Moth: a hybrid threat model for improving software security testing
| Main Author: | Omotunde, Habeeb Oladapo |
|---|---|
| Format: | Thesis |
| Language: | English |
| Published: | 2018 |
| Subjects: | HV8290-8291 Private security services |
| Online Access: | http://eprints.uthm.edu.my/185/1/24p%20HABEEB%20OLADAPO%20OMOTUNDE.pdf http://eprints.uthm.edu.my/185/2/HABEEB%20OLADAPO%20OMOTUNDE%20COPYRIGHT%20DECLARATION.pdf http://eprints.uthm.edu.my/185/3/HABEEB%20OLADAPO%20OMOTUNDE%20WATERMARK.pdf |
| Institution: | Universiti Tun Hussein Onn Malaysia |
|---|---|
| Collection: | UTHM Institutional Repository |
Description:

As SQL injection attack (SQLIA) continues to threaten web applications despite several techniques recommended to prevent it, a Hybrid Threat Modeling strategy was adopted in this research due to its proactive approach to risk mitigation in web applications. This involved the combination of three threat modeling techniques, namely misuse cases, attack trees and finite state machines, in order to harness their individual strengths to design a Hybrid Threat Modeling framework and tool called MOTH (Modeling Threats using Hybrid techniques). Using the MOTH tool, developed on the Eclipse rich client platform, experimental results with an e-commerce web application downloaded from GitHub, namely the BodgeIt store, show an improved SQL injection vulnerability detection rate of 13.33% in comparison to a commercial tool, IBM AppScan. Further benchmarking of MOTH with respect to SQL injection vulnerability detection in both the BodgeIt store and IBM's Altoro Mutual online banking application shows it is 30.6% more effective than AppScan. Relative to other threat modeling tools, MOTH was able to realize a 41.7% optimization of attack paths required to design effective test plans and test cases for the recommendation of efficient security requirements needed to prevent SQL injection attacks. A 100% risk mitigation was achieved after applying these recommendations due to a complete security test coverage of all test cases during the experiment, as all test cases successfully exposed the inherent security mutants in the AUT (application under test). These results show that MOTH is a more suitable hybrid threat modeling tool for preventing poor specifications that expose web applications to SQL injection attacks.
| Qualification: | Doctor of Philosophy (PhD.) |
|---|---|
| Qualification level: | Doctorate |
| Granting institution: | Universiti Tun Hussein Onn Malaysia |
| Granting department: | Fakulti Sains Komputer dan Teknologi Maklumat |