Here you will find scientific publications from the Fraunhofer Institutes.

Combining risk analysis and security testing

Großmann, Jürgen; Schneider, Martin; Viehmann, Johannes; Wendland, Marc-Florian


Margaria-Steffen, T. (Ed.):
Leveraging applications of formal methods, verification and validation. Specialized techniques and applications. 6th international symposium, ISoLA 2014. Vol.2 : Imperial, Corfu, Greece, October 8-11, 2014; Proceedings
Berlin: Springer, 2014 (Lecture Notes in Computer Science 8803)
ISBN: 978-3-662-45230-1 (Print)
ISBN: 978-3-662-45231-8 (Online)
ISBN: 3-662-45230-8
International Symposium on Leveraging Applications of Formal Methods, Verification and Validation (ISoLA) <6, 2014, Corfu>
International School on Tool-Based Rigorous Engineering of Software Systems (STRESS) <3, 2014, Corfu>
European Commission EC
FP7; 316853; RASEN
European Commission EC
FP7; 318786; MIDAS
Fraunhofer FOKUS

A systematic integration of risk analysis and security testing allows for optimizing the test process as well as the risk assessment itself. The result of the risk assessment, i.e. the identified vulnerabilities, threat scenarios and unwanted incidents, can be used to guide the test identification and may complement requirements engineering results with systematic information concerning the threats and vulnerabilities of a system and their probabilities and consequences. This information can be used to weight threat scenarios and thus help identify the ones that need to be treated and tested more carefully. On the other hand, risk-based testing approaches can help to optimize the risk assessment itself by gaining empirical knowledge on the existence of vulnerabilities, the applicability and consequences of threat scenarios and the quality of countermeasures. This paper outlines a tool-based approach for risk-based security testing that combines the notion of risk assessment with a pattern-based approach for automatic test generation relying on test directives and strategies, and shows how results from the testing are systematically fed back into the risk assessment.