<div class="csl-bib-body">
<div class="csl-entry">Schanes, C. (2013). <i>Scope and depth efficient testing approach and framework for enhancing the detection of IT security bugs</i> [Dissertation, Technische Universität Wien]. reposiTUm. http://hdl.handle.net/20.500.12708/159694</div>
</div>
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/159694
-
dc.description
Abstract in German
-
dc.description.abstract
Due to the increased complexity of today's software systems, the attack surface and the likelihood of attacks increase. Security testing is an important task needed for developing robust and secure systems. At the same time, security testing is expensive because it is difficult to detect security failures and to decide if an observed behavior during security testing is indeed a security failure. To meet security requirements in IT infrastructures, a security engineering process has to be established. One crucial factor contributing to a higher level of security is to establish security tests. For detecting vulnerabilities two aspects are important for security tests. First, the failure has to be triggered by conducting simulated attacks at the interfaces of the specific software. Additionally, the behavior has to be determined as misbehavior. Our approach uses XML and XML schema definition as a common data format for describing different attack vectors in addition to a single generic algorithm in order to generate security-relevant test data to simulate attacks against the system under test. A common data format as the basis for describing test data and security attacks as well as transformations to support various formats ensures that the implementation of the generation logic for security test data is only needed once. To detect errors, we observe the behavior of the system under test and introduce machine learning methods based on derived metrics from the behavior as a generic method for different test targets which improves the accuracy of the security test result of the automated security testing approach. Security tests can uncover security failures which increases the quality of the software. 
A proper determination of security failures raises the acceptance of the method during the development lifecycle and the automation additionally reduces costs. Increasing the level of security and meeting the security requirements of software projects ensures protecting valuable systems and information against attackers.
en
dc.language
English
-
dc.language.iso
en
-
dc.subject
Security Testing
de
dc.subject
Machine Learning
de
dc.subject
Test Data Generation
de
dc.title
Scope and depth efficient testing approach and framework for enhancing the detection of IT security bugs
en
dc.type
Thesis
en
dc.type
Hochschulschrift
de
dc.contributor.affiliation
TU Wien, Österreich
-
tuw.thesisinformation
Technische Universität Wien
-
dc.contributor.assistant
Freund, Rudolf
-
tuw.publication.orgunit
E183 - Institut für Rechnergestützte Automation
-
dc.type.qualificationlevel
Doctoral
-
dc.identifier.libraryid
AC07815737
-
dc.description.numberOfPages
147
-
dc.thesistype
Dissertation
de
dc.thesistype
Dissertation
en
tuw.advisor.staffStatus
staff
-
tuw.assistant.staffStatus
staff
-
item.openairecristype
http://purl.org/coar/resource_type/c_18cf
-
item.cerifentitytype
Publications
-
item.fulltext
no Fulltext
-
item.openairetype
Thesis
-
item.openairetype
Hochschulschrift
-
item.grantfulltext
none
-
item.languageiso639-1
en
-
crisitem.author.dept
E194-03 - Forschungsbereich Business Informatics
-
crisitem.author.parentorg
E194 - Institut für Information Systems Engineering