Affiliation:
1. SINTEF Digital, Norway
2. PWC, Norway
3. Equatex, Norway
Abstract
Risk-driven testing and test-driven risk assessment are two strongly related approaches, though the latter is less explored. This chapter presents an evaluation of a test-driven security risk assessment approach, assessing how useful testing is for validating and correcting security risk models. Following the guidelines for case study research, two industrial case studies were analyzed: a multilingual financial web application and a mobile financial application. In both case studies, the testing yielded new information that had not been found in the risk assessment phase. In the first case study, new vulnerabilities were found, which resulted in an update of the likelihood values of threat scenarios and risks in the risk model. In the second case study, new vulnerabilities were likewise identified and added to the risk model. These updates led to more accurate risk models, which indicates that the testing was indeed useful for validating and correcting the risk models.
Cited by: 1 article.