Security testing with Selenium

  • Authors:
  • Vidar Kongsli

  • Affiliations:
  • Bekk Consulting AS, Oslo, Norway

  • Venue:
  • Companion to the 22nd ACM SIGPLAN conference on Object-oriented programming systems and applications companion
  • Year:
  • 2007

Abstract

Selenium is a tool for creating and running automated web tests and is a good fit for agile projects, where it can be used to create acceptance tests corresponding to the web application's user stories. This demonstration will show how Selenium can additionally be leveraged to create security tests. First, we model security threats as misuse stories, similar to user stories except that we focus on illegal or non-normative use of the application. Subsequently, we create security tests in Selenium that manifest the misuse stories by exploiting vulnerabilities in the application. This approach can be seen as a contribution to strengthening the security focus in agile projects by applying familiar agile concepts, methods, and tools to the security aspects of the application. We have found that several of the most common security vulnerabilities in web applications can be addressed with this approach, such as cross-site scripting (XSS), broken authentication and access management, information leakage, and improper error handling. This demonstration will show examples of such vulnerabilities and corresponding tests, in addition to discussing the cases where there are shortcomings.