One technique is not enough: A comparison of vulnerability discovery techniques

International Symposium on Empirical Software Engineering and Measurement

Volumn , Issue , 2011, Pages 97-106

  Austin, Andrew ^a   Williams, Laurie ^a  

^a North Carolina State University   (United States)

Author keywords

Blackbox testing; Penetration testing; Security; Static analysis; Vulnerability; Whitebox testing

Indexed keywords

AUTOMATION; STATIC ANALYSIS;

ELECTRONIC HEALTH RECORD SYSTEMS; PENETRATION TESTING; SECURITY; SECURITY VULNERABILITIES; SOFTWARE VULNERABILITIES; VULNERABILITY; VULNERABILITY DISCOVERY; WHITE-BOX TESTING;

BLACK-BOX TESTING;

EID: 84858741061     PISSN: 19493770     EISSN: 19493789     Source Type: Conference Proceeding    
DOI: 10.1109/esem.2011.18     Document Type: Conference Paper

References (24)

1. B. Boehm, Software Engineering Economics. USA: Prentice Hall, 1984.
2. G. McGraw, Software Security: Building Security In. Boston, USA: Pearson Education, 2006.
3. H.H. Thompson, "Application penetration testing, " IEEE Security & Privacy, vol. 3, no. 1, p. 66, Jan.-Feb. 2005.
4. D Allan, "Web application security: automated scanning versus manual penetration testing, " IBM Rational Software, Somers, White Paper 2008.
5. B. Chess and G. McGraw, "Static Analysis for Security, " IEEE Security and Privacy, vol. 2, no. 6, pp. 76-79, Novemeber - December 2004.
6. W. Pugh and D. Hovemeyer, "Finding bugs is easy, " ACM SIGPLAN Notices, vol. 39, no. 12, December 2004.
7. N. Ayewah, D. Hovemeyer, J.D. Morgenthaler, J. Penix, and W. Pugh, "Using Static Analysis to Find Bugs, " IEEE Software, vol. 25, no. 5, pp. 22-29, Sept.-Oct 2008.
8. T. Henzinger, R. Jhala, R. Majumdar, and G Sutre, "Software verification with BLAST, " in Proceedings of the 10th international conference on Model checking software (SPIN'03), Springer-Verlag, Berlin, Heidelberg, 2003, pp. 235-239.
9. The Open Web Application Security Project. (2010, August) HttpOnly. [Online]. http://www.owasp.org/index.php/HttpOnly.
10. The MITRE Corporation. (2011, March) Common Weakness Enumeration. [Online]. http://cwe.mitre.org/.
11. N. Antunes and M. Vieira, "Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services, " in 15th IEEE Pacific Rim International Symposium on Dependable Computing, Shanghai, 2009, p. 301.
12. A. Doupè, M. Cova, and G. Vigna, "Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners, " in Conference on Detection ofIntrusions and Malware & VulnerabilityAssessment (DIMVA), Bonn, 2010.
13. L. Suto, "Analyzing the Effectiveness and Coverage of Web Application, " San Francisco, White Paper 2007.
14. L. Suto, "Analyzing the Accuracy and Time Costs of Web Application Security Scanners, " San Franscico, White paper 2010.
15. D. Baca, K. Petersen, B. Carlsson, and L. Lundberg, "Static Code Analysis to Detect Software Security Vulnerabilities -Does Experience Matter?, " in International Conference on Availability, Reliability and Security (ARES '09), Fukuoka, 2009, p. 804.
16. N. Rutar, C.B. Almazan, and J.S. Foster, "A comparison of bug finding tools for Java, " in 15th International Symposium on Software Reliability Engineering, Saint-Malo, 2004, pp. 245-256.
17. G. McGraw and J. Steven. (2011, January) informIT. [Online]. http://www.informit.com/articles/article.aspx?p=1680863.
18. D. Geer and J. Harthorne, "Penetration testing: a duet, " in 18th Annual Computer Security Applications Conference, 2002, Las Vegas, 2002, p. 185.
19. S. Robinson, "The art of penetration testing, " in The IEEE Seminar on Security of Distributed Control Systems, 2005, p. 71.
20. OEMR.ORG. (2011, February) OpenEMR Commercial Help. [Online]. http://www.openmedsoftware.org/wiki/OpenEMR-Commercial-Help.
21. B. Smith and L Williams, "Systematizing Security Test Planning Using Functional Requirements Phrases, " North Carolina State University, Raleigh, Technical Report TR-2011-5, 2011.
22. B. Smith et al., "Challenges for Protecting the Privacy of Health Information: Required Certification Can Leave Common Vulnerabilities Undetected, " in Security and Privacy in Medical and Home-care Systems (SPIMACS 2010) Workshop, Chicago, 2010, pp. 1-12.
23. S. Barnum and M. Gegick. (September, 2005) Defense in Depth. [Online]. https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/principles/347-BSI. html.
24. C. Cadar, D. Dunbar, and D. Engler, "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, " in USENIX Symposium on Operating Systems Design and Implementation (OSDI2008), San Diego, 2008.