Abstract
A systematic integration of risk analysis and security testing allows for optimizing the test process as well as the risk assessment itself. The results of the risk assessment, i.e. the identified vulnerabilities, threat scenarios and unwanted incidents, can be used to guide test identification and may complement requirements engineering results with systematic information concerning the threats and vulnerabilities of a system and their probabilities and consequences. This information can be used to weight threat scenarios and thus help identify the ones that need to be treated and tested more carefully. On the other hand, risk-based testing approaches can help to optimize the risk assessment itself by providing empirical knowledge on the existence of vulnerabilities, the applicability and consequences of threat scenarios and the quality of countermeasures. This paper outlines a tool-based approach for risk-based security testing that combines the notion of risk assessment with a pattern-based approach for automatic test generation relying on test directives and strategies, and shows how results from the testing are systematically fed back into the risk assessment.
The research leading to these results has also received funding from the European Union’s Seventh Framework Programme (FP7/2007-2013) under grant agreements no. 316853 and no. 318786.
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Großmann, J., Schneider, M., Viehmann, J., Wendland, MF. (2014). Combining Risk Analysis and Security Testing. In: Margaria, T., Steffen, B. (eds) Leveraging Applications of Formal Methods, Verification and Validation. Specialized Techniques and Applications. ISoLA 2014. Lecture Notes in Computer Science, vol 8803. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45231-8_23
DOI: https://doi.org/10.1007/978-3-662-45231-8_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-45230-1
Online ISBN: 978-3-662-45231-8
eBook Packages: Computer Science, Computer Science (R0)