Title :
Search-Based Application Security Testing: Towards a Structured Search Space
Author_Institution :
Fraunhofer Inst. for Secure Inf. Technol. (SIT), Darmstadt, Germany
Date :
3/1/2011 12:00:00 AM
Abstract :
This position paper outlines a staged approach to search-based application security testing. In the first stage one searches for candidate tests in the input space that have a chance of leading to good security tests. In the second stage one selects individual candidates and uses them to select and parametrize specialized search techniques. This approach has its roots in exploratory security testing. In the first stage, the fitness of tests depends on their ability to provoke vulnerability symptoms at all, and on their relation to other tests in a test suite. In the second stage, the fittest tests are those that come closest to an exploit of a specific type of vulnerability. To evaluate the performance of such a staged approach one might use web application vulnerability scanners as a baseline.
Keywords :
"Security","Software","Conferences","Space exploration","Software testing","Software engineering"
Conference_Title :
Software Testing, Verification and Validation Workshops (ICSTW), 2011 IEEE Fourth International Conference on
Print_ISBN :
978-1-4577-0019-4
DOI :
10.1109/ICSTW.2011.96