Security Aspect in Software Testing Perspective: A Systematic Literature Review
Background: Software testing and software security have each become essential parts of building an application. Many studies have explored each of these topics on its own, but there is a gap: the relationship between software security and software testing in general has not been explored.
Objective: This study aims to conduct a systematic literature review to capture the current state-of-the-art in software testing related to security.
Methods: The search strategy obtains relevant papers from IEEE Xplore and ScienceDirect. The results of the search are filtered by applying inclusion and exclusion criteria.
Results: The search identified 50 papers. After applying the inclusion/exclusion criteria, we selected 15 primary studies that discuss both software security and software testing. From these we extracted the approaches, aspects, references, and domains used in security-related software testing.
Conclusion: We found that certain approaches, aspects, references, and domains are used more often than others in software security testing.
Keywords: Software security, Software testing, Security testing approach, Security threats, Systematic literature review
Copyright (c) 2023 The Authors. Published by Universitas Airlangga.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
All accepted papers are published under a Creative Commons Attribution 4.0 International (CC BY 4.0) License. Authors retain copyright and grant the journal the right of first publication. The CC BY license lets others Share (copy and redistribute the material in any medium or format) and Adapt (remix, transform, and build upon the material for any purpose, even commercially).