Improving Penetration Testing Methodologies for Security-Based Risk Assessment

Joel Dawson, J. Todd McDonald

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

6 Scopus citations

Abstract

The crisis of insecure software has resulted in a drastic increase in the frequency and impact of cyber attacks on businesses and individual users alike. The discipline of secure software engineering has evolved as a response to this trend, with the aim of producing software with fewer coding bugs or design flaws that result in exploitable vulnerabilities. However, secure software engineering is a young discipline, and many software artifacts in current use were created before, or in ignorance of, its development. Software practitioners would benefit greatly from a rigorous methodology for analyzing and validating software that has already entered its maintenance lifecycle. In this paper, we present a combined penetrating testing methodology that incorporates strengths of several existing approaches, with the goal to understand their utility and benefit for analyzing security of existing software programs. We exercise this methodology through a case study applied to a popular tool used by many network security practitioners: Wireshark. As a contribution, our study illustrates the benefits of a combined approach and outlines recommendations for a holistic method that will improve security-based risk assessment. Specifically, we show how application of rigorous test-driven threat modeling can produce better abuse cases, which can in turn be used to inform and more precisely define penetration testing activities.

Original languageEnglish
Title of host publicationProceedings - 2016 Cybersecurity Symposium, CYBERSEC 2016
EditorsDaniel Conte de Leon, Dilshani Sarathchandra, Kristin Haltinner, Kevin Chang, Francesco Mercaldo, Jia Song, Michael Haney, Jim Alves-Foss
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages51-58
Number of pages8
ISBN (Electronic)9781509057719
DOIs
StatePublished - Jul 2 2016
Externally publishedYes
Event3rd Cybersecurity Symposium, CYBERSEC 2016 - Coeur d'Alene, United States
Duration: Apr 18 2016Apr 20 2016

Publication series

NameProceedings - 2016 Cybersecurity Symposium, CYBERSEC 2016

Conference

Conference3rd Cybersecurity Symposium, CYBERSEC 2016
Country/TerritoryUnited States
CityCoeur d'Alene
Period04/18/1604/20/16

Keywords

  • Abuse cases
  • Academic case studies
  • Penetration testing
  • Risk assessment
  • Secure software engineering

Fingerprint

Dive into the research topics of 'Improving Penetration Testing Methodologies for Security-Based Risk Assessment'. Together they form a unique fingerprint.

Cite this