Mutation Analysis of Magento for Evaluating Threat Model-Based Security Testing

Authors: L. Thomas (National Center for the Protection of the Financial Infrastructure, Dakota State University, Madison, SD, USA); Weifeng Xu; Dianxiang Xu

Security testing is a major means of assuring software security, and many security testing techniques have been developed in the past. Benchmarks, however, are in great demand for empirically evaluating the vulnerability detection capabilities of these techniques. To develop such a benchmark, this paper presents an approach to security mutation analysis of Magento, a fully-fledged open source e-commerce web application, for evaluating automated security testing techniques. We create security mutants by injecting vulnerabilities in a systematic way. Specifically, we consider the causes of vulnerabilities according to OWASP's top 10 web application security risks and the application's business logic, as well as the various consequences of vulnerabilities (i.e., STRIDE attacks). We have created 63 mutants and applied them successfully to the evaluation of two security testing techniques that use threat trees and threat nets as threat models for test generation. Our experiments show that these testing methods can kill most of the mutants but cannot detect the vulnerabilities that are not captured by the threat models.
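To make the mutation-analysis procedure concrete, here is a small added Python example (not the paper's code and not Magento's): a toy order handler stands in for the application, four constructed mutants each inject one vulnerability tagged with its STRIDE consequence, and a test suite derived from a threat model that covers only spoofing, tampering and privilege escalation is run against every mutant. A mutant is killed when at least one test fails on it; the mutant whose flaw the threat model never captured survives, which is exactly the blind spot the abstract describes.

```python
import html
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Request:
    user: str
    role: str
    csrf_token: str
    comment: str

def make_handler(check_role=True, check_csrf=True, escape_output=True, audit=True) -> Callable:
    """Build a toy 'place order' handler; every flag set to False injects one vulnerability."""
    def handler(req: Request, session_token: str = "tok") -> dict:
        if check_role and req.role != "customer":
            return {"status": 403}                      # authorization check
        if check_csrf and req.csrf_token != session_token:
            return {"status": 403}                      # anti-CSRF token check
        echo = html.escape(req.comment) if escape_output else req.comment
        entry = f"{req.user} placed order" if audit else None
        return {"status": 200, "echo": echo, "audit": entry}
    return handler

ORIGINAL = make_handler()
# Constructed mutants, each tagged with the STRIDE consequence of the injected flaw.
MUTANTS: Dict[str, Callable] = {
    "M1 no authorization check (Elevation of privilege)": make_handler(check_role=False),
    "M2 no CSRF token check (Spoofing)": make_handler(check_csrf=False),
    "M3 unescaped output (Tampering)": make_handler(escape_output=False),
    "M4 no audit record (Repudiation)": make_handler(audit=False),
}
# Tests derived from a (hypothetical) threat model covering spoofing, tampering and
# privilege escalation, but silent on repudiation. Each returns True when it passes.
def anonymous_cannot_order(h) -> bool:
    return h(Request("guest", "anonymous", "tok", "hi"))["status"] == 403
def forged_token_rejected(h) -> bool:
    return h(Request("alice", "customer", "forged", "hi"))["status"] == 403
def comment_is_escaped(h) -> bool:
    return "<" not in h(Request("alice", "customer", "tok", "<b>x</b>"))["echo"]
THREAT_MODEL_TESTS: List[Callable] = [anonymous_cannot_order, forged_token_rejected, comment_is_escaped]

def mutation_analysis(tests: List[Callable], mutants: Dict[str, Callable]) -> Tuple[List[str], List[str]]:
    """A mutant is killed when at least one test fails on it; survivors expose model blind spots."""
    killed = [name for name, h in mutants.items() if not all(t(h) for t in tests)]
    survived = [name for name in mutants if name not in killed]
    return killed, survived

if __name__ == "__main__":
    assert all(t(ORIGINAL) for t in THREAT_MODEL_TESTS)   # the suite must pass on the original
    k, s = mutation_analysis(THREAT_MODEL_TESTS, MUTANTS)
    print(f"mutation score {len(k)}/{len(MUTANTS)}; survived: {s}")
```

The surviving mutant is the signal of interest: a repudiation flaw that no threat-tree-derived test exercises, so the threat model, not the test generator, is what needs extending.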

Published in:

Computer Software and Applications Conference Workshops (COMPSACW), 2011 IEEE 35th Annual

Date of Conference:

18-22 July 2011