Towards continuous security certification of Software-as-a-Service applications using web application testing techniques

Continuous security certification of software-as-a-service (SaaS) aims at continuously, i.e. repeatedly and automatically, validating whether a SaaS application adheres to a set of security requirements. Since SaaS applications make heavy use of web application technologies, checking security requirements with the help of web application testing techniques seems evident. However, these techniques mainly focus on conducting discrete security tests, that is, mostly manually triggered tests whose results are interpreted by human experts. Thus, these techniques are not per se suited to support continuous security certification of SaaS applications and have to be adapted accordingly. In this paper, we report on our current status of developing methods and tools to support test-based, continuous security certification of SaaS applications which make use of web application testing techniques. To that end, we describe major challenges to overcome and present experimental test results of using SQLMap to continuously test for SQL injection vulnerabilities.

AINA 2017, 31st IEEE International Conference on Advanced Information Networking and Applications

Authors: Philipp Stephanow and Koosha Khajehmoogahi
Year/month: 2017/3
Booktitle: AINA 2017, 31st IEEE International Conference on Advanced Information Networking and Applications
Pages: 931-938
Publisher: IEEE

Bibtex:

@inproceedings{stephanowSaaS2017,
  author    = {Philipp Stephanow and Koosha Khajehmoogahi},
  title     = {Towards continuous security certification of Software-as-a-Service applications using web application testing techniques},
  year      = {2017},
  month     = {March},
  booktitle = {AINA 2017, 31st IEEE International Conference on Advanced Information Networking and Applications},
  pages     = {931-938},
  publisher = {IEEE},
  url       = {http://dx.doi.org/10.1109/AINA.2017.107}
}