UTHM Institutional Repository

Moth: a hybrid threat model for improving software security testing

Omotunde, Habeeb Olodapo (2018) Moth: a hybrid threat model for improving software security testing. Doctoral thesis, Universiti Tun Hussein Onn Malaysia.

[img]
Preview
Text
MOTH A HYBRID THREAT MODEL FOR IMPROVING SOFTWARE SECURITY TESTING.pdf

Download (339kB) | Preview

Abstract

As SQL injection attack (SQLIA) continues to threaten web applications despite several techniques recommended to prevent it, a Hybrid Threat Modeling strategy was adopted in this research due to its proactive approach to risk mitigation in web applications. This involved the combination of 3 threat modeling techniques namely misuse cases, attack trees and finite state machines in order to harness their individual strengths to design a Hybrid Threat Modeling framework and tool called MOTH (Modeling Threats using Hybrid techniques). Using the MOTH tool developed using Eclipse rich client platform, experimental results with an e-commerce web application downloaded from GitHub namely BodgeIt store shows an improved SQL injection vulnerability detection rate of 13.33% in comparison to a commercial tool, IBM AppScan. Further benchmarking of MOTH with respect to SQL injection vulnerability detection in both BodgeIT store and IBM’s Altoro Mutual online banking application shows it is 30.6% more effective over AppScan. Relative to other threat modeling tools, MOTH was able to realize a 41.7% optimization of attack paths required to design effective test plans and test cases for the recommendation of efficient security requirements needed to prevent SQL injection attacks. A 100% risk mitigation was achieved after applying these recommendations due to a complete security test coverage of all test cases during the experiment as all test cases successfully exposed the inherent security mutants in the AUT. These results show that MOTH is a more suitable hybrid threat modeling tool for preventing poor specifications that expose web applications to SQL injection attacks.

Item Type: Thesis (Doctoral)
Subjects: H Social Sciences > HV Social pathology. Social and public welfare
Divisions: Faculty of Computer Science and Information Technology > Department of Information Security
Depositing User: Sabarina Che Mat
Date Deposited: 29 Feb 2020 12:06
Last Modified: 29 Feb 2020 12:06
URI: http://eprints.uthm.edu.my/id/eprint/12176
Statistic Details: View Download Statistic

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year