[IEEE 2013 IEEE 6th International Conference On Software Testing, Verification and Validation Workshops (ICSTW) - Luxembourg, Luxembourg (2013.03.18-2013.03.22)] 2013 IEEE Sixth International


The Fourth International Workshop on Security Testing (SECTEST 2013)

Keqin Li, SAP Research, France
[email protected]

Wissam Mallouli, Montimage, France
[email protected]

Abstract—To improve software security, several techniques, including vulnerability modelling and security testing, have been developed, but the problem remains unsolved. On one hand, the SECTEST workshop tries to answer how vulnerability modelling can help users understand the occurrence of vulnerabilities so as to avoid them, and what the advantages and drawbacks of the existing models are for representing vulnerabilities. At the same time, the workshop tries to understand how to solve the challenging security testing problem given that testing the mere functionality of a system alone is already a fundamentally critical task, how security testing is different from and related to classical functional testing, and how to assess the quality of security testing. The objective of this workshop is to share ideas, methods, techniques, and tools about vulnerability modelling and security testing to improve the state of the art.

I. THEME, GOALS AND TOPICS OF THE WORKSHOP

The goal of the SECTEST workshop is to provide a forum for security testing practitioners and researchers to exchange ideas, perspectives on problems, and solutions. We welcome both papers proposing novel models, methods, and algorithms, and papers reporting experiences on the application of existing methods on case studies and industrial examples. The topics of interest include but are not restricted to:

• network security testing

• application security testing

• security requirements definition and modelling

• security and vulnerability modelling

• runtime monitoring of security-relevant applications

• security testing of legacy systems

• cost effectiveness issues

• comparisons between security-by-design and formal analyses

• formal techniques for security testing and validation

• security test generation and oracle derivation

• specifying testable security constraints

• test automation

• penetration testing

• regression testing for security

• robustness and fault tolerance to attacks

• test-driven diagnosis of security weaknesses

• process and models for designing and testing secure systems

• when to perform security analysis and testing

• “white box” security testing techniques

• compile time fault detection and program verification

• tools and case studies

• industrial experience reports

The workshop topic is very interesting for members of the ICST community since it deals with testing, verification and validation methodologies mainly oriented to the security field.

The SECTEST workshop is a follow-up and combination of the First International Workshop on Security Testing (SECTEST 2008 [1]) and the First International Workshop on Modelling and Detection of Vulnerabilities (MDV 2010 [2]). The Second International Workshop on Security Testing (SECTEST 2011 [3]) was organized in conjunction with the IEEE International Conference on Software Testing, Verification and Validation (ICST 2011 [4]). It was held in Berlin, Germany on March 25th 2011. The Third International Workshop on Security Testing (SECTEST 2012 [5]) was also organized in conjunction with the IEEE International Conference on Software Testing, Verification and Validation (ICST 2012 [6]). It was held in Montreal, Canada on April 21st 2012.

II. WORKSHOP ORGANIZING COMMITTEE

The workshop organizing committee is composed of Keqin Li and Wissam Mallouli.

1) Keqin Li: Dr. Keqin Li received his Ph.D. in Computer Software and Theory from Peking University, China. Before joining SAP Research, he was a researcher in Bell Labs Research China, Lucent Technologies, and a post-doc in Grenoble Universities. His research interests include security engineering, and software and security testing, and he has published various scientific publications in his area of interest. He was one of the organizers of MIIT 2010 and SECTEST 2011 and 2012.

2) Wissam Mallouli: Dr. Wissam Mallouli, senior R&D engineer at Montimage, graduated from the National Institute of Telecommunication (INT) engineering school in 2005. He received his Masters degree from Evry Val d'Essonne University also in 2005 and his PhD in computer science from Telecom and Management SudParis (France) in 2008. His topics of interest cover formal security testing of critical systems and distributed networks. Dr. Wissam Mallouli is an expert in testing methodologies. He has a strong background in monitoring and testing network security (protocols and equipment). He also has solid experience in project and R&D management. He is involved in several projects such as the FP6/FP7 IST calls, CELTIC, ITEA projects and national ones. He also participates in the program committees of numerous national and international conferences. He has published more than 20 papers in conference proceedings, books and journals. He was one of the organizers of MDV 2010, SETOP 2010, SECTEST 2011 and SECTEST 2012.

[1] SECTEST 2008: http://www.inf.ethz.ch/personal/pretscha/events/sectest08/
[2] MDV 2010: http://shields-project.eu/?q=node/62
[3] SECTEST 2011: http://www.avantssar.eu/sectest2011
[4] ICST 2011: http://sites.google.com/site/icst2011
[5] SECTEST 2012: http://www.spacios.eu/sectest2012/
[6] ICST 2012: http://icst2012.soccerlab.polymtl.ca/Content/home/index.php

2013 IEEE Sixth International Conference on Software Testing, Verification and Validation Workshops
978-0-7695-4993-4/13 $26.00 © 2013 IEEE
DOI 10.1109/ICSTW.2013.66

III. WORKSHOP PROGRAM COMMITTEE

• Paul Ammann (George Mason University, USA)

• Alessandra Bagnato (TXT e-solutions, Corporate Research Division, Italy)

• Ruth Breu (University of Innsbruck, Austria)

• Achim Brucker (SAP Research, Germany)

• Frederic Cuppens (Telecom Bretagne, France)

• Khaled El Fakih (American University of Sharjah, UAE)

• Ylies Falcone (Grenoble University, France)

• Daniel Faigin (The Aerospace Corporation, USA)

• Roland Groz (Grenoble University, France)

• Bruno Legeard (Smartesting, France)

• Keqin Li (SAP Research, France; co-chair)

• Lijun Liu (China Mobile Research Institute, China)

• Wissam Mallouli (Montimage, France; co-chair)

• Jun Pang (University of Luxembourg, Luxembourg)

• Nahid Shahmehri (Linkopings University, Sweden)

• Luca Vigano (University of Verona, Italy)

• Bachar Wehbi (Montimage, France)

• Nina Yevtushenko (Tomsk State University, Russia)

IV. WORKSHOP STEERING COMMITTEE

The workshop steering committee is composed of:

• Alessandro Armando (University of Genova, Italy)

• Ana Cavalli (Telecom SudParis, France)

• Jorge Cuellar (Siemens, Germany)

• Alexander Pretschner (KIT, Germany)

• Yves Le Traon (University of Luxembourg, Luxembourg)

V. INVITED TALK

Speaker: Prof. Yves Le Traon (University of Luxembourg)

Title: Security testing: a key challenge for software engineering of web apps.

While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, Prof. Yves Le Traon presented two categories of approaches.

The first ones aimed at assessing the compliance of security mechanisms with declared policies. Any security policy is strongly connected to system functionality: testing functionality exercises many security mechanisms. However, functional testing does not aim at exercising all security mechanisms. Test selection criteria are thus proposed to produce tests from a security policy. Empirical results were presented about access control policies and about Android apps' permission checks.

The second ones concerned the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS), which crosses several web components: the web server, security components and finally the client's web browser. The final target is thus the client running a particular web browser. During the last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the final users' benefit. However, the improvement of web browsers is not coupled with systematic security regression testing. Beginning with an analysis of their current degree of exposure to XSS, we extend the empirical study to a decade of the most popular web browser versions. The results reveal a chaotic behavior in the evolution of most web browsers' attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms.

VI. THE EVENT

The SECTEST workshop was successful and had one of the highest submission and attendance rates compared to the other ICST conference workshops. Submissions came from different countries (France, Austria, Finland, Germany, India, Netherlands, Japan and UK). The quality of the accepted papers was high, which attracted around 30 participants to the workshop. There were comments from the audience saying that the topic of the workshop was interesting and that they were willing to submit to the next edition of the workshop in 2014 in the USA.