Continuous Testing of Software-as-a-Service Using Web Application Test Methods


Supervisor(s): Philipp Stephanow
Status: finished
Topic: Software testing
Author: Koosha Khajehmoogahi
Submission: 2016-12-15
Type of Thesis: Master's thesis
Proof of Concept: No
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Abstract:

Nowadays, people's lives rely more and more on the Internet, to the extent that people not only use web sites for a variety of services but have also started to migrate and delegate their local computing to remote computers. These infrastructures, the so-called Software as a Service (SaaS), contribute to many aspects of computing. As these services become more popular, it becomes more crucial that they perform as expected to the highest possible extent. Among other expectations, users of SaaS expect these services to be secure. A lack of adequate security measures can adversely affect the overall reliability of software, no matter how well other qualities are implemented. In this thesis, we examine how to provide a mechanism for security testing of such web-based systems. The goal is to provide a method for SaaS security assurance on a continuous basis, so as to minimize the cost and effort of security assurance. To do so, we choose a particular type of vulnerability, automate the tests that discover it, and run these tests continuously. Our prototype supports black-box continuous testing for SQL injection vulnerabilities. Our evaluation of the accuracy of the prototype indicates high true negative rates. We also assessed the performance impact of the prototype on the application under test, which turned out to be negative only in high-frequency testing settings.