Moth: a hybrid threat model for improving software security testing

Moth: a hybrid threat model for improving software security testing

As SQL injection attack (SQLIA) continues to threaten web applications despite several techniques recommended to prevent it, a Hybrid Threat Modeling strategy was adopted in this research due to its proactive approach to risk mitigation in web applications. This involved the combination of 3 thre...

Full description

Saved in:
Bibliographic Details
Main Author: Omotunde, Habeeb Oladapo
Format: Thesis
Language:English
English
English
Published: 2018
Subjects:
HV8290-8291 Private security services
Online Access:http://eprints.uthm.edu.my/185/1/24p%20HABEEB%20OLADAPO%20OMOTUNDE.pdf
http://eprints.uthm.edu.my/185/2/HABEEB%20OLADAPO%20OMOTUNDE%20COPYRIGHT%20DECLARATION.pdf
http://eprints.uthm.edu.my/185/3/HABEEB%20OLADAPO%20OMOTUNDE%20WATERMARK.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:As SQL injection attack (SQLIA) continues to threaten web applications despite several techniques recommended to prevent it, a Hybrid Threat Modeling strategy was adopted in this research due to its proactive approach to risk mitigation in web applications. This involved the combination of 3 threat modeling techniques namely misuse cases, attack trees and finite state machines in order to harness their individual strengths to design a Hybrid Threat Modeling framework and tool called MOTH (Modeling Threats using Hybrid techniques). Using the MOTH tool developed using Eclipse rich client platform, experimental results with an e-commerce web application downloaded from GitHub namely BodgeIt store shows an improved SQL injection vulnerability detection rate of 13.33% in comparison to a commercial tool, IBM AppScan. Further benchmarking of MOTH with respect to SQL injection vulnerability detection in both BodgeIT store and IBM’s Altoro Mutual online banking application shows it is 30.6% more effective over AppScan. Relative to other threat modeling tools, MOTH was able to realize a 41.7% optimization of attack paths required to design effective test plans and test cases for the recommendation of efficient security requirements needed to prevent SQL injection attacks. A 100% risk mitigation was achieved after applying these recommendations due to a complete security test coverage of all test cases during the experiment as all test cases successfully exposed the inherent security mutants in the AUT. These results show that MOTH is a more suitable hybrid threat modeling tool for preventing poor specifications that expose web applications to SQL injection attacks.

Similar Items