
Article information

  • Title: AN OPTIMIZED ATTACK TREE MODEL FOR SECURITY TEST CASE PLANNING AND GENERATION
  • Authors: HABEEB OMOTUNDE; ROSZIATI IBRAHIM; MARYAM AHMED
  • Journal: Journal of Theoretical and Applied Information Technology
  • Print ISSN: 1992-8645
  • Electronic ISSN: 1817-3195
  • Year of publication: 2018
  • Volume: 96
  • Issue: 17
  • Publisher: Journal of Theoretical and Applied
  • Abstract: Securing software assets via efficient test case management is an important task in order to realize business goals. Given the huge risks web applications face due to incessant cyberattacks, a proactive risk strategy such as threat modeling is adopted. It involves the use of attack trees for identifying software vulnerabilities at the earliest phase of software development, which is critical to successfully protecting these applications. Although much research has been dedicated to security testing with attack tree models, test case redundancy in this threat modeling technique has been a major issue, leading to poor test coverage and expensive security testing exercises. This paper presents an attack tree modeling algorithm for deriving a minimal set of effective attack vectors required to test a web application for SQL injection vulnerabilities. By leveraging the optimized attack tree algorithm used in this research work, the threat model produces efficient test plans from which adequate test cases are derived to ensure a secure web application is designed, implemented and deployed. The experimental result shows an average optimization rate of 41.67%, from which 7 test plans and 13 security test cases were designed to mitigate all SQL injection vulnerabilities in the web application under test. A 100% security risk intervention of the web application was achieved with respect to preventing SQL injection attacks after applying all security recommendations from the test case execution report.
  • Keywords: Security Testing; SQL injection; Attack trees; Threat Modeling; MOTH