OWASP Ottawa June 21st 2023: Metamorphic Testing
Details
Welcome to our in-person meetup at the University of Ottawa.
In-Person Location:
150 Louis-Pasteur Private, Ottawa,
University of Ottawa
Room 117
Health Notice:
Based on the Ottawa Public Health Guidelines we strongly recommend that attendees wear a mask while not presenting. This will reduce the risk of transmission and protect members who may have compromised immune systems.
Live Stream:
We will continue to live stream on our YouTube channel (https://www.youtube.com/channel/UCxSU-KvNmYusZEq6v4YK5Lw). Subscribe to the channel and set a reminder, and you’ll get a notification as soon as we go live!
YouTube Live Stream Link: https://www.youtube.com/watch?v=GQHvkeegcwc
6:00 PM EDT Arrival, setup, mingle
6:30 PM EDT Technical Talks
- Introduction to OWASP Ottawa, Public Announcements.
- Metamorphic Testing for Web System Security.
Abstract:
Security testing aims at verifying that the software meets its security properties. In modern Web systems, however, this often entails the verification of the outputs generated when exercising the system with a very large set of inputs. Full automation is thus required to lower costs and increase the effectiveness of security testing.
Unfortunately, to achieve such automation, in addition to strategies for automatically deriving test inputs, we need to address the oracle problem, which refers to the challenge, given an input for a system, of distinguishing correct from incorrect behavior (e.g., the response to be received after a specific HTTP GET request).
In this presentation, we propose Metamorphic Security Testing for Web-interactions (MST-wi), a metamorphic testing approach that integrates test input generation strategies inspired by mutational fuzzing and alleviates the oracle problem in security testing. It enables engineers to specify metamorphic relations (MRs) that capture many security properties of Web systems. To facilitate the specification of such MRs, we provide a domain-specific language accompanied by an Eclipse editor. MST-wi automatically collects the input data and transforms the MRs into executable Java code to automatically perform security testing. It automatically tests Web systems to detect vulnerabilities based on the relations and collected data.
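To make the oracle idea concrete, here is an added example (not MST-wi's code and not its DSL) of one metamorphic relation for Web access control: a user must not receive the same response as another user for a URL that never appeared while crawling as that user, so the source response itself serves as the oracle. The in-memory request handler, the session tokens and the per-user crawl sets are constructed for the example.

```python
# Added example (not MST-wi code): one metamorphic relation for Web access
# control, run against a constructed in-memory handler so it works offline.
# A request is a (path, session) tuple; session None means anonymous.

# Constructed toy target: session tokens and per-user private pages.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
PAGES = {"/": "welcome", "/account/alice": "balance: 120",
         "/account/bob": "balance: 40"}

def make_app(check_owner: bool):
    """Handler returning (status, body); check_owner=False models a missing
    ownership check on the /account/<user> pages."""
    def handle(request):
        path, session = request
        if path not in PAGES:
            return 404, "not found"
        owner = path.rsplit("/", 1)[1] if path.startswith("/account/") else None
        if owner and check_owner and SESSIONS.get(session) != owner:
            return 403, "forbidden"
        return 200, PAGES[path]
    return handle

# Constructed "collected data": URLs found while crawling as each user
# (None = anonymous). A URL absent from a user's crawl is treated as one that
# user must not read, so no hand-written expected output is needed.
CRAWLED = {"alice": {"/", "/account/alice"}, "bob": {"/", "/account/bob"}, None: {"/"}}
TOKENS = {"alice": "tok-alice", "bob": "tok-bob", None: None}

def mr_unreachable_url(app, source):
    """MR: the response user A got for URL u must differ from what user B gets
    when u never appeared while crawling as B. The source response is the
    oracle for each follow-up request. Returns violating (url, user) pairs."""
    path, _ = source
    status, body = app(source)
    if status != 200:
        return []  # relation applies only to successful source requests
    bad = []
    for user, urls in CRAWLED.items():
        if path in urls:
            continue  # u is legitimately reachable for B: MR does not apply
        f_status, f_body = app((path, TOKENS[user]))
        if f_status == 200 and f_body == body:
            bad.append((path, user))
    return bad

def run_mr(app, mr, sources):
    """Run one MR over every collected source input; return all violations."""
    return [v for s in sources for v in mr(app, s)]

SOURCES = [("/", "tok-alice"), ("/account/alice", "tok-alice"), ("/account/bob", "tok-bob")]
```

Running `run_mr(make_app(False), mr_unreachable_url, SOURCES)` reports each private page that another user or an anonymous client can read, while the handler with the ownership check yields no violations.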
Speaker Bio:
Nazanin Bayati is a Ph.D. candidate at the School of EECS at the University of Ottawa and a member of the Nanda Lab. She has received several academic awards, including a Ph.D. admission scholarship, an international doctoral scholarship from the University of Ottawa, and an honourable award for being an outstanding student during her master’s degree at the Iran University of Science and Technology. She was also ranked the best student among all computer engineering students at the Iran University of Science and Technology in 2019. Her research interests include automated software testing with a focus on security testing, applied data science and empirical software engineering.