Risk-driven security testing using risk analysis with threat modeling approach.

Palanivel M, Selvadurai K - Springerplus (2014)

Bottom Line: The threat modeling approach identifies threats associated with the system. Risk-driven security testing results in a reduced test suite, which in turn reduces test case selection time. The results show that the proposed method, combining risk analysis with threat modeling, identifies states with high risks to improve the testing efficiency.


Affiliation: Department of Information Technology, Pondicherry Engineering College, Puducherry, India.

ABSTRACT
Security testing is the process of determining the risks present in the system states and protecting them from vulnerabilities. However, security testing does not give due importance to threat modeling and risk analysis simultaneously, which affects the confidentiality and integrity of the system. Risk analysis includes the identification, evaluation and assessment of risks. The threat modeling approach identifies threats associated with the system. Risk-driven security testing uses risk analysis results in test case identification, selection and assessment to prioritize and optimize the testing process. The threat modeling approach STRIDE is generally used to identify both technical and non-technical threats present in the system. Thus, a security testing mechanism based on risk analysis results using the STRIDE approach has been proposed for identifying high-risk states. The risk metrics considered for testing include risk impact, risk possibility and risk threshold. The risk threshold value is directly proportional to risk impact and risk possibility. Risk-driven security testing results in a reduced test suite, which in turn reduces test case selection time. Risk analysis optimizes the test case selection and execution process. For experimentation, the system models LMS, ATM, OBS, OSS and MTRS are considered. The performance of the proposed system is analyzed using Test Suite Reduction Rate (TSRR) and FSM coverage. TSRR varies from 13.16 to 21.43%, whereas FSM coverage of up to 91.49% is achieved. The results show that the proposed method, combining risk analysis with threat modeling, identifies states with high risks to improve the testing efficiency.



Fig5: Workflow diagram for threat modelling.

Mentions: In the system model, where all states and their corresponding transitions are known, a data flow diagram based on the states and processes is drawn; it depicts the flow of data in the current system, as shown in Figure 5. It is used to identify the threats present in the system. The STRIDE threat model identifies six attacks, namely Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. The model checks which of these attacks the system is most prone to.
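The approach described in the abstract and the passage above, tagging FSM states with STRIDE threats, scoring them, and keeping only test cases that exercise high-risk states, can be sketched as follows. This is an added example, not code from the paper. Assumptions: the score is taken as impact × possibility (the abstract says only that the threshold is proportional to both), the 1 to 5 scales, the cut-off, the greedy selection rule, the TSRR and coverage definitions, and the ATM-like model are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    state: str        # FSM state the threat applies to
    stride: str       # STRIDE category
    impact: int       # assumed scale: 1 (low) to 5 (high)
    possibility: int  # assumed scale: 1 (rare) to 5 (likely)

def state_risk(threats):
    """Worst (score, STRIDE category) per state; score = impact * possibility (assumed)."""
    risk = {}
    for t in threats:
        score = t.impact * t.possibility
        if score > risk.get(t.state, (0, ""))[0]:
            risk[t.state] = (score, t.stride)
    return risk

def reduce_suite(tests, risk, cutoff):
    """Greedily keep tests until every state scoring >= cutoff is exercised."""
    pending = {s for s, (score, _) in risk.items() if score >= cutoff}
    kept = []
    while pending:
        gain = lambda name: sum(risk[s][0] for s in pending & set(tests[name]))
        best = max(sorted(tests), key=gain)
        if gain(best) == 0:
            break  # no test reaches the remaining high-risk states
        kept.append(best)
        pending -= set(tests[best])
    return kept, pending

def tsrr(tests, kept):
    """Test Suite Reduction Rate in percent (assumed: share of test cases removed)."""
    return 100.0 * (len(tests) - len(kept)) / len(tests)

def fsm_coverage(states, tests, kept):
    """Percent of FSM states exercised by the kept tests (assumed definition)."""
    return 100.0 * len({s for n in kept for s in tests[n]} & set(states)) / len(states)

# Constructed ATM-like model: states, STRIDE-tagged threats, test paths.
STATES = ["Idle", "CardInserted", "PinEntry", "Menu", "Withdraw", "Transfer", "Receipt", "Eject"]
THREATS = [Threat("PinEntry", "Spoofing", 5, 4), Threat("PinEntry", "Information Disclosure", 4, 3),
           Threat("Withdraw", "Tampering", 5, 3), Threat("Transfer", "Repudiation", 4, 4),
           Threat("Menu", "Elevation of Privilege", 5, 2), Threat("Idle", "Denial of Service", 2, 3)]
LOGIN = ["Idle", "CardInserted", "PinEntry", "Menu"]
TESTS = {"tc1": ["Idle", "CardInserted", "Eject"], "tc2": LOGIN[:3] + ["Eject"],
         "tc3": LOGIN + ["Withdraw", "Eject"], "tc4": LOGIN + ["Withdraw", "Receipt", "Eject"],
         "tc5": LOGIN + ["Transfer", "Eject"], "tc6": LOGIN + ["Eject"]}
```

With a cut-off of 12, `reduce_suite(TESTS, state_risk(THREATS), 12)` keeps two of the six constructed test cases while still exercising every high-risk state; the low-risk `Receipt` state is the only one left uncovered.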

