Moth: a hybrid threat model for improving software security testing

Omotunde, Habeeb Oladapo (2018) Moth: a hybrid threat model for improving software security testing. Doctoral thesis, Universiti Tun Hussein Onn Malaysia.


Download (339kB) | Preview
[img] Text (Copyright Declaration)
Restricted to Repository staff only

Download (11MB) | Request a copy
[img] Text (Full Text)
Restricted to Registered users only

Download (11MB) | Request a copy


As SQL injection attack (SQLIA) continues to threaten web applications despite several techniques recommended to prevent it, a Hybrid Threat Modeling strategy was adopted in this research due to its proactive approach to risk mitigation in web applications. This involved the combination of 3 threat modeling techniques namely misuse cases, attack trees and finite state machines in order to harness their individual strengths to design a Hybrid Threat Modeling framework and tool called MOTH (Modeling Threats using Hybrid techniques). Using the MOTH tool developed using Eclipse rich client platform, experimental results with an e-commerce web application downloaded from GitHub namely BodgeIt store shows an improved SQL injection vulnerability detection rate of 13.33% in comparison to a commercial tool, IBM AppScan. Further benchmarking of MOTH with respect to SQL injection vulnerability detection in both BodgeIT store and IBM’s Altoro Mutual online banking application shows it is 30.6% more effective over AppScan. Relative to other threat modeling tools, MOTH was able to realize a 41.7% optimization of attack paths required to design effective test plans and test cases for the recommendation of efficient security requirements needed to prevent SQL injection attacks. A 100% risk mitigation was achieved after applying these recommendations due to a complete security test coverage of all test cases during the experiment as all test cases successfully exposed the inherent security mutants in the AUT. These results show that MOTH is a more suitable hybrid threat modeling tool for preventing poor specifications that expose web applications to SQL injection attacks.

Item Type: Thesis (Doctoral)
Subjects: H Social Sciences > HV Social pathology. Social and public welfare > HV7231-9960 Criminal justice administration > HV8290-8291 Private security services
Divisions: Faculty of Computer Science and Information Technology > Department of Web Technology
Depositing User: Mrs. Sabarina Che Mat
Date Deposited: 06 Jul 2021 07:50
Last Modified: 06 Jul 2021 07:50

Actions (login required)

View Item View Item