Security Testing [chapter]

Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, Alexander Pretschner
2016, Advances in Computers (Elsevier)
© 2016 Elsevier. This is the author's version of the work. It is posted at abstract/felderer.ea-security-testing-2016 by permission of Elsevier for your personal use. Not for redistribution. The definitive version was published in

Abstract

Identifying vulnerabilities and ensuring security functionality by security testing is a widely applied measure to evaluate and improve the security of software. Due to the openness of modern software-based systems, applying appropriate security testing techniques is of growing importance and essential to perform effective and efficient security testing. Therefore, an overview of current security testing techniques is of high value both for researchers to evaluate and refine the techniques and for practitioners to apply and disseminate them. This chapter fulfills this need and provides an overview of recent security testing techniques. For this purpose, it first summarizes the required background of testing and security engineering. Then, basics and recent developments of security testing techniques applied during the secure software development lifecycle, i.e., model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing, are discussed. Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application.

Software Testing

According to the classic definition in software engineering [17], software testing consists of the dynamic verification that a program provides expected behaviors on a finite set of test cases, a so-called test suite, suitably selected from the usually infinite execution domain. This dynamic notion of testing, so-called dynamic testing, evaluates software by observing its execution [4]. The executed system is called the system under test (SUT).
More general notions of testing [69] consist of all lifecycle activities, both static and dynamic, concerned with the evaluation of software products and related artifacts to determine that they satisfy specified requirements, to demonstrate that they are fit for purpose, and to detect defects. This definition also takes static testing into account, which checks software development artifacts (e.g., requirements, design, or code) without executing them. The most prominent static testing approaches are (manual) reviews and (automated) static analysis, which are often combined with dynamic
doi:10.1016/bs.adcom.2015.11.003 | fatcat:gdd4ggwo6vcrjosp2nx63kp5mu