Spelling suggestions: "subject:"2security testing"" "subject:"bsecurity testing""
1 |
Software Security Testing : A Flexible Architecture for Security TestingAndersson, Martin January 2008 (has links)
<p>Abstract: This thesis begins with briefly describing a few vulnerability classes that exist in today’s software. We then continue by describing how these vulnerabilities could be discovered through dynamic testing. Both general testing techniques and existent tools are mentioned.</p><p>The second half of this thesis present and evaluates a new flexible architecture. This new architecture has the ability to combine different approaches and create a more flexible environment from where the testing can be conducted. This new flexible architecture aims towards reducing maintenance and/or adaptation time for existing tools or frameworks. The architecture consists of a given set of plug-ins that can be easily replaced to adapt test as needed. We evaluate this architecture by implementing test plug-ins. We also use this architecture and a set of test plug-ins to generate a fuzzer targeted to test a known vulnerable server.</p>
|
2 |
Evaluation of the applicability of security testing techniques in continuous integration environmentsThulin, Pontus January 2015 (has links)
Agile development methodologies are becoming increasingly popular, especially in projects that develop web applications. However, incorporation of software security in lightweight approaches can be difficult. Using security testing techniques throughout a complete agile development process by running automated tests in continuous integration environments is one approach that strives to improve security in agile projects. Instead of performing security testing at the end of the development cycle, such methods enables early and continuous detection of security risks and vulnerabilities. The purpose of this thesis is to study how existing security testing techniques operate in continuous integration environments and what level of security they can help assure. The work is a qualitative analysis of dierent security testing techniques and evaluates how they technically fit into a continuous integration environment as well as how they adhere to agile principles. These techniques are also analyzed with the use of OWASP Top Ten to determine which security requirements they can verify. The outcome of the analysis is that no existing security testing technique is a perfect fit for usage in continuous integration testing. Each technique has its distinct advantages and drawbacks that should be taken into consideration when choosing a technique to work with in continuous integration environments.
|
3 |
A Framework for Software Security Testing and EvaluationDutta, Rahul Kumar January 2015 (has links)
Security in automotive industry is a thought of concern these days. As more smart electronic devices are getting connected to each other, the dependency on these devices are urging us to connect them with moving objects such as cars, buses, trucks etc. As such, safety and security issues related to automotive objects are becoming more relevant in the realm of internet connected devices and objects. In this thesis, we emphasize on certain factors that introduces security vulnerabilities in the implementation phase of Software Development Life Cycle (SDLC). Input invalidation is one of them that we address in our work. We implement a security evaluation framework that allows us to improve security in automotive software by identifying and removing software security vulnerabilities that arise due to input invalidation reasons during SDLC. We propose to use this framework in the implementation and testing phase so that the critical deficiencies of software in security by design issues could be easily addressed and mitigated.
|
4 |
Syntax-based Security Testing for Text-based Communication ProtocolsKam, Ben W. Y. 30 April 2010 (has links)
We introduce a novel Syntax-based Security Testing (SST) framework that uses a protocol specification to effectively perform security testing on text-based communication protocols. A protocol specification of a particular text-based protocol under-tested (TPUT) represents its syntactic grammar and static semantic contracts on the grammar. Mutators written in TXL break the syntactic and semantic constraints of the protocol specification to generate test cases. Different protocol specification testing strategies can be joined together to yield a compositional testing approach. SST is independent of any particular text-based protocols. The power of SST stems from the way it obtains test cases from the protocol specifications. We also use the robust parsing technique with TXL to parse a TPUT. SST has successfully revealed security faults in different text-based protocol applications such as web applications and kOganizer. We also demonstrate SST can mimic the venerable PROTOS Test-Suite: co-http-reply developed by University of Oulu. / Thesis (Ph.D, Computing) -- Queen's University, 2010-04-30 16:01:18.048
|
5 |
Software Security Testing : A Flexible Architecture for Security TestingAndersson, Martin January 2008 (has links)
Abstract: This thesis begins with briefly describing a few vulnerability classes that exist in today’s software. We then continue by describing how these vulnerabilities could be discovered through dynamic testing. Both general testing techniques and existent tools are mentioned. The second half of this thesis present and evaluates a new flexible architecture. This new architecture has the ability to combine different approaches and create a more flexible environment from where the testing can be conducted. This new flexible architecture aims towards reducing maintenance and/or adaptation time for existing tools or frameworks. The architecture consists of a given set of plug-ins that can be easily replaced to adapt test as needed. We evaluate this architecture by implementing test plug-ins. We also use this architecture and a set of test plug-ins to generate a fuzzer targeted to test a known vulnerable server.
|
6 |
Formal Methods and Tools for Testing Communication Protocol System SecurityShu, Guoqiang 29 July 2008 (has links)
No description available.
|
7 |
Functional and Security testing of a Mobile Application / Funktionell och säkerhetstestning av en mobil applikationSjöstrand, Johan, Westberg, Sara January 2017 (has links)
A mobile application has been developed to be used for assistance in crisis scenarios. To assure the application is dependable enough to be used in such scenarios, the application was put under test. This thesis investigates different approaches to functional testing and security testing. Five common methods of generating test cases for functional testing have been identified and four were applied on the application. The coverage achieved for each method was measured and compared. For this specific application under test, test cases from a method called decision table-testing scored the highest code coverage. 9 bugs related to functionality were identified. Fuzz testing is a simple security testing technique for efficiently finding security flaws, and was applied for security testing of our application. During the fuzz test, system security properties were breached. An unauthorized user could read and alter asset data, and it also affected the system's availability. Our overall conclusion was that with more time, creating functional tests for smaller components of the application might have been more effective in finding faults and achieving coverage.
|
8 |
Bezpečnost při vývoji softwaru / Security during the application developmentLapáček, Vladimír January 2010 (has links)
The topic of the thesis is issue of security during the application development. The main emphasis is being placed on web applications. The goal is to define a framework for managing the life cycle of applications to meet the security minimum. The objectives of the work are achieved by study of available resources and their subsequent analysis. The target audiences are software developers interested in learning more about how to create secure applications. The work describes the areas that are crucial for security of applications. Work contains security standards which we can use for defining security requirements of applications. Furthermore, there are mentioned the most serious security vulnerabilities and ways how to avoid them. It describes issue of security testing as an important tool for verifying security. The main part of work is the chapter dealing with the way how to include the issue of security throughout the application life cycle.
|
9 |
Secure Application Development / Static Application Security Testing (SAST)Alwan, Alaa January 2022 (has links)
Security testing is a widely applied measure to evaluate and improve software security by identifying vulnerabilities and ensuring security requirements related to properties like confidentiality, integrity, and availability. A confidentiality policy guarantees that attackers will not be able to expose secret information. In the context of software programs, the output that attackers observe will not carry any information about the confidential input information. Integrity is the dual of confidentiality, i.e., unauthorized and untrusted data provided to the system will not affect or modify the system’s data. Availability means that systems must be available at a reasonable time. Information flow control is a mechanism to enforce confidentiality and integrity. An accurate security assessment is critical in an age when the open nature of modern software-based systems makes them vulnerable to exploitation. Security testing that verifies and validates software systems is prone to false positives, false negatives, and other such errors, requiring more resilient tools to provide an efficient way to evaluate the threats and vulnerabilities of a given system. Therefore, the newly developed tool Reax controls information flow in Java programs by synthesizing conditions under which a method or an application is secure. Reax is a command-line application, and it is hard to be used by developers. This project has its primary goal to integrate Reax by introducing a plugin for Java IDEs to perform an advanced analysis of security flaws. Specifically, by design, a graphical plugin performs advanced security analysis that detects and reacts directly to security flaws within the graphical widget toolkit environment (SWT). The project proposed a new algorithm to find the root cause of security violations through a graphical interface as a second important goal. As a result, developers will be able to detect security violations and fix their code during the implementation phase, reducing costs.
|
10 |
Evaluating and comparing the web application security testing tools: Identifying and Applying Key MetricsThota, Sanmay Bhavanish, Vemula, Sai Ajit Jayasimha January 2024 (has links)
Background: Web application security (WAS) testing is crucial for protecting web applications from cyber threats. However, organizations often struggle to select effective WAS testing tools due to the lack of a well-defined set of evaluation criteria. This research aims to address this need by identifying the key metrics for evaluating and comparing WAS testing tools. Objectives: The primary objectives of this research are to identify the key metrics for comparing WAS testing tools, validate the significance of these metrics through semi-structured interviews, and perform a comparison between WAS testing tools using the validated metrics. This research aims to find a set of validated metrics for evaluating and comparing WAS testing tools. Methods: The research methodology consisted of three main phases: a literature review to compile a comprehensive set of technical and non-technical metrics commonly used for assessing and comparing WAS testing tools, semi-structured interviews with security experts to validate the significance of the identified metrics, and an experiment to compare three WAS testing tools - ZAP, Burp Suite, and Acunetix - using the OWASP Benchmark project. These three tools were selected based on the author’s recommendations in the literature. Results: The initial literature review found 37 evaluation metrics for WAS testing tools. Through interviews, experts confirmed some of these were important, but also said some were not very useful. The experts additionally suggested some new metrics that were not in the literature. Incorporating this feedback, the final list was refined down to 35 metrics for evaluating WAS testing tools. An experiment was then conducted to compare three WAS testing tools - ZAP, Burp Suite, and Acunetix with the test subject as the OWASP Benchmark Project and by using the validated set of metrics. The results of this experiment revealed differences in the performance of the tools, with Burp Suite emerging as the best performer. Conclusions: This research has provided a valid set of metrics for comparing and evaluating WAS testing tools, empowering organizations to make more informed decisions. Security professionals can optimise their WAS testing tool selection by understanding the key metrics and their relative significance, as established through the literature and interviews. Based on the experimental analysis, Burp Suite performed better than other tools. Therefore, for organizations initiating the selection process of the WAS testing tool, Burp Suite stands out as a good choice.
|
Page generated in 0.0701 seconds