A threat model-driven security testing approach for web application

Abstract

Web applications play an increasingly essential role in daily life; hence, their security is gaining more attention, and a great deal of research on web application security testing has been carried out. Most of it, however, has concentrated on testing procedures arranged after the implementation process is complete. In this paper, we propose a threat model-driven security testing approach for detecting threats, which consists of four activities: building a threat tree, according to the attack pattern, for the threats web applications may confront; deriving a security testing sequence from the threat model; deriving security testing data from UML sequence diagram parameters for extracting test inputs; and generating executable security test cases. We also proposed an algorithm for generating security testing sequences and conducted an empirical study to show the feasibility and effectiveness of our approach. © 2012 Springer-Verlag Berlin Heidelberg.

Yan, B., Li, X., & Du, Z. (2013). A threat model-driven security testing approach for web application. Communications in Computer and Information Science, 332, 158–168. https://doi.org/10.1007/978-3-642-34447-3_14
