{"id":885,"date":"2020-08-24T10:41:23","date_gmt":"2020-08-24T08:41:23","guid":{"rendered":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/"},"modified":"2020-08-24T10:41:23","modified_gmt":"2020-08-24T08:41:23","slug":"phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems","status":"publish","type":"events","link":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/","title":{"rendered":"PhD Defense: Automated Requirements-based Security Testing of Web-oriented Software Systems"},"content":{"rendered":"<section class=\"wp-block-unilux-blocks-free-section section\"><div class=\"container xl:max-w-screen-xl\"><p>Please click this <a href=\"https:\/\/unilu.webex.com\/unilu\/onstage\/g.php?MTID=e9936d0215da4172bd3427dd3323886df\" target=\"_self\" title=\"\" rel=\"noopener\">link<\/a> to register and connect to the online PhD defense.<\/p><p>Please note that the public part of the defense starts at 3.00 p.m.; use the above-mentioned link to join the event.<\/p><p>You may need to wait a few moments until the conference e-room opens to the public.<\/p><p><strong>Members of the defense committee<\/strong>:<\/p><ul class=\"ulux-list\"><li class=\"ulux-list-item\">Chairman: A-Prof. Dr Fabrizio Pastore, University of Luxembourg<\/li><li class=\"ulux-list-item\">Deputy Chairman: Dr Seung Yeob SHIN, University of Luxembourg<\/li><li class=\"ulux-list-item\">Supervisor: Prof. Dr-Ing Lionel Claude Briand, University of Luxembourg<\/li><li class=\"ulux-list-item\">Member: Dr Mariano Ceccato, University of Verona<\/li><li class=\"ulux-list-item\">Member: A-Prof. Dr Sergio Segura Rueda, University of Seville<\/li><\/ul><p><strong>Abstract<\/strong>:<\/p><p><strong>Motivation and Context.<\/strong> 
Modern Internet-based services (e.g., home banking, personal training, healthcare) are delivered through Web-oriented software systems that run on many different devices, including computers, mobile devices, wearable devices, and smart TVs. They manage and exchange users\u2019 personal data such as credit reports, locations, and health status. Therefore, the security of these systems and their data is of crucial importance.<\/p><p>Unfortunately, from security requirements elicitation to security testing, a number of challenges must be addressed to ensure the security of Web-oriented software systems. First, existing practices for capturing security requirements do not rely on templates that ensure requirements are specified in a precise, structured, and unambiguous manner. Second, security testing is usually either performed manually or only partially automated. Most existing security testing automation approaches focus only on specific vulnerabilities (e.g., buffer overflow, code injection). In addition, they suffer from the oracle problem, i.e., they cannot determine whether the software violates its security requirements, except when the violation leads to a denial of service or a crash. For this reason, security test automation is usually partial and addresses only the generation of inputs, not the verification of outputs. Although, in principle, solutions for the automated verification of functional requirements could be adopted to automatically verify security requirements, a number of concerns remain to be addressed. First, there is a lack of studies that demonstrate their applicability in the context of security testing. Second, the oracle problem remains an open problem in many areas of software testing research, not only security testing. 
In the context of functional testing, metamorphic testing has been shown to be a viable solution to the oracle problem; however, it has never been studied in the context of security testing.<\/p><p><strong>Contributions.<\/strong> In this dissertation, we propose a set of approaches to address the above-mentioned challenges. (1) To model security requirements in a structured and analyzable manner, we propose a use case modelling approach that relies on a restricted natural language and a template already validated in the context of functional testing. It introduces the concepts of security use case specifications (i.e., what the system is supposed to do) and misuse case specifications (i.e., malicious user behaviours that the system is supposed to prevent). Moreover, we propose a template for capturing guidelines for the mitigation of security threats. (2) To verify that systems meet their security requirements, we propose an approach that automatically generates security test cases from misuse case specifications. More precisely, we propose a natural language programming solution that automatically generates executable security test cases and test inputs from misuse case specifications written in natural language. (3) To address the oracle problem, we propose a metamorphic testing solution for Web-oriented software systems. The solution relies on a predefined set of metamorphic relations that capture (a) how an attacker is likely to alter a valid input to exploit a vulnerable system and (b) how the output of the system should change as a result of the attack if the system meets its security requirements. Our solution relies on Web crawlers to automatically identify the valid inputs to be used for testing. (4) We identify a set of testability guidelines to facilitate the adoption of the proposed approaches in software projects. 
The identified guidelines indicate (a) which types of vulnerabilities can be addressed through the solutions proposed in this dissertation and (b) which design solutions should be integrated into the system to enable effective test automation.<\/p><\/div><\/section>","protected":false},"excerpt":{"rendered":"<p>Please click this link to register and connect to the online PhD defense. Please note that the public part of the defense starts at 3.00 p.m.; use the above-mentioned link to join the event. You may need to wait a few moments until the conference e-room opens to the public.<\/p>\n","protected":false},"author":0,"featured_media":886,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"featured_image_focal_point":[],"show_featured_caption":false,"ulux_newsletter_groups":"","uluxPostTitle":"","uluxPrePostTitle":"","_trash_the_other_posts":false,"_price":"","_stock":"","_tribe_ticket_header":"","_tribe_default_ticket_provider":"","_tribe_ticket_capacity":"0","_ticket_start_date":"","_ticket_end_date":"","_tribe_ticket_show_description":"","_tribe_ticket_show_not_going":false,"_tribe_ticket_use_global_stock":"","_tribe_ticket_global_stock_level":"","_global_stock_mode":"","_global_stock_cap":"","_tribe_rsvp_for_event":"","_tribe_ticket_going_count":"","_tribe_ticket_not_going_count":"","_tribe_tickets_list":"[]","_tribe_ticket_has_attendee_info_fields":false,"event_start_date":"2020-09-08 15:00:00","event_end_date":"2020-09-08 18:00:00","event_speaker_name":"Xuan Phu Mai","event_speaker_link":"","event_is_online":false,"event_location":"","event_street":"","event_location_link":"","event_zip_code":"","event_city":"","event_country":"LU"},"events-topic":[],"events-type":[],"organisation":[183],"authorship":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.3 (Yoast SEO v22.3) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>PhD 
Defense: Automated Requirements-based Security Testing of Web-oriented Software Systems - SnT - Universit\u00e9 du Luxembourg I Uni.lu<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PhD Defense: Automated Requirements-based Security Testing of Web-oriented Software Systems\" \/>\n<meta property=\"og:description\" content=\"Please click this link to register and connect you to the online PhD defense.\u00a0Please note that the public part of the defense starts at 3.00 p.m., please use the above-mentioned link to join the event.You may need to wait some moments until the conference e-room opens to the public.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/\" \/>\n<meta property=\"og:site_name\" content=\"SnT FR\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2026\/03\/03112647\/SNT_SM-Profile_1600x1600px-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"2560\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/\",\"url\":\"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/\",\"name\":\"PhD Defense: Automated Requirements-based Security Testing of Web-oriented Software Systems - SnT - Universit\u00e9 du Luxembourg I Uni.lu\",\"isPartOf\":{\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2020\/08\/default-2.jpg\",\"datePublished\":\"2020-08-24T08:41:23+00:00\",\"dateModified\":\"2020-08-24T08:41:23+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/#primaryimage\",\"url\":\"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2020\/08\/default-2.jpg\",\"contentUrl\":\"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2020\/08\/default-2.jpg\",\"width\":1500,\"height\":1125},{\"@type\":\"BreadcrumbList\"
,\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.uni.lu\/fr\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Interdisciplinary Centre for Security, Reliability and Trust (SnT)\",\"item\":\"https:\/\/www.uni.lu\/snt-fr\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Events\",\"item\":\"https:\/\/www.uni.lu\/snt-fr\/events\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"PhD Defense: Automated Requirements-based Security Testing of Web-oriented Software Systems\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/#website\",\"url\":\"https:\/\/www.uni.lu\/snt-fr\/\",\"name\":\"SnT\",\"description\":\"Interdisciplinary Centre for Security, Reliability and Trust I Uni.lu\",\"publisher\":{\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/#organization\"},\"alternateName\":\"Interdisciplinary Centre for Security, Reliability and Trust I Universit\u00e9 du Luxembourg\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.uni.lu\/snt-fr\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/#organization\",\"name\":\"SnT - Universit\u00e9 du Luxembourg I Uni.lu\",\"alternateName\":\"Interdisciplinary Centre for Security, Reliability and 
Trust\",\"url\":\"https:\/\/www.uni.lu\/snt-fr\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2026\/03\/03112647\/SNT_SM-Profile_1600x1600px-scaled.jpg\",\"contentUrl\":\"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2026\/03\/03112647\/SNT_SM-Profile_1600x1600px-scaled.jpg\",\"width\":2560,\"height\":2560,\"caption\":\"SnT - Universit\u00e9 du Luxembourg I Uni.lu\"},\"image\":{\"@id\":\"https:\/\/www.uni.lu\/snt-fr\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/school\/snt-lu\/\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"PhD Defense: Automated Requirements-based Security Testing of Web-oriented Software Systems - SnT - Universit\u00e9 du Luxembourg I Uni.lu","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/","og_locale":"fr_FR","og_type":"article","og_title":"PhD Defense: Automated Requirements-based Security Testing of Web-oriented Software Systems","og_description":"Please click this link to register and connect you to the online PhD defense.\u00a0Please note that the public part of the defense starts at 3.00 p.m., please use the above-mentioned link to join the event.You may need to wait some moments until the conference e-room opens to the public.","og_url":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/","og_site_name":"SnT 
FR","og_image":[{"width":2560,"height":2560,"url":"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2026\/03\/03112647\/SNT_SM-Profile_1600x1600px-scaled.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Dur\u00e9e de lecture estim\u00e9e":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/","url":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/","name":"PhD Defense: Automated Requirements-based Security Testing of Web-oriented Software Systems - SnT - Universit\u00e9 du Luxembourg I Uni.lu","isPartOf":{"@id":"https:\/\/www.uni.lu\/snt-fr\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/#primaryimage"},"image":{"@id":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/#primaryimage"},"thumbnailUrl":"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2020\/08\/default-2.jpg","datePublished":"2020-08-24T08:41:23+00:00","dateModified":"2020-08-24T08:41:23+00:00","breadcrumb":{"@id":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/"]}]},{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/#primaryimage","url":"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2
020\/08\/default-2.jpg","contentUrl":"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2020\/08\/default-2.jpg","width":1500,"height":1125},{"@type":"BreadcrumbList","@id":"https:\/\/www.uni.lu\/snt-fr\/events\/phd-defense-automated-requirements-based-security-testing-of-web-oriented-software-systems\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.uni.lu\/fr"},{"@type":"ListItem","position":2,"name":"Interdisciplinary Centre for Security, Reliability and Trust (SnT)","item":"https:\/\/www.uni.lu\/snt-fr\/"},{"@type":"ListItem","position":3,"name":"Events","item":"https:\/\/www.uni.lu\/snt-fr\/events\/"},{"@type":"ListItem","position":4,"name":"PhD Defense: Automated Requirements-based Security Testing of Web-oriented Software Systems"}]},{"@type":"WebSite","@id":"https:\/\/www.uni.lu\/snt-fr\/#website","url":"https:\/\/www.uni.lu\/snt-fr\/","name":"SnT","description":"Interdisciplinary Centre for Security, Reliability and Trust I Uni.lu","publisher":{"@id":"https:\/\/www.uni.lu\/snt-fr\/#organization"},"alternateName":"Interdisciplinary Centre for Security, Reliability and Trust I Universit\u00e9 du Luxembourg","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.uni.lu\/snt-fr\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-FR"},{"@type":"Organization","@id":"https:\/\/www.uni.lu\/snt-fr\/#organization","name":"SnT - Universit\u00e9 du Luxembourg I Uni.lu","alternateName":"Interdisciplinary Centre for Security, Reliability and 
Trust","url":"https:\/\/www.uni.lu\/snt-fr\/","logo":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/www.uni.lu\/snt-fr\/#\/schema\/logo\/image\/","url":"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2026\/03\/03112647\/SNT_SM-Profile_1600x1600px-scaled.jpg","contentUrl":"https:\/\/www.uni.lu\/wp-content\/uploads\/sites\/13\/2026\/03\/03112647\/SNT_SM-Profile_1600x1600px-scaled.jpg","width":2560,"height":2560,"caption":"SnT - Universit\u00e9 du Luxembourg I Uni.lu"},"image":{"@id":"https:\/\/www.uni.lu\/snt-fr\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/school\/snt-lu\/"]}]}},"_links":{"self":[{"href":"https:\/\/www.uni.lu\/snt-fr\/wp-json\/wp\/v2\/events\/885"}],"collection":[{"href":"https:\/\/www.uni.lu\/snt-fr\/wp-json\/wp\/v2\/events"}],"about":[{"href":"https:\/\/www.uni.lu\/snt-fr\/wp-json\/wp\/v2\/types\/events"}],"replies":[{"embeddable":true,"href":"https:\/\/www.uni.lu\/snt-fr\/wp-json\/wp\/v2\/comments?post=885"}],"version-history":[{"count":0,"href":"https:\/\/www.uni.lu\/snt-fr\/wp-json\/wp\/v2\/events\/885\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.uni.lu\/snt-fr\/wp-json\/wp\/v2\/media\/886"}],"wp:attachment":[{"href":"https:\/\/www.uni.lu\/snt-fr\/wp-json\/wp\/v2\/media?parent=885"}],"wp:term":[{"taxonomy":"events-topic","embeddable":true,"href":"https:\/\/www.uni.lu\/snt-fr\/wp-json\/wp\/v2\/events-topic?post=885"},{"taxonomy":"events-type","embeddable":true,"href":"https:\/\/www.uni.lu\/snt-fr\/wp-json\/wp\/v2\/events-type?post=885"},{"taxonomy":"organisation","embeddable":true,"href":"https:\/\/www.uni.lu\/snt-fr\/wp-json\/wp\/v2\/organisation?post=885"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
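Contribution (3) of the abstract above, metamorphic relations that encode how an attacker mutates a valid input and how the output must then change, is easiest to see on a concrete relation. The block below is an added example written for this page; it is not the dissertation's tool or code, and every name in it is an assumption made for the illustration: a constructed in-memory application (`ToyBankApp`, whose `vulnerable` flag builds in two defects), a minimal link crawler standing in for the Web crawler that collects valid inputs, and two hypothetical relations. MR1 drops the session from a URL that was reachable only after login and requires the response to change; MR2 retargets a user-identifying query parameter at another user and requires the response to be either an error or identical to the caller's own page. Neither relation needs to know what the correct page content is, which is the whole point of a metamorphic oracle.

```python
"""Added example (not the dissertation's code): metamorphic security testing of a
constructed in-memory web app. ToyBankApp, the MR functions and the sample users
alice/bob are assumptions made for this illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


@dataclass(frozen=True)
class Response:
    status: int
    body: str


class ToyBankApp:
    """Constructed system under test. A session is just the logged-in user's name
    (None = anonymous). vulnerable=True builds in two defects: /account trusts the
    ?user= parameter over the session, and /statement performs no login check."""
    DATA = {"alice": "balance 120", "bob": "balance 999"}

    def __init__(self, vulnerable: bool) -> None:
        self.vulnerable = vulnerable

    def get(self, url: str, session: Optional[str]) -> Response:
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        if parts.path == "/":
            links = "<a href='/public'>info</a>"
            if session:
                links += f" <a href='/account?user={session}'>account</a>"
            return Response(200, links)
        if parts.path == "/public":
            return Response(200, "opening hours <a href='/'>home</a>")
        if parts.path == "/account":
            if session is None:
                return Response(302, "redirect:/login")
            # defect 1: the vulnerable build lets ?user= override the session
            owner = params.get("user", [session])[0] if self.vulnerable else session
            return Response(200, f"{owner}: {self.DATA[owner]} "
                                 f"<a href='/statement?user={owner}'>statement</a>")
        if parts.path == "/statement":
            if self.vulnerable:  # defect 2: no session check, data chosen by ?user=
                owner = params.get("user", ["alice"])[0]
            else:
                if session is None:
                    return Response(302, "redirect:/login")
                owner = session
            return Response(200, f"statement of {owner}: {self.DATA[owner]}")
        return Response(404, "not found")


LINK = re.compile(r"href='([^']+)'")


def crawl(app: ToyBankApp, session: Optional[str]) -> Dict[str, Response]:
    """Breadth-first crawl from '/'; the reachable URLs are the valid (source)
    inputs that the metamorphic relations below mutate."""
    seen: Dict[str, Response] = {}
    todo = ["/"]
    while todo:
        url = todo.pop(0)
        if url in seen:
            continue
        seen[url] = app.get(url, session)
        todo.extend(u for u in LINK.findall(seen[url].body) if u not in seen)
    return seen


def mr_unauthenticated_access(app, authed, public_urls) -> List[Tuple[str, str]]:
    """MR1: for a URL reachable only after login, the follow-up request without a
    session must produce a different response than the source request."""
    return [("unauthenticated-access", url)
            for url, resp in authed.items()
            if url not in public_urls and app.get(url, None) == resp]


def mr_horizontal_privilege(app, session, authed, other_user) -> List[Tuple[str, str]]:
    """MR2: retarget the user-identifying parameter at another user while keeping
    the original session. The follow-up response must be an error or identical
    to the source response (parameter ignored); anything else is a data leak."""
    failures = []
    for url, resp in authed.items():
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        if "user" not in params:
            continue
        params["user"] = [other_user]
        mutated = urlunsplit(parts._replace(query=urlencode(params, doseq=True)))
        follow = app.get(mutated, session)
        if follow.status < 400 and follow != resp:
            failures.append(("horizontal-privilege", mutated))
    return failures


def run_metamorphic_tests(app: ToyBankApp, user="alice", other="bob"):
    """Crawl anonymously and as `user`, then evaluate both relations.
    Returns the sorted list of (relation, follow-up URL) violations."""
    public_urls = set(crawl(app, None))
    authed = crawl(app, user)
    return sorted(mr_unauthenticated_access(app, authed, public_urls)
                  + mr_horizontal_privilege(app, user, authed, other))


if __name__ == "__main__":
    print("vulnerable:", run_metamorphic_tests(ToyBankApp(vulnerable=True)))
    print("fixed:     ", run_metamorphic_tests(ToyBankApp(vulnerable=False)))
```

The anonymous crawl is what keeps MR1 honest: a public page legitimately renders the same with or without a session, so only URLs absent from the anonymous crawl are eligible sources. MR2 shows the second half of a relation, the output side: it never asserts what bob's data looks like, only that alice's tampered request may not produce a successful response that differs from alice's own page. Against a real deployment the crawler and `get` would be replaced by HTTP calls, but the relations themselves are unchanged.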