling identifies states with high risks to improve the testing efficiency.

View Article: PubMed Central - PubMed

Affiliation: Department of Information Technology, Pondicherry Engineering College, Puducherry, India.

ABSTRACT
Security testing is a process of determining risks present in the system states and protects them from vulnerabilities. But security testing does not provide due importance to threat modeling and risk analysis simultaneously that affects confidentiality and integrity of the system. Risk analysis includes identification, evaluation and assessment of risks. Threat modeling approach is identifying threats associated with the system. Risk-driven security testing uses risk analysis results in test case identification, selection and assessment to prioritize and optimize the testing process. Threat modeling approach, STRIDE is generally used to identify both technical and non-technical threats present in the system. Thus, a security testing mechanism based on risk analysis results using STRIDE approach has been proposed for identifying highly risk states. Risk metrics considered for testing includes risk impact, risk possibility and risk threshold. Risk threshold value is directly proportional to risk impact and risk possibility. Risk-driven security testing results in reduced test suite which in turn reduces test case selection time. Risk analysis optimizes the test case selection and execution process. For experimentation, the system models namely LMS, ATM, OBS, OSS and MTRS are considered. The performance of proposed system is analyzed using Test Suite Reduction Rate (TSRR) and FSM coverage. TSRR varies from 13.16 to 21.43% whereas FSM coverage is achieved up to 91.49%. The results show that the proposed method combining risk analysis with threat modeling identifies states with high risks to improve the testing efficiency.

No MeSH data available.