DocumentCode :
2025593
Title :
Modeling and Testing Secure Web-Based Systems: Application to an Industrial Case Study
Author :
Mallouli, Wissam ; Lallali, Mounir ; Morales, Gerardo ; Cavalli, Ana Rosa
Author_Institution :
CNRS, Inst. Telecom / Telecom SudParis, France
fYear :
2008
fDate :
Nov. 30 2008-Dec. 3 2008
Firstpage :
128
Lastpage :
136
Abstract :
Ensuring that a Web-based system respects its security requirements is a critical issue that has become more and more difficult to perform in recent years. This difficulty is due to the complexity level of such systems as well as their variety and increasing distribution. To guarantee such respect, we need to test the target Web system by applying a complete set of test cases covering all the possible scenarios. To reach this aim, we first specify the Web system behavior from its functional point of view using the IF language. Second, this model is augmented by applying a set of dedicated algorithms to integrate timed security properties specified in the Nomad language. This language is well adapted to express security properties with time constraints. Then, we use a dedicated tool called TestGen-IF to perform an automatic generation of test cases targeting security purposes. These test sequences are transformed into executable test cases that can be applied on a real Web application. We present in this paper an industrial Web-based system provided by France Telecom as a case study to demonstrate the reliability of our framework.
Keywords :
Internet; formal languages; formal specification; program testing; security of data; France Telecom; IF language; Nomad language; TestGen-IF; Web system behavior; Web-based systems; automatic test generation; executable test cases; industrial Web-based system; industrial case study; security requirements; target Web system; timed security property; Application software; Automata; Automatic testing; Communication industry; Communication system security; Data security; Performance evaluation; System testing; Telecommunications; Time factors; Nomad Language; Security Policy Specification; Security Validation; Test Execution; Test Generation; Timed Automata; Web Applications;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Signal Image Technology and Internet Based Systems, 2008. SITIS '08. IEEE International Conference on
Conference_Location :
Bali
Print_ISBN :
978-0-7695-3493-0
Type :
conf
DOI :
10.1109/SITIS.2008.58
Filename :
4725796