The Fourth International Workshop on Security Testing (SECTEST 2013)
Keqin Li, SAP Research, France
Wissam Mallouli, Montimage, France
Abstract—To improve software security, several techniques, including vulnerability modelling and security testing, have been developed, but the problem remains unsolved. On one hand, the SECTEST workshop tries to answer how vulnerability modelling can help users understand the occurrence of vulnerabilities so as to avoid them, and what the advantages and drawbacks of the existing models for representing vulnerabilities are. At the same time, the workshop tries to understand how to solve the challenging security testing problem, given that testing the mere functionality of a system is already a fundamentally critical task, how security testing differs from and relates to classical functional testing, and how to assess the quality of security testing. The objective of this workshop is to share ideas, methods, techniques, and tools about vulnerability modelling and security testing to improve the state of the art.
I. THEME, GOALS AND TOPICS OF THE WORKSHOP
The goal of the SECTEST workshop is to provide a forum
for security testing practitioners and researchers to exchange
ideas, perspectives on problems, and solutions. We welcome
both papers proposing novel models, methods, and algorithms,
and papers reporting experiences on the application of existing
methods on case studies and industrial examples. The topics
of interest include but are not restricted to:
• network security testing
• application security testing
• security requirements definition and modelling
• security and vulnerability modelling
• runtime monitoring of security-relevant applications
• security testing of legacy systems
• cost effectiveness issues
• comparisons between security-by-design and formal analyses
• formal techniques for security testing and validation
• security test generation and oracle derivation
• specifying testable security constraints
• test automation
• penetration testing
• regression testing for security
• robustness and fault tolerance to attacks
• test-driven diagnosis of security weaknesses
• processes and models for designing and testing secure systems
• when to perform security analysis and testing
• “white box” security testing techniques
• compile time fault detection and program verification
• tools and case studies
• industrial experience reports
The workshop topic is of direct interest to members of the
ICST community, since it deals with testing, verification and
validation methodologies oriented to the security field.
The SECTEST workshop is a follow-up and combination of
the First International Workshop on Security Testing
(SECTEST 2008 [1]) and the First International Workshop on
Modelling and Detection of Vulnerabilities (MDV 2010 [2]).
The Second International Workshop on Security Testing
(SECTEST 2011 [3]) was organized in conjunction with the
IEEE International Conference on Software Testing,
Verification and Validation (ICST 2011 [4]) and was held in
Berlin, Germany on March 25th, 2011. The Third International
Workshop on Security Testing (SECTEST 2012 [5]) was also
organized in conjunction with the IEEE International
Conference on Software Testing, Verification and Validation
(ICST 2012 [6]) and was held in Montreal, Canada on
April 21st, 2012.
II. WORKSHOP ORGANIZING COMMITTEE
The workshop organizing committee is composed of Keqin
Li and Wissam Mallouli.
1) Keqin Li: Dr. Keqin Li received his Ph.D. in Computer
Software and Theory from Peking University, China. Before
joining SAP Research, he was a researcher in Bell Labs
Research China, Lucent Technologies, and a post-doc in
Grenoble Universities. His research interests include security
engineering and software and security testing, and he has
published a number of scientific papers in these areas.
He was one of the organizers of MIIT 2010 and of SECTEST
2011 and 2012.
2) Wissam Mallouli: Dr. Wissam Mallouli, senior R&D
engineer at Montimage, graduated from the National
Institute of Telecommunication (INT) engineering school
in 2005. He received his Master's degree from Evry Val
d'Essonne University also in 2005 and his PhD in computer
science from Telecom and Management SudParis (France)
in 2008. His topics of interest cover formal security testing
of critical systems and distributed networks. Dr. Wissam
Mallouli is an expert in testing methodologies. He has a strong
background in monitoring and testing network security
(protocols and equipment) and solid experience in project
and R&D management. He is involved in several European
(FP6/FP7 IST, CELTIC, ITEA) and national projects, and
serves on the program committees of numerous national and
international conferences. He has published more than 20
papers in conference proceedings, books and journals. He was
one of the organizers of MDV 2010, SETOP 2010, SECTEST
2011 and SECTEST 2012.

[1] SECTEST 2008: http://www.inf.ethz.ch/personal/pretscha/events/sectest08/
[2] MDV 2010: http://shields-project.eu/?q=node/62
[3] SECTEST 2011: http://www.avantssar.eu/sectest2011
[4] ICST 2011: http://sites.google.com/site/icst2011
[5] SECTEST 2012: http://www.spacios.eu/sectest2012/
[6] ICST 2012: http://icst2012.soccerlab.polymtl.ca/Content/home/index.php

2013 IEEE Sixth International Conference on Software Testing, Verification and Validation Workshops
978-0-7695-4993-4/13 $26.00 © 2013 IEEE
DOI 10.1109/ICSTW.2013.66
III. WORKSHOP PROGRAM COMMITTEE
• Paul Ammann (George Mason University, USA)
• Alessandra Bagnato (TXT e-solutions, Corporate Research Division, Italy)
• Ruth Breu (University of Innsbruck, Austria)
• Achim Brucker (SAP Research, Germany)
• Frederic Cuppens (Telecom Bretagne, France)
• Khaled El Fakih (American University of Sharjah, UAE)
• Ylies Falcone (Grenoble University, France)
• Daniel Faigin (The Aerospace Corporation, USA)
• Roland Groz (Grenoble University, France)
• Bruno Legeard (Smartesting, France)
• Keqin Li (SAP Research, France; co-chair)
• Lijun Liu (China Mobile Research Institute, China)
• Wissam Mallouli (Montimage, France; co-chair)
• Jun Pang (University of Luxembourg, Luxembourg)
• Nahid Shahmehri (Linkopings University, Sweden)
• Luca Vigano (University of Verona, Italy)
• Bachar Wehbi (Montimage, France)
• Nina Yevtushenko (Tomsk State University, Russia)
IV. WORKSHOP STEERING COMMITTEE
The workshop steering committee is composed of:
• Alessandro Armando (University of Genova, Italy)
• Ana Cavalli (Telecom SudParis, France)
• Jorge Cuellar (Siemens, Germany)
• Alexander Pretschner (KIT, Germany)
• Yves Le Traon (University of Luxembourg, Luxembourg)
V. INVITED TALK
Speaker: Prof. Yves Le Traon (University of Luxembourg)
Title: Security testing: a key challenge for software engineering
of web apps.
While important efforts are dedicated to system functional
testing, very few works study how to specifically and
systematically test security mechanisms. In this talk, Prof. Yves
Le Traon presented two categories of approaches.
The first category aims at assessing the compliance of security
mechanisms with declared policies. Any security policy is
strongly connected to system functionality: testing the
functionality exercises many security mechanisms. However,
functional testing is not intended to exercise all security
mechanisms. Test selection criteria are thus proposed to
produce tests from a security policy. Empirical results were
presented on access control policies and on Android app
permission checks.
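As an added illustration of this first category (example code written for this page, not code from the talk or the workshop): the policy, the roles, resources and actions, and the faulty implementation below are all constructed. The test selection criterion derives one test per (role, resource, action) triple from the policy itself, including triples the policy never mentions, so default-deny is checked as well. A happy-path functional suite passes a mutant that the policy-derived suite rejects, which is the point the talk makes about functional testing not exercising every security mechanism.

```javascript
// Added example, not from the talk: deriving security tests from an
// access-control policy and comparing them with a functional suite.

// Constructed policy: explicit rules; anything not listed is denied.
// Roles, resources and actions are hypothetical.
const POLICY = [
  { role: "admin",   resource: "report", action: "read",   effect: "permit" },
  { role: "admin",   resource: "report", action: "delete", effect: "permit" },
  { role: "auditor", resource: "report", action: "read",   effect: "permit" },
  { role: "auditor", resource: "report", action: "delete", effect: "deny" },
];
const ROLES = ["admin", "auditor", "guest"];
const RESOURCES = ["report"];
const ACTIONS = ["read", "delete"];

// Reference decision taken from the policy: first matching rule wins,
// otherwise deny. Expected outcomes come from here, never from the
// implementation under test.
function referenceDecision(role, resource, action) {
  const rule = POLICY.find(
    r => r.role === role && r.resource === resource && r.action === action);
  return rule ? rule.effect : "deny";
}

// Test selection criterion: one test per (role, resource, action) triple,
// including triples absent from the policy so that default-deny is tested.
function generatePolicyTests() {
  const tests = [];
  for (const role of ROLES)
    for (const resource of RESOURCES)
      for (const action of ACTIONS)
        tests.push({ role, resource, action,
                     expected: referenceDecision(role, resource, action) });
  return tests;
}

// Run a candidate isAllowed(role, resource, action) -> boolean against a
// test set and return the tests it gets wrong.
function runTests(isAllowed, tests) {
  return tests.filter(t =>
    (isAllowed(t.role, t.resource, t.action) ? "permit" : "deny") !== t.expected);
}

// Correct implementation of the policy.
function isAllowedCorrect(role, resource, action) {
  return referenceDecision(role, resource, action) === "permit";
}

// Constructed mutant: the delete branch copied the read branch and forgot
// to restrict deletion to admins, so auditors can delete reports.
function isAllowedMutant(role, resource, action) {
  if (resource !== "report") return false;
  if (action === "read")   return role === "admin" || role === "auditor";
  if (action === "delete") return role === "admin" || role === "auditor"; // bug
  return false;
}

// A purely functional suite: exercises the admin happy path only.
const FUNCTIONAL_TESTS = [
  { role: "admin", resource: "report", action: "read",   expected: "permit" },
  { role: "admin", resource: "report", action: "delete", expected: "permit" },
];

function summary() {
  const policyTests = generatePolicyTests();
  return {
    policyTestCount: policyTests.length,
    functionalMissesMutant: runTests(isAllowedMutant, FUNCTIONAL_TESTS).length === 0,
    policyCatchesMutant: runTests(isAllowedMutant, policyTests).length > 0,
    correctPasses: runTests(isAllowedCorrect, policyTests).length === 0,
    mutantFailures: runTests(isAllowedMutant, policyTests),
  };
}

console.log(summary());
```

The only failing policy-derived test is (auditor, report, delete), the rule the mutant violates; the functional suite never visits that triple, so it reports success.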
The second category concerns the attack surface of web apps,
with a particular focus on the sensitivity of web browsers to
XSS attacks. Indeed, one of the major threats against web
applications is Cross-Site Scripting (XSS), which crosses several
web components: the web server, security components and
finally the client's web browser. The final target is thus the
client running a particular web browser. During the last decade,
several competing web browsers (IE, Netscape, Chrome, Firefox)
have been upgraded to add new features for the benefit of end
users. However, these improvements have not been accompanied
by systematic security regression testing. Beginning with an
analysis of their current degree of exposure to XSS, we extend
the empirical study to a decade of versions of the most popular
web browsers. The results reveal a chaotic evolution of the
attack surface of most web browsers over time. This shows an
urgent need for regression testing strategies to ensure that
security is not sacrificed when a new version is delivered. In
both cases, security must become a specific target for testing
in order to reach a satisfying level of confidence in security
mechanisms.
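An added example (written for this page, not code from the talk or the workshop) of the security regression testing the talk calls for, applied to an output-encoding routine rather than to a browser: the XSS vectors, both encoder versions and the markup oracle are constructed. Version 2 ships a feature (keeping user-supplied <b> tags) and, in doing so, lets an event-handler attribute through that version 1 encoded; running the fixed vector corpus against every release is what surfaces the regression.

```javascript
// Added example: security regression harness for an output-encoding routine.
// Vectors, encoders and the oracle are constructed for illustration.

// Constructed XSS vector corpus; every release must be run against it.
const XSS_VECTORS = [
  '<script>alert(1)</script>',
  '"><img src=x onerror=alert(1)>',
  '<b onmouseover=alert(1)>hover</b>',
  '<svg/onload=alert(1)>',
  '</b><script>alert(1)</script>',
  'plain text with <b>bold</b>',
];

// Version 1: HTML-encode every markup-significant character.
function encodeV1(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return untrusted.replace(/[&<>"']/g, c => map[c]);
}

// Version 2: a "feature" release that lets users keep <b> tags. The tag is
// restored with a regex that preserves whatever sat between the angle
// brackets, attributes included; this is the constructed regression.
function encodeV2(untrusted) {
  return encodeV1(untrusted).replace(/&lt;(\/?b\b.*?)&gt;/g, '<$1>');
}

// Oracle: script-capable markup survived if any tag in the output is
// anything other than a bare <b> or </b>. A real harness would render the
// output in the browsers under test; this structural check runs offline.
function survivesAsMarkup(output) {
  const tags = output.match(/<[^>]*>/g) || [];
  return tags.some(tag => !/^<\/?b>$/i.test(tag));
}

// Run every encoder version against the whole corpus and report, per
// version, the vectors that still come out as executable markup.
function regressionReport(versions, vectors) {
  const report = {};
  for (const [name, encode] of Object.entries(versions)) {
    report[name] = vectors.filter(v => survivesAsMarkup(encode(v)));
  }
  return report;
}

const REPORT = regressionReport({ v1: encodeV1, v2: encodeV2 }, XSS_VECTORS);
console.log(REPORT); // v1: []  v2: ['<b onmouseover=alert(1)>hover</b>']
```

The harness is deliberately independent of the feature being added: the corpus and the oracle do not change between releases, so a vector that version 1 neutralised and version 2 lets through is reported as a regression rather than silently accepted as part of the new behaviour.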
VI. THE EVENT
The SECTEST workshop was successful and had one of the
highest submission and attendance rates among the ICST
workshops. Submissions came from several countries (France,
Austria, Finland, Germany, India, the Netherlands, Japan and
the UK). The quality of the accepted papers was high, which
attracted around 30 participants to the workshop. Members of
the audience commented that the topic of the workshop was
interesting and that they intended to submit to the next
edition of the workshop, in 2014 in the USA.