Abstract

Although many tests for stabilizing software have been done, vulnerability testing of a system that runs as a combination of software from various products has not been conducted enough. This has increased the threats to and vulnerability of such systems. In particular, a web-based software system, being public, has an inherent possibility of exposure to attacks and is likely to be seriously damaged by an incident. Consequently, comprehensive and systematic test plans and techniques are required. Moreover, it is necessary to establish a procedure for managing and handling the results of vulnerability tests. This paper proposes vulnerability test plans and designs for implementing automated tools, both of which can be applied to web-based software systems.

Keywords: Risk Analysis, Vulnerability, Asset, Threat

1. Introduction

Software testing [1] is a very hard task. Most software development models repeat coding, testing and correction multiple times in order to stabilize the developed software, correct any bugs found during testing and check for any new bugs that might be detected. This is not true of tests of software-based systems. Once a software system is built, its testing is under restrictions. Even if the software system is found to have a vulnerability, it is impossible to correct it, because once a software system is built and operated, it cannot be corrected or stopped arbitrarily. Therefore, the cost effects of revising and supplementing the vulnerability should be analyzed, since unlike a bug, a vulnerability does not mean that the system has functional problems. In particular, recent developments in the internet have led many organizations to establish requirements for a web-based system before starting to operate it [2]. A web-based software system can be developed easily and with a shortened development period, since various similar solutions are available for it.

However, it has been found that such systems have much vulnerability and are exposed to increasingly new kinds of vulnerability, since they use the TCP/IP protocol and run on Windows or Linux platforms [3]. Conventional system vulnerability testing [4][5] has been conducted in such a way that any vulnerability found using scan tools or cracking tools is reported, followed by recommendations such as installation of a security patch or an OS upgrade. This testing method may repeat the same test, since it has neither a proper plan nor proper knowledge of previous test cases and testing methods. Repeated testing for this reason increases wasted time and cost and slows the response to new vulnerabilities. There have been standardized plans and procedures for software testing [15], and there have been many studies on them. However, testing methods for software-based systems are hardly found, except for the risk analysis approach [10][11] and the risk management approach [12][13][14]. These methodologies require specialized knowledge of security and a lot of human resources and time. For this reason, they cannot be applied well to situations where vulnerability should be eliminated in real time. In particular, these methodologies require a long time from risk analysis and budget design to the establishment of countermeasures, which rules out just-in-time establishment of countermeasures [9]. This makes it difficult to establish safe system operation. It is better to apply security risk analysis methodology when changing the whole system or considering a new project. Once a system is built, vulnerability should be eliminated by vulnerability testing as the occasion calls for it. Next, tools [6] are developed and used for software testing. Since the related developers and testers conduct similar jobs, proper information on the stress and load against the software is set in the testing tool. In particular, a testing tool provides knowledge of the predictable result of a bug.

However, system vulnerability testing inspects various kinds of vulnerability of a system composed of a combination of software, in terms of rule settings, batch, composition and interlock. Vulnerability removal affects other software. Therefore, the personnel, roles, methods and levels for system test planning must be clearly defined and specified, and inter-system vulnerability diffusion analysis [7][9] must be done well. To solve these problems, this paper proposes a method for software system vulnerability test planning and a design for a tool to automate it.
