A methodology for automated penetration testing of cloud applications

Casola, V.; De Benedictis, A.; Rak, M.; Villano, U.
2020

Abstract

Security assessment is a time-consuming and expensive activity. It requires specialised security skills and, furthermore, is not fully integrated into the software development life-cycle. One of the best solutions for the security testing of an application relies on the use of penetration testing techniques. Unfortunately, penetration testing is typically a human-driven procedure that requires deep knowledge of the possible attacks to carry out and of the hacking tools that can be used to launch the tests. In this paper, we present a methodology that enables the automation of penetration testing techniques based on both application-level models, used to represent the application architecture and its security properties in terms of applicable threats, vulnerabilities and weaknesses, and system-level models, adopted to automatically generate and execute the penetration testing activities. The proposed methodology can be easily integrated into a continuous integration development process and aid software developers in evaluating security.
A methodology for automated penetration testing of cloud applications / Casola, V.; De Benedictis, A.; Rak, M.; Villano, U.. - In: INTERNATIONAL JOURNAL OF GRID AND UTILITY COMPUTING. - ISSN 1741-847X. - 11:2(2020), pp. 267-277. [10.1504/IJGUC.2020.105541]
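To make the two-level idea in the abstract concrete, here is an added example; it is not code from the paper, whose actual model formats and tooling are not described on this page. It shows a toy application-level model of three components, a catalogue that maps model properties to applicable weaknesses, templates that turn each applicable weakness into a concrete tool invocation (the system-level part), and a gate function a continuous-integration job could apply to the results. The component schema, the catalogue entries, the tool templates, the sample application and the sample results are all assumptions constructed for illustration; the block generates the test plan but does not run any tool.

```python
"""Illustration of model-driven penetration-test generation.

Added example, not code from the paper: the model schema, the weakness
catalogue, the tool templates and the sample application below are
assumptions chosen to show how tests can be derived from a model.
"""
from dataclasses import dataclass, field


# --- application-level model (constructed sample input) ---------------------
@dataclass
class Component:
    name: str
    kind: str                  # e.g. "web-frontend", "api", "database"
    host: str
    port: int
    properties: dict = field(default_factory=dict)


APP_MODEL = [
    Component("shop-web", "web-frontend", "10.0.0.10", 443,
              {"tls": True, "auth": "form"}),
    Component("shop-api", "api", "10.0.0.11", 8080,
              {"tls": False, "auth": "bearer"}),
    Component("shop-db", "database", "10.0.0.12", 5432,
              {"exposed": True}),
]

# --- weakness catalogue: (weakness id, description, applicability predicate)
# CWE ids are real categories; the predicates are this example's own rules.
CATALOGUE = [
    ("CWE-319", "cleartext transmission of sensitive data",
     lambda c: c.kind in ("web-frontend", "api") and not c.properties.get("tls")),
    ("CWE-284", "database reachable from outside the trust boundary",
     lambda c: c.kind == "database" and bool(c.properties.get("exposed"))),
    ("CWE-307", "no brute-force protection on a login form",
     lambda c: c.properties.get("auth") == "form"),
]

# --- system-level model: weakness -> tool command template ------------------
# Placeholders {host}/{port} are filled from the component; the tools and
# arguments are assumptions about what a tester would run for each weakness.
TEST_TEMPLATES = {
    "CWE-319": ["curl", "-sI", "http://{host}:{port}/"],       # expect a plaintext reply
    "CWE-284": ["nmap", "-p", "{port}", "{host}"],             # expect the port open
    "CWE-307": ["hydra", "-l", "admin", "-P", "wordlist.txt", "{host}",
                "https-post-form", "/login:user=^USER^&pass=^PASS^:F=invalid"],
}


def applicable_weaknesses(model):
    """Pair each component with every catalogue weakness whose predicate holds."""
    return [(c, wid, desc) for c in model for wid, desc, pred in CATALOGUE if pred(c)]


def generate_plan(model):
    """Instantiate one concrete tool invocation per (component, weakness)."""
    plan = []
    for c, wid, desc in applicable_weaknesses(model):
        cmd = [arg.format(host=c.host, port=c.port) for arg in TEST_TEMPLATES[wid]]
        plan.append({"component": c.name, "weakness": wid, "why": desc, "cmd": cmd})
    return plan


def ci_gate(results, blocking=("CWE-284", "CWE-319")):
    """CI policy: fail the build if any blocking weakness was confirmed.

    `results` maps (component name, weakness id) -> True if the test confirmed
    the weakness. Returns (ok, list of blocking confirmed findings).
    """
    failures = [key for key, confirmed in results.items()
                if confirmed and key[1] in blocking]
    return (not failures, failures)


if __name__ == "__main__":
    for step in generate_plan(APP_MODEL):
        print(f"{step['component']:9} {step['weakness']}: {' '.join(step['cmd'])}")
    # Constructed execution results: the exposed database was confirmed.
    sample_results = {("shop-db", "CWE-284"): True, ("shop-web", "CWE-307"): False}
    print("gate:", ci_gate(sample_results))
```

The two halves map onto the abstract's two model levels: `CATALOGUE` is what an application-level model contributes (which weaknesses apply, decided from architecture and declared security properties, with no tool knowledge), while `TEST_TEMPLATES` is the system-level knowledge of how a weakness is actually probed. Keeping them separate is what lets a developer without penetration-testing expertise extend the application model, and lets the gate run the same way on every CI build.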
Files for this product:
There are no files associated with this product.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11588/813722
Citations
  • Scopus: 13
  • ISI: 5