Security assessment is a very time- and money-consuming activity. It needs specialised security skills and, furthermore, it is not fully integrated into the software development life-cycle. One of the best solutions for the security testing of an application relies on the use of penetration testing techniques. Unfortunately, penetration testing is a typically human-driven procedure that requires a deep knowledge of the possible attacks to carry out and of the hacking tools that can be used to launch the tests. In this paper, we present a methodology that enables the automation of penetration testing techniques based on both application-level models, used to represent the application architecture and its security properties in terms of applicable threats, vulnerabilities and weaknesses, and on system-level models, adopted to automatically generate and execute the penetration testing activities. The proposed methodology can be easily integrated into a continuous integration development process and aid software developers in evaluating security.

A methodology for automated penetration testing of cloud applications

Rak M.;
2020

Abstract

Security assessment is a very time- and money-consuming activity. It needs specialised security skills and, furthermore, it is not fully integrated into the software development life-cycle. One of the best solutions for the security testing of an application relies on the use of penetration testing techniques. Unfortunately, penetration testing is a typically human-driven procedure that requires a deep knowledge of the possible attacks to carry out and of the hacking tools that can be used to launch the tests. In this paper, we present a methodology that enables the automation of penetration testing techniques based on both application-level models, used to represent the application architecture and its security properties in terms of applicable threats, vulnerabilities and weaknesses, and on system-level models, adopted to automatically generate and execute the penetration testing activities. The proposed methodology can be easily integrated into a continuous integration development process and aid software developers in evaluating security.
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: http://hdl.handle.net/11591/427570
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 7
  • ???jsp.display-item.citation.isi??? 2
social impact