DocumentCode
2445877
Title
A model-driven penetration test framework for Web applications
Author
Xiong, Pulei ; Peyton, Liam
Author_Institution
SITE, Univ. of Ottawa, Ottawa, ON, Canada
fYear
2010
fDate
17-19 Aug. 2010
Firstpage
173
Lastpage
180
Abstract
Penetration testing is widely used to audit the security protection of Web applications. However, it is often performed by specialized security experts after development is completed and the application deployed into production. In this paper, we propose a model-driven penetration test framework for Web applications which provides a repeatable, systematic and cost-efficient approach fully integrated into a Security-Oriented Software Development Life Cycle. Security experts are still required to maintain knowledge used by the framework, but regular testing personnel are capable of creating, running and maintaining penetration test campaigns. A prototype of the framework has been implemented and applied to two Web applications: the benchmark WebGoat web application, and a hospital adverse event management system currently under development. A preliminary evaluation based on the prototype demonstrates the feasibility and efficiency of the proposed framework.
Keywords
Internet; security of data; software engineering; Web application; hospital adverse event management system; model driven penetration test; security expert; security oriented software development life cycle; security protection; Book reviews; Computer architecture; Databases; Knowledge engineering; Programming; Security; Testing; Model-Driven; Penetration Testing; Software Engineering; Web Security;
fLanguage
English
Publisher
IEEE
Conference_Titel
Privacy Security and Trust (PST), 2010 Eighth Annual International Conference on
Conference_Location
Ottawa, ON
Print_ISBN
978-1-4244-7551-3
Electronic_ISBN
978-1-4244-7549-0
Type
conf
DOI
10.1109/PST.2010.5593250
Filename
5593250