A set of preconditions, inputs (including actions, where applicable), and expected results, developed to drive the execution of a test item to meet test objectives, including correct implementation, error identification, checking quality, and other valued information. The terms test case and test are sometimes used interchangeably.
Published in Chapter:
An Evaluation of a Test-Driven Security Risk Analysis Approach Based on Two Industrial Case Studies
Gencer Erdogan (SINTEF Digital, Norway), Phu H. Nguyen (SINTEF Digital, Norway), Fredrik Seehusen (SINTEF Digital, Norway), Ketil Stølen (SINTEF Digital, Norway), Jon Hofstad (PWC, Norway), and Jan Øyvind Aagedal (Equatex, Norway)
Copyright: © 2019
|Pages: 35
DOI: 10.4018/978-1-5225-6313-6.ch004
Abstract
Risk-driven testing and test-driven risk assessment are two strongly related approaches, though the latter is less explored. This chapter presents an evaluation of a test-driven security risk assessment approach to assess how useful testing is for validating and correcting security risk models. Based on the guidelines for case study research, two industrial case studies were analyzed: a multilingual financial web application and a mobile financial application. In both case studies, the testing yielded new information, which was not found in the risk assessment phase. In the first case study, new vulnerabilities were found that resulted in an update of the likelihood values of threat scenarios and risks in the risk model. New vulnerabilities were also identified and added to the risk model in the second case study. These updates led to more accurate risk models, which indicate that the testing was indeed useful for validating and correcting the risk models.