DocumentCode :
708024
Title :
Security Threat Identification and Testing
Author :
Carbone, Roberto ; Compagna, Luca ; Panichella, Annibale ; Ponta, Serena Elisa
Author_Institution :
Security & Trust, FBK-Irst, Trento, Italy
fYear :
2015
fDate :
13-17 April 2015
Firstpage :
1
Lastpage :
8
Abstract :
Business applications are more and more collaborative (cross-domains, cross-devices, service composition). Security shall focus on the overall application scenario including the interplay between its entities/devices/services, not only on the isolated systems within it. In this paper we propose the Security Threat Identification And TEsting (STIATE) toolkit to support development teams toward security assessment of their under-development applications focusing on subtle security logic flaws that may go undetected by using current industrial technology. At design-time, STIATE supports the development teams toward threat modeling and analysis by identifying automatically potential threats (via model checking and mutation techniques) on top of sequence diagrams enriched with security annotations (including WHAT-IF conditions). At run-time, STIATE supports the development teams toward testing by exploiting the identified threats to automatically generate and execute test cases on the up and running application. We demonstrate the usage of the STIATE toolkit on an application scenario employing the SAML Single Sign-On multi-party protocol, a well-known industrial security standard largely studied in previous literature.
Keywords :
computer crime; program testing; program verification; SAML; STIATE toolkit; WHAT-IF conditions; business applications; design-time; development teams; industrial security standard; industrial technology; model checking; mutation techniques; security annotations; security assessment; security logic flaws; security threat identification and testing; sequence diagrams; single sign-on multiparty protocol; test cases; threat analysis; threat modeling; under-development applications; Authentication; Business; Engines; Protocols; Testing; Unified modeling language;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on
Conference_Location :
Graz
Type :
conf
DOI :
10.1109/ICST.2015.7102630
Filename :
7102630
Link To Document :
بازگشت