An Alternative Threat Model-based Approach for Security Testing

An Alternative Threat Model-based Approach for Security Testing

Bouchaib Falah (School of Science and Engineering, Al Akhawayn University, Ifrane, Morocco), Mohammed Akour (Department of Computer Information Systems, Yarmouk University, Irbid, Jordan) and Samia Oukemeni (School of Science and Engineering, Al Akhawayn University, Ifrane, Morocco)
Copyright: © 2015 |Pages: 15
DOI: 10.4018/IJSSE.2015070103
OnDemand PDF Download:
No Current Special Offers


In modern interaction, web applications has gained more and more popularity, which leads to a significate growth of exposure to malicious users and vulnerability attacks. This causes organizations and companies to lose valuable information and suffer from bad reputation. One of the effective mitigation practices is to perform security testing against the application before release it to the market. This solution won't protect web application 100% but it will test the application against malicious codes and reduce the high number of potential attacks on web application. One of known security testing approach is threat modeling, which provides an efficient technique to identify threats that can compromise system security. The authors proposed method, in this paper, focuses on improving the effectiveness of the categorization of threats by using Open 10 Web Application Security Project's (OWASP) that are the most critical web application security risks in generating threat trees in order to cover widely known security attacks.
Article Preview

2. Threat Modeling

Threat modeling is the process of identifying, analyzing, and mitigating security threats for a system (Swiderski, & Snyder, 2004). . In another word, threat modeling can be similar to miss-use case diagram, where a set of action can be performed in the intention to damage the system (Michael & Steve, 2008; Microsoft, 2015). Threat modeling iteratively evaluates and ranks the potential threats and the proper techniques for reducing threats (Microsoft, 2015).

Threat modeling helps to model the interactions between the various components of an application, in order to (PasGates, 2010):

  • Identify the information to protect;

  • Define authorization and authentication issues;

  • Define the external data input interfaces which will define the scope of tests to be performed;

  • Define possible attacks;

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 8: 4 Issues (2017)
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing