Proposing SQL Statement Coverage Metrics: Difference between revisions

Line 34:

== 9. References ==

~~~~[1]~~ We counted the reported instances of vulnerabilities by using the keywords “SQL injection”~~, ~~“cross-site scripting”~~, ~~“XSS”~~, ~~and “buffer overflow” within the input validation error category from NVD~~.~~~~

[1] B. Beizer, Software testing techniques: Van Nostrand

Reinhold Co. New York, NY, USA, 1990.

~~~~[2]~~ H~~. ~~Zhu, P~~. A. V. ~~Hall~~, and J. H. R. ~~May~~, "~~Software Unit Test Coverage and Adequacy~~," ~~ACM Computing Surveys~~, ~~vol~~. 29, no. 4, ~~1997~~.~~~~

[2] S. W. Boyd and A. D. Keromytis, "SQLrand: Preventing

SQL injection attacks," in Proceedings of the 2nd Applied

~~~~[3]~~ B~~. ~~Beizer~~, ~~Software testing techniques~~: ~~Van Nostrand Reinhold Co. New York~~, NY, USA, ~~1990~~.~~~~

Cryptography and Network Security (ACNS) Conference,

Yellow Mountain, China, pp. 292-304, 2004.

~~~~[4]~~ Scott~~ and R. ~~Sharp~~, "~~Developing secure~~ Web ~~applications~~," ~~Internet Computing~~, ~~IEEE~~, ~~vol. 6, no. 6~~, pp. 38-45, ~~2002~~.~~~~

[3] B. Brenner, "CSI 2007: Developers need Web application

security assistance," in SearchSecurity.com, 2007.

~~~~[5]~~~~ E. ~~Ogren~~, "~~App Security's Evolution~~," in ~~DarkReading~~.~~com~~, ~~2007~~.~~~~

[4] M. Cobb, "Making the case for Web application

vulnerability scanners," in SearchSecurity.com, 2007.

~~~~[6]~~~~ McGraw, Software Security: Building Security in. Upper Saddle River, NJ: Addison-Wesley Professional, 2006.~~~~

[5] W. G. Halfond, J. Viegas, and A. Orso, "A Classification of

SQL-Injection Attacks and Countermeasures," in

~~~~[7]~~~~ J. Offutt, "Quality attributes of Web software applications," IEEE Software, vol. 19, no. 2, pp. 25-32, 2002.~~~~

Proceedings of the International Symposium on Secure

Software Engineering, March, Arlington, VA, 2006.

~~~~[8]~~ B~~. ~~Brenner~~, "~~CSI 2007: Developers need~~ Web ~~application security assistance~~," ~~in SearchSecurity~~.~~com~~, ~~2007~~.~~~~

[6] W. G. J. Halfond and A. Orso, "AMNESIA: analysis and

monitoring for NEutralizing SQL-injection attacks," in

~~~~[9]~~~~ H. H. Thompson and J. A. Whittaker, "Testing for software security," Dr. Dobb's Journal, vol. 27, no. 11, pp. 24-34, 2002.~~~~

Proceedings of the 20th IEEE/ACM international

Conference on Automated software engineering, Long

~~~~[10]~~~~ M. ~~Cobb~~, "~~Making the case~~ for ~~Web application vulnerability scanners~~," in ~~SearchSecurity~~.~~com~~, ~~2007~~.~~~~

Beach, CA, USA, pp. 174-183, 2005.

[7] W. G. J. Halfond and A. Orso, "Command-Form Coverage

for Testing Database Applications," Proceedings of the IEEE

and ACM International Conference on Automated Software

Engineering, pp. 69–78, 2006.

[8] Y. W. Huang, S. K. Huang, T. P. Lin, and C. H. Tsai, "Web

application security assessment by fault injection and

behavior monitoring," in Proceedings of the 12th

International Conference on World Wide Web, Budapest,

Hungary, pp. 148-159, 2003.

[9] S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, "SecuBat: a

web vulnerability scanner," in Proceedings of the 15th

international conference on World Wide Web, Edinburgh,

Scotland pp. 247-256, 2006.

[10] G. McGraw, Software Security: Building Security in. Upper

Saddle River, NJ: Addison-Wesley Professional, 2006.

[11] J. Offutt, "Quality attributes of Web software applications,"

IEEE Software, vol. 19, no. 2, pp. 25-32, 2002.

[12] E. Ogren, "App Security's Evolution," in DarkReading.com,

2007.

[13] T. Pietraszek and C. V. Berghe, "Defending against injection

attacks through context-sensitive string evaluation," in

Recent Advances in Intrusion Detection (RAID). Seattle,

WA, 2005.

[14] F. S. Rietta, "Application layer intrusion detection for SQL

injection," in Proceedings of the 44th annual southeast

regional conference, New York, NY, pp. 531-536, 2006.

[15] D. Scott and R. Sharp, "Developing secure Web

applications," Internet Computing, IEEE, vol. 6, no. 6, pp.

38-45, 2002.

[16] Z. Su and G. Wassermann, "The essence of command

injection attacks in web applications," in Proceedings of the

Annual Symposium on Principles of Programming

Languages, Charleston, SC, pp. 372-382, 2006.

[17] H. H. Thompson and J. A. Whittaker, "Testing for software

security," Dr. Dobb's Journal, vol. 27, no. 11, pp. 24-34,

2002.

[18] D. Willmor and S. M. Embury, "Exploring test adequacy for

database systems," in Proceedings of the 3rd UK Software

Testing Research Workshop, Sheffield, UK, pp. p123-133,

2005.

[19] H. Zhu, P. A. V. Hall, and J. H. R. May, "Software Unit Test

Coverage and Adequacy," ACM Computing Surveys, vol. 29,

no. 4, 1997.

@@ Line 34: / Line 34: @@
 == 9. References ==
-<span id="footnote"><sup>[1]</sup> We counted the reported instances of vulnerabilities by using the keywords “SQL injection”, “cross-site scripting”, “XSS”, and “buffer overflow” within the input validation error category from NVD.</span>
+[1] B. Beizer, Software testing techniques: Van Nostrand
+Reinhold Co. New York, NY, USA, 1990.
-<span id="zhuHallMay"><sup>[2]</sup> H. Zhu, P. A. V. Hall, and J. H. R. May, "Software Unit Test Coverage and Adequacy," ACM Computing Surveys, vol. 29, no. 4, 1997.</span>
+[2] S. W. Boyd and A. D. Keromytis, "SQLrand: Preventing
+SQL injection attacks," in Proceedings of the 2nd Applied
-<span id="beizer"><sup>[3]</sup> B. Beizer, Software testing techniques: Van Nostrand Reinhold Co. New York, NY, USA, 1990.</span>
+Cryptography and Network Security (ACNS) Conference,
+Yellow Mountain, China, pp. 292-304, 2004.
-<span id="scottSharp"><sup>[4]</sup> Scott and R. Sharp, "Developing secure Web applications," Internet Computing, IEEE, vol. 6, no. 6, pp. 38-45, 2002.</span>
+[3] B. Brenner, "CSI 2007: Developers need Web application
+security assistance," in SearchSecurity.com, 2007.
-<span id="ogren"><sup>[5]</sup> E. Ogren, "App Security's Evolution," in DarkReading.com, 2007.</span>
+[4] M. Cobb, "Making the case for Web application
+vulnerability scanners," in SearchSecurity.com, 2007.
-<span id="mcgraw"><sup>[6]</sup> McGraw, Software Security: Building Security in. Upper Saddle River, NJ: Addison-Wesley Professional, 2006.</span>
+[5] W. G. Halfond, J. Viegas, and A. Orso, "A Classification of
+SQL-Injection Attacks and Countermeasures," in
-<span id="offutt"><sup>[7]</sup> J. Offutt, "Quality attributes of Web software applications," IEEE Software, vol. 19, no. 2, pp. 25-32, 2002.</span>
+Proceedings of the International Symposium on Secure
+Software Engineering, March, Arlington, VA, 2006.
-<span id="brenner"><sup>[8]</sup> B. Brenner, "CSI 2007: Developers need Web application security assistance," in SearchSecurity.com, 2007.</span>
+[6] W. G. J. Halfond and A. Orso, "AMNESIA: analysis and
+monitoring for NEutralizing SQL-injection attacks," in
-<span id="thompson"><sup>[9]</sup> H. H. Thompson and J. A. Whittaker, "Testing for software security," Dr. Dobb's Journal, vol. 27, no. 11, pp. 24-34, 2002.</span>
+Proceedings of the 20th IEEE/ACM international
+Conference on Automated software engineering, Long
-<span id="cobb"><sup>[10]</sup> M. Cobb, "Making the case for Web application vulnerability scanners," in SearchSecurity.com, 2007.</span>
+Beach, CA, USA, pp. 174-183, 2005.
+[7] W. G. J. Halfond and A. Orso, "Command-Form Coverage
+for Testing Database Applications," Proceedings of the IEEE
+and ACM International Conference on Automated Software
+Engineering, pp. 69–78, 2006.
+[8] Y. W. Huang, S. K. Huang, T. P. Lin, and C. H. Tsai, "Web
+application security assessment by fault injection and
+behavior monitoring," in Proceedings of the 12th
+International Conference on World Wide Web, Budapest,
+Hungary, pp. 148-159, 2003.
+[9] S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, "SecuBat: a
+web vulnerability scanner," in Proceedings of the 15th
+international conference on World Wide Web, Edinburgh,
+Scotland pp. 247-256, 2006.
+[10] G. McGraw, Software Security: Building Security in. Upper
+Saddle River, NJ: Addison-Wesley Professional, 2006.
+[11] J. Offutt, "Quality attributes of Web software applications,"
+IEEE Software, vol. 19, no. 2, pp. 25-32, 2002.
+[12] E. Ogren, "App Security's Evolution," in DarkReading.com,
+.
+[13] T. Pietraszek and C. V. Berghe, "Defending against injection
+attacks through context-sensitive string evaluation," in
+Recent Advances in Intrusion Detection (RAID). Seattle,
+WA, 2005.
+[14] F. S. Rietta, "Application layer intrusion detection for SQL
+injection," in Proceedings of the 44th annual southeast
+regional conference, New York, NY, pp. 531-536, 2006.
+[15] D. Scott and R. Sharp, "Developing secure Web
+applications," Internet Computing, IEEE, vol. 6, no. 6, pp.
+-45, 2002.
+[16] Z. Su and G. Wassermann, "The essence of command
+injection attacks in web applications," in Proceedings of the
+Annual Symposium on Principles of Programming
+Languages, Charleston, SC, pp. 372-382, 2006.
+[17] H. H. Thompson and J. A. Whittaker, "Testing for software
+security," Dr. Dobb's Journal, vol. 27, no. 11, pp. 24-34,
+.
+[18] D. Willmor and S. M. Embury, "Exploring test adequacy for
+database systems," in Proceedings of the 3rd UK Software
+Testing Research Workshop, Sheffield, UK, pp. p123-133,
+.
+[19] H. Zhu, P. A. V. Hall, and J. H. R. May, "Software Unit Test
+Coverage and Adequacy," ACM Computing Surveys, vol. 29,
+no. 4, 1997.