
Security Testing in Agile Web Application Development - A Case Study Using the EAST Methodology

  • Conference paper

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 48)

Abstract

There is a need for improved security testing methodologies specialized for Web applications and their agile development environment. The number of web application vulnerabilities is drastically increasing, while security testing tends to be given a low priority. In this paper, we analyze and compare Agile Security Testing with two other common methodologies for Web application security testing, and then present an extension of this methodology. We present a case study showing how our Extended Agile Security Testing (EAST) performs compared to a more ad hoc approach used within an organization. Our working hypothesis is that the detection of vulnerabilities in Web applications will be significantly more efficient when using a structured security testing methodology specialized for Web applications, compared to existing ad hoc ways of performing security tests. Our results show a clear indication that our hypothesis is on the right track.



Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Erdogan, G., Meland, P.H., Mathieson, D. (2010). Security Testing in Agile Web Application Development - A Case Study Using the EAST Methodology. In: Sillitti, A., Martin, A., Wang, X., Whitworth, E. (eds) Agile Processes in Software Engineering and Extreme Programming. XP 2010. Lecture Notes in Business Information Processing, vol 48. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13054-0_2


  • DOI: https://doi.org/10.1007/978-3-642-13054-0_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-13053-3

  • Online ISBN: 978-3-642-13054-0
