DocumentCode :
2445877
Title :
A model-driven penetration test framework for Web applications
Author :
Xiong, Pulei ; Peyton, Liam
Author_Institution :
SITE, Univ. of Ottawa, Ottawa, ON, Canada
fYear :
2010
fDate :
17-19 Aug. 2010
Firstpage :
173
Lastpage :
180
Abstract :
Penetration testing is widely used to audit the security protection of Web applications. However, it is often performed by specialized security experts after development is completed and the application deployed into production. In this paper, we propose a model-driven penetration test framework for Web applications which provides a repeatable, systematic and cost-efficient approach fully integrated into a Security-Oriented Software Development Life Cycle. Security experts are still required to maintain knowledge used by the framework, but regular testing personnel are capable of creating, running and maintaining penetration test campaigns. A prototype of the framework has been implemented and applied to two Web applications: the benchmark WebGoat web application, and a hospital adverse event management system currently under development. A preliminary evaluation based on the prototype demonstrates the feasibility and efficiency of the proposed framework.
Keywords :
Internet; security of data; software engineering; Web application; hospital adverse event management system; model driven penetration test; security expert; security oriented software development life cycle; security protection; Book reviews; Computer architecture; Databases; Knowledge engineering; Programming; Security; Testing; Model-Driven; Penetration Testing; Software Engineering; Web Security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Privacy Security and Trust (PST), 2010 Eighth Annual International Conference on
Conference_Location :
Ottawa, ON
Print_ISBN :
978-1-4244-7551-3
Electronic_ISBN :
978-1-4244-7549-0
Type :
conf
DOI :
10.1109/PST.2010.5593250
Filename :
5593250