Pattern-driven and Model-based Vulnerability Testing in RASEN
Related work on vulnerability detection can be classified into two complementary categories: Static and Dynamic Analysis Security Testing, SAST and DAST for short. On the one hand, SAST covers white-box approaches: source, byte and object code scanners and static analysis techniques. On the other hand, DAST covers black-box Web application scanners, fuzzing techniques and emerging model-based security testing approaches.
The RASEN project proposes an innovative risk-based testing approach, focused on DAST techniques, that generates security test cases from security test patterns selected on the basis of risk assessment. This approach, called Pattern-driven and Model-based Vulnerability Testing (PMVT for short), is depicted in the figure below. It integrates the tools of the project partners:
- CORAS [1] from SINTEF, to address risk assessment,
- CertifyIt [2] from Smartesting, to perform risk and model-based test generation,
- Fuzzino [3] from Fraunhofer FOKUS, to apply data fuzzing techniques.
The process starts on the left with the risk model resulting from risk assessment. A CORAS risk model, linked to generic security test patterns and vulnerability catalogues, enables the selection and prioritization of security test purposes. These are the starting point for security test case derivation, since they state how suitable security test cases can be built from the risk analysis results. The test generation tool CertifyIt then automatically generates test cases by combining the selected test purposes with a behavioral UML test model of the Web application under test. A dedicated DSML (domain-specific modeling language) makes designing the test model easier and less time-consuming by providing the abstractions needed to describe the structural entities and behaviors of the application under test.
The generated test cases, each depicted as a UML sequence diagram, are then translated into a JUnit test suite, fuzzed to apply various attack vectors, and executed on the application under test. The test results are finally gathered to complement the risk picture, and a dashboard displays test metrics. This tool-supported approach is currently being experimented with on the industrial case studies proposed by the RASEN project partners InfoWorld and Evry. More details about this RASEN innovation can be found in [4].
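The whole chain described above (risk model, test purpose selection and prioritization, test generation from a pattern and an application model, fuzzed execution, and results fed back into the risk picture) can be shown end to end in a few dozen lines. The following is an added illustration written for this page; it is not code from CORAS, CertifyIt, Fuzzino or the RASEN project. The risk model, the test pattern catalogue, the application model, the probe strings and the toy application under test are all constructed stand-ins, and the function and class names are the example's own.

```python
"""Miniature PMVT-style pipeline: risk model -> test purposes -> test cases ->
fuzzed execution -> results fed back into the risk picture.

Added illustration only: none of this is CORAS, CertifyIt or Fuzzino code.
The risk model, the test pattern catalogue, the application model and the
toy application under test are all constructed for this example.
"""
from dataclasses import dataclass
from html import escape


# 1. Risk assessment result (stand-in for a CORAS risk model).
@dataclass(frozen=True)
class Risk:
    vulnerability: str  # vulnerability named in the risk model
    likelihood: int     # constructed 1..5 scale
    consequence: int    # constructed 1..5 scale

    @property
    def level(self) -> int:
        return self.likelihood * self.consequence


RISK_MODEL = [
    Risk("reflected_input", likelihood=4, consequence=3),       # level 12
    Risk("missing_length_check", likelihood=2, consequence=2),  # level 4
    Risk("verbose_error_page", likelihood=1, consequence=2),    # level 2
]


# 2. Behavioural model of the application under test (stand-in for the
#    UML test model written with the DSML): one entry per input operation.
@dataclass(frozen=True)
class Operation:
    page: str
    param: str
    max_len: int  # length the specification allows for this parameter


APP_MODEL = [Operation("/search", "q", 64), Operation("/profile", "name", 32)]


# 3. Generic security test patterns, keyed by vulnerability. Each pattern
#    says which fuzz data to inject for an operation and how to judge the
#    observed response (the test oracle).
@dataclass(frozen=True)
class TestCase:
    risk: str
    page: str
    param: str
    payload: str


TEST_PATTERNS = {
    "reflected_input": {
        # Harmless probe strings; the oracle fails the test if the probe
        # comes back unescaped, i.e. the page reflects raw input.
        "fuzz": lambda op: ["<probe>", '"probe"'],
        "passes": lambda tc, status, body: tc.payload not in body,
    },
    "missing_length_check": {
        # One byte over the specified limit must be rejected by the app.
        "fuzz": lambda op: ["A" * (op.max_len + 1)],
        "passes": lambda tc, status, body: status == 400,
    },
}


# 4. Test purpose selection and prioritisation from the risk picture.
def select_test_purposes(risks, min_level=4):
    """Keep risks at or above the threshold, highest risk level first."""
    chosen = [r for r in risks if r.level >= min_level]
    return sorted(chosen, key=lambda r: r.level, reverse=True)


# 5. Test generation: test purpose x model operation x fuzz datum.
def generate_test_cases(purposes, model):
    cases = []
    for risk in purposes:
        pattern = TEST_PATTERNS.get(risk.vulnerability)
        if pattern is None:  # no pattern in the catalogue for this risk
            continue
        for op in model:
            for payload in pattern["fuzz"](op):
                cases.append(TestCase(risk.vulnerability, op.page, op.param, payload))
    return cases


# 6. Toy application under test (constructed). /search is deliberately
#    flawed on both counts so the pipeline has something to report.
def toy_app(page, param, value):
    if page == "/search":
        return 200, f"<p>Results for {value}</p>"   # raw echo, no length check
    if page == "/profile":
        if len(value) > 32:
            return 400, "name too long"
        return 200, f"<p>Hello {escape(value)}</p>"  # escaped output
    return 404, "not found"


# 7. Execution and feedback into the risk picture.
def run_pipeline(app=toy_app, risks=RISK_MODEL, model=APP_MODEL):
    """Return {vulnerability: set of pages where at least one test failed}."""
    picture = {}
    for tc in generate_test_cases(select_test_purposes(risks), model):
        status, body = app(tc.page, tc.param, tc.payload)
        failing_pages = picture.setdefault(tc.risk, set())
        if not TEST_PATTERNS[tc.risk]["passes"](tc, status, body):
            failing_pages.add(tc.page)
    return picture


if __name__ == "__main__":
    for vuln, pages in run_pipeline().items():
        print(f"{vuln}: {'confirmed on ' + ', '.join(sorted(pages)) if pages else 'no finding'}")
```

Running the script reports `reflected_input` and `missing_length_check` as confirmed on `/search` and clear on `/profile`, while the low-level `verbose_error_page` risk never produces a test because it falls below the selection threshold. The oracle is the part of the pattern that carries the security knowledge: the probe strings themselves are inert, and a finding only depends on whether the application escaped or rejected them, which is the same shape a generated JUnit test would take once fuzz data is substituted in.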
References
- S. Lund, B. Solhaug, and K. Stølen. Model-Driven Risk Analysis: The CORAS Approach. 1st Edition. Springer Publishing Company, Incorporated (2011).
- Bernard, F. Bouquet, A. Charbonnier, B. Legeard, F. Peureux, M. Utting, and E. Torreborre. Model-based testing from UML models. Int. Workshop on Model-based Testing (MBT'2006), LNCS, vol. 94, pages 223–230. Dresden, Germany. October 2006. Springer.
- Fraunhofer FOKUS: Fuzzing library Fuzzino on GitHub (2013). [ONLINE] Available at: https://github.com/fraunhoferfokus/Fuzzino
- Botella, B. Legeard, F. Peureux, and A. Vernotte. Risk-Based Vulnerability Testing using Security Test Patterns. 6th Int. Symposium on Leveraging Applications of Formal Methods, Verification and Validation (ISoLA'14), LNCS, vol. 8803, pages 337–352. Corfu, Greece. October 2014. Springer.
A contribution by Fabien Peureux, Smartesting.
23 Mar 2015 / rasen_adm