Authors: Valentina Casola; Alessandra De Benedictis; Massimiliano Rak; Umberto Villano
Addresses: University of Naples Federico II, DIETI, Napoli, Italy; University of Naples Federico II, DIETI, Napoli, Italy; University of Campania Luigi Vanvitelli, DII, Aversa, Italy; University of Sannio, DING, Benevento, Italy
Abstract: Security assessment is a very time- and money-consuming activity. It needs specialised security skills and, furthermore, it is not fully integrated into the software development life-cycle. One of the best solutions for the security testing of an application relies on the use of penetration testing techniques. Unfortunately, penetration testing is a typically human-driven procedure that requires a deep knowledge of the possible attacks to carry out and of the hacking tools that can be used to launch the tests. In this paper, we present a methodology that enables the automation of penetration testing techniques based on both application-level models, used to represent the application architecture and its security properties in terms of applicable threats, vulnerabilities and weaknesses, and on system-level models, adopted to automatically generate and execute the penetration testing activities. The proposed methodology can be easily integrated into a continuous integration development process and aid software developers in evaluating security.
Keywords: cloud application security assessment; cloud application penetration testing; automated penetration testing modelling; automated penetration testing execution.
International Journal of Grid and Utility Computing, 2020 Vol.11 No.2, pp.267 - 277
Received: 22 Nov 2018
Accepted: 10 Mar 2019
Published online: 03 Feb 2020