An Evaluation of a Test-Driven Security Risk Analysis Approach Based on Two Industrial Case Studies

Gencer Erdogan, Phu H. Nguyen, Fredrik Seehusen, Ketil Stølen, Jon Hofstad, Jan Øyvind Aagedal
Copyright: © 2019 | Pages: 35
ISBN13: 9781522563136 | ISBN10: 152256313X | ISBN13 Softcover: 9781522586135 | EISBN13: 9781522563143
DOI: 10.4018/978-1-5225-6313-6.ch004
Cite Chapter

MLA

Erdogan, Gencer, et al. "An Evaluation of a Test-Driven Security Risk Analysis Approach Based on Two Industrial Case Studies." Exploring Security in Software Architecture and Design, edited by Michael Felderer and Riccardo Scandariato, IGI Global, 2019, pp. 69-103. https://doi.org/10.4018/978-1-5225-6313-6.ch004

APA

Erdogan, G., Nguyen, P. H., Seehusen, F., Stølen, K., Hofstad, J., & Aagedal, J. Ø. (2019). An Evaluation of a Test-Driven Security Risk Analysis Approach Based on Two Industrial Case Studies. In M. Felderer & R. Scandariato (Eds.), Exploring Security in Software Architecture and Design (pp. 69-103). IGI Global. https://doi.org/10.4018/978-1-5225-6313-6.ch004

Chicago

Erdogan, Gencer, et al. "An Evaluation of a Test-Driven Security Risk Analysis Approach Based on Two Industrial Case Studies." In Exploring Security in Software Architecture and Design, edited by Michael Felderer and Riccardo Scandariato, 69-103. Hershey, PA: IGI Global, 2019. https://doi.org/10.4018/978-1-5225-6313-6.ch004

Abstract

Risk-driven testing and test-driven risk assessment are two strongly related approaches, though the latter is less explored. This chapter presents an evaluation of a test-driven security risk assessment approach to assess how useful testing is for validating and correcting security risk models. Based on the guidelines for case study research, two industrial case studies were analyzed: a multilingual financial web application and a mobile financial application. In both case studies, the testing yielded new information that was not found in the risk assessment phase. In the first case study, new vulnerabilities were found that resulted in an update of the likelihood values of threat scenarios and risks in the risk model. New vulnerabilities were also identified and added to the risk model in the second case study. These updates led to more accurate risk models, which indicates that the testing was indeed useful for validating and correcting the risk models.
