USING CAPEC FOR RISK-BASED
SECURITY TESTING
Fredrik Seehusen
RASEN - 316853
1
Overview of method
CAPEC
attack
patterns
System
under test
Test procedure
prioritization
algorithm
I: CAPEC to
risk model
(automated)
II: Risk
model
refinement
(manual)
III: Test
procedure
derivation
(semiautomated)
Generic
risk
model
CAPEC to
risk model
algorithm
Target
specific risk
model
Prioritized test
procedures
RASEN - 316853
2
Method overview cont.
RASEN - 316853
3
Method overview cont.
Risk-based
testing
=
Testing
+
Risk assessment
Criteria
C1: The risk assessment should not be too time
consuming.
C2: The risk assessment should help reduce the time
spent in testing.
C3: The risk assessment should help increase the
quality of the testing activity.
RASEN - 316853
4
Step I: From CAPEC to Generic
CORAS Risk Model
CAPEC
CORAS Risk model
RASEN - 316853
5
Step I: Security attack in
CORAS risk model
Attack name
Name of vulnerability
Attacker name
Consequence value
Likelihood of attack
initiation
Likelihood of attack
consequence
Likelihood of attack
success
RASEN - 316853
Attack impact name
Attack consequence
name
6
Step I: CAPEC
Attribute
Description
Name
(CAPEC-34, HTTP Response Splitting)
Typical likelihood of Medium
exploit
Attack
motivation- (Execute unauthorized code or commands, {Confidentiality,
consequences
Integrity, Availability}),
(Gain privileges / assume identify, {Confidentiality})
CIA impact
(High, High, Low)
CWE
ID
(Related CWE-113 Improper Neutralization of CRLF Sequences in HTTP
weaknesses)
Headers ('HTTP Response Splitting'),
CWE-697 Insufficient Comparison,
CWE-707 Improper Enforcement of Message or Data
Structure,
CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
RASEN - 316853
7
Step I: CAPEC to generic risk
model
Typical likelihood of exploit
CIA impact
Name
CWE
ID
weaknesses)
(Related
RASEN - 316853
Attack motivation consequences
8
Step II: Refine generic CORAS risk
model
CAPEC-34
CAPEC-62
RASEN - 316853
9
Step II: Refine generic CORAS
risk model (cont.)
RASEN - 316853
10
Step III: Test procedure
identification
RASEN - 316853
11
Step III: Test procedure
selection and prioritization
RASEN - 316853
12
Test procedure selection and
prioritization
Test procedure
Sensitivity
Effort
Check that Cross Site Request Forgery (aka Session Riding) leads 9.815030935488 1 day
to Cross Site Request Forgery (aka Session Riding) successful with 287E-4
conditional likelihood [0.001, 0.1], due to vulnerabilities OWASP
Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF),
Incorrect Permission Assignment for Critical Resource, Cross-Site
Request Forgery (CSRF) and Improper Control of a Resource
Through its Lifetime.
Check that HTTP Response Splitting leads to HTTP Response
Splitting successful with conditional likelihood [1.0E-4, 0.001],
due to vulnerabilities Insufficient Comparison, Improper
Neutralization of CRLF Sequences in HTTP Headers ('HTTP
Response Splitting'), Improper Enforcement of Message or Data
Structure and OWASP Top Ten 2007 Category A2 - Injection
Flaws.
RASEN - 316853
1.447474243798 1 day
8263E-7
13
Conclusions
We have presented a method and a technique for
risk-based testing based on CAPEC
We believe that the method supports criteria C1 –
C3
C1 is supported by our technique for risk model generation
which reduces the time of constructing a risk model
compared to a manual process.
C2 is supported since the generated risk model is suitable
for test procedure identification.
C3 is supported since our method provides a sound basis
for test-procedure prioritization based on risk model
information. This enables the testing to be focused on the
attacks and/or vulnerabilities that are most relevant for
obtaining an accurate and correct risk model.
RASEN - 316853
14