The Fourth International Workshop on Security Testing

Affiliated with ICST 2013

March 22, 2013


Program: Friday - March 22

08:00 - 08:30 Registration
Session I Chair: Wissam Mallouli
09:00 - 10:00 Invited talk
Security testing: a key challenge for software engineering of web apps
Yves Le Traon (University of Luxembourg, Luxembourg)
10:00 - 10:30 Kepler - Raising Browser Security Awareness
Thomas Wahlberg, Petri Paakkola, Christian Wieser, Marko Laakso and Juha Röning.
paper, talk
10:30 - 11:00 Coffee break
Session II Chair:
11:00 - 11:30 Automatic Generation of Test Drivers for Model Inference of Web Applications
Karim Hossen, Roland Groz, Catherine Oriat and Jean-Luc Richier.
paper, talk
11:30 - 12:00 Model-Based Vulnerability Testing for Web Applications
Franck Lebeau, Bruno Legeard, Fabien Peureux and Alexandre Vernotte.
paper, talk
12:00 - 12:30 Improving the Accuracy of Automated Security Tests Based on Learned System Behavior Models
Christian Schanes, Florian Fankhauser, Andreas Hübler and Thomas Grechenig.
12:30 - 14:00 Lunch
Session III Chair:
14:00 - 14:30 Formal models of bank cards for free
Fides Aarts, Joeri de Ruiter and Erik Poll.
paper, talk
14:30 - 15:00 Online Model-Based Behavioral Fuzzing
Martin Schneider, Juergen Grossmann, Ina Schieferdecker and Andrej Pietschker.
paper, talk
15:00 - 15:30 A Query Driven Security Testing Framework for Enterprise Network
Padmalochan Bera and Soumya K Ghosh.
15:30 - 16:00 Coffee break
Session IV Chair:
16:00 - 17:30 Open Discussion

Invited Talk

Yves Le Traon (University of Luxembourg)
Security testing: a key challenge for software engineering of web apps.
While important efforts are dedicated to system functional testing, very few works study how to specifically and systematically test security mechanisms. In this talk, we will present two categories of approaches. The first ones aim at assessing the compliance of security mechanisms with declared policies. Any security policy is strongly connected to system functionality: testing functionality exercises many security mechanisms. However, testing functionality is not intended to exercise all security mechanisms. We thus propose test selection criteria to produce tests from a security policy. Empirical results will be presented about access control policies and about Android app permission checks.
The second ones concern the attack surface of web apps, with a particular focus on web browser sensitivity to XSS attacks. Indeed, one of the major threats against web applications is Cross-Site Scripting (XSS), which crosses several web components: the web server, security components and finally the client's web browser. The final target is thus the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have been upgraded to add new features for the end users' benefit. However, the improvement of web browsers has not been accompanied by systematic security regression testing. Beginning with an analysis of their current degree of exposure to XSS, we extend the empirical study to a decade of the most popular web browser versions. The results reveal a chaotic behavior in the evolution of most web browsers' attack surface over time. This particularly shows an urgent need for regression testing strategies to ensure that security is not sacrificed when a new version is delivered. In both cases, security must become a specific target for testing in order to get a satisfying level of confidence in security mechanisms.

Background, aim and scope

To improve software security, several techniques, including vulnerability modelling and security testing, have been developed, but the problem remains unsolved. On one hand, the workshop tries to answer how vulnerability modelling can help users understand the occurrence of vulnerabilities so as to avoid them, and what the advantages and drawbacks of the existing models are for representing vulnerabilities. At the same time, the workshop tries to understand how to solve the challenging security testing problem, given that testing the mere functionality of a system is already a fundamentally critical task; how security testing is different from and related to classical functional testing; and how to assess the quality of security testing. The objective of this workshop is to share ideas, methods, techniques, and tools about vulnerability modelling and security testing to improve the state of the art.

In particular, the workshop aims at providing a forum for practitioners and researchers to exchange ideas, perspectives on problems, and solutions. Both papers proposing novel models, methods, and algorithms and papers reporting experiences applying existing methods to case studies and industrial examples are welcome. The topics of interest include, but are not restricted to:

This workshop is a follow-up and combination of the First International Workshop on Security Testing (SECTEST 2008) and the First International Workshop on Modelling and Detection of Vulnerabilities (MDV 2010), as well as the Second International Workshop on Security Testing (SECTEST 2011) and the Third International Workshop on Security Testing (SECTEST 2012).


We solicit both full papers (8 pages) and short papers (2 pages) in IEEE two-column format. We also solicit demonstrations of security testing tools (4 pages).
All submissions will be peer-reviewed. Authors of accepted papers must guarantee that their paper will be presented at the workshop.

Authors are invited to submit their papers electronically, as portable document format (pdf) or postscript (ps); please do not send files formatted for word processing packages (e.g., Microsoft Word or WordPerfect files). The only mechanism for paper submissions is via the electronic submission web-site powered by EasyChair.


The proceedings will be published in the IEEE digital library.


Participation in the workshop will be open to anybody willing to register.

Program Committee

Steering Committee

Additional Information

The workshop is supported by the projects Diamonds, SPaCIoS and Inter-Trust.

Last modified: Tuesday October 09, 2012