An optimized attack tree model for security test case planning and generation

Omotunde, Habeeb and Ibrahim, Rosziati and Ahmed, Maryam (2018) An optimized attack tree model for security test case planning and generation. Journal of Theoretical and Applied Information Technology, 96 (17). pp. 5635-5649. ISSN 1817-3195


Abstract

Securing software assets through efficient test case management is an important task for realizing business goals. Given the large risks web applications face from incessant cyberattacks, a proactive risk strategy such as threat modeling is adopted. It involves the use of attack trees to identify software vulnerabilities at the earliest phase of software development, which is critical to successfully protecting these applications. Although much research has been dedicated to security testing with attack tree models, test case redundancy under this threat modeling technique has been a major issue, leading to poor test coverage and expensive security testing exercises. This paper presents an attack tree modeling algorithm for deriving a minimal set of effective attack vectors required to test a web application for SQL injection vulnerabilities. By leveraging the optimized attack tree algorithm used in this research work, the threat model produces efficient test plans from which adequate test cases are derived to ensure a secure web application is designed, implemented and deployed. The experimental result shows an average optimization rate of 41.67%, from which 7 test plans and 13 security test cases were designed to mitigate all SQL injection vulnerabilities in the web application under test. A 100% security risk intervention of the web application was achieved with respect to preventing SQL injection attacks after applying all security recommendations from the test case execution report.

Item Type: Article
Uncontrolled Keywords: Security Testing; SQL injection; Attack trees; Threat Modeling; MOTH.
Subjects: Q Science > QA Mathematics > QA71-90 Instruments and machines
Divisions: Faculty of Computer Science and Information Technology > Department of Software Engineering
Depositing User: UiTM Student Praktikal
Date Deposited: 13 Jan 2022 07:23
Last Modified: 13 Jan 2022 07:23
URI: http://eprints.uthm.edu.my/id/eprint/5534
