Limits...
Risk-driven security testing using risk analysis with threat modeling approach.

Palanivel M, Selvadurai K - Springerplus (2014)

Bottom Line: Threat modeling approach is identifying threats associated with the system.Risk-driven security testing results in reduced test suite which in turn reduces test case selection time.The results show that the proposed method combining risk analysis with threat modeling identifies states with high risks to improve the testing efficiency.

View Article: PubMed Central - PubMed

Affiliation: Department of Information Technology, Pondicherry Engineering College, Puducherry, India.

ABSTRACT
Security testing is a process of determining risks present in the system states and protects them from vulnerabilities. But security testing does not provide due importance to threat modeling and risk analysis simultaneously that affects confidentiality and integrity of the system. Risk analysis includes identification, evaluation and assessment of risks. Threat modeling approach is identifying threats associated with the system. Risk-driven security testing uses risk analysis results in test case identification, selection and assessment to prioritize and optimize the testing process. Threat modeling approach, STRIDE is generally used to identify both technical and non-technical threats present in the system. Thus, a security testing mechanism based on risk analysis results using STRIDE approach has been proposed for identifying highly risk states. Risk metrics considered for testing includes risk impact, risk possibility and risk threshold. Risk threshold value is directly proportional to risk impact and risk possibility. Risk-driven security testing results in reduced test suite which in turn reduces test case selection time. Risk analysis optimizes the test case selection and execution process. For experimentation, the system models namely LMS, ATM, OBS, OSS and MTRS are considered. The performance of proposed system is analyzed using Test Suite Reduction Rate (TSRR) and FSM coverage. TSRR varies from 13.16 to 21.43% whereas FSM coverage is achieved up to 91.49%. The results show that the proposed method combining risk analysis with threat modeling identifies states with high risks to improve the testing efficiency.

No MeSH data available.


Overall system design.
© Copyright Policy - open-access
Related In: Results  -  Collection

License
getmorefigures.php?uid=PMC4320241&req=5

Fig3: Overall system design.

Mentions: Risk Analysis is carried out for each state based on threats and their risk values. The risks associated with various threats are identified using risk parameters like Risk possibility, Risk threshold and Risk impact. Based on Risk Analysis results, the more vulnerable test cases are identified. The overall system design is shown in FigureĀ 3.


Risk-driven security testing using risk analysis with threat modeling approach.

Palanivel M, Selvadurai K - Springerplus (2014)

Overall system design.
© Copyright Policy - open-access
Related In: Results  -  Collection

License
Show All Figures
getmorefigures.php?uid=PMC4320241&req=5

Fig3: Overall system design.
Mentions: Risk Analysis is carried out for each state based on threats and their risk values. The risks associated with various threats are identified using risk parameters like Risk possibility, Risk threshold and Risk impact. Based on Risk Analysis results, the more vulnerable test cases are identified. The overall system design is shown in FigureĀ 3.

Bottom Line: Threat modeling approach is identifying threats associated with the system.Risk-driven security testing results in reduced test suite which in turn reduces test case selection time.The results show that the proposed method combining risk analysis with threat modeling identifies states with high risks to improve the testing efficiency.

View Article: PubMed Central - PubMed

Affiliation: Department of Information Technology, Pondicherry Engineering College, Puducherry, India.

ABSTRACT
Security testing is a process of determining risks present in the system states and protects them from vulnerabilities. But security testing does not provide due importance to threat modeling and risk analysis simultaneously that affects confidentiality and integrity of the system. Risk analysis includes identification, evaluation and assessment of risks. Threat modeling approach is identifying threats associated with the system. Risk-driven security testing uses risk analysis results in test case identification, selection and assessment to prioritize and optimize the testing process. Threat modeling approach, STRIDE is generally used to identify both technical and non-technical threats present in the system. Thus, a security testing mechanism based on risk analysis results using STRIDE approach has been proposed for identifying highly risk states. Risk metrics considered for testing includes risk impact, risk possibility and risk threshold. Risk threshold value is directly proportional to risk impact and risk possibility. Risk-driven security testing results in reduced test suite which in turn reduces test case selection time. Risk analysis optimizes the test case selection and execution process. For experimentation, the system models namely LMS, ATM, OBS, OSS and MTRS are considered. The performance of proposed system is analyzed using Test Suite Reduction Rate (TSRR) and FSM coverage. TSRR varies from 13.16 to 21.43% whereas FSM coverage is achieved up to 91.49%. The results show that the proposed method combining risk analysis with threat modeling identifies states with high risks to improve the testing efficiency.

No MeSH data available.