Proposing SQL Statement Coverage Metrics: Difference between revisions

: <sup>[1]</sup> B. Beizer, Software Testing Techniques. New York, NY: Van Nostrand Reinhold Co., 1990.
: <sup>[2]</sup> S. W. Boyd and A. D. Keromytis, "SQLrand: Preventing SQL injection attacks," in Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, Yellow Mountain, China, pp. 292-304, 2004.
: <sup>[3]</sup> B. Brenner, "CSI 2007: Developers need Web application security assistance," in SearchSecurity.com, 2007.
: <sup>[4]</sup> M. Cobb, "Making the case for Web application vulnerability scanners," in SearchSecurity.com, 2007.
: <sup>[5]</sup> W. G. Halfond, J. Viegas, and A. Orso, "A Classification of SQL-Injection Attacks and Countermeasures," in Proceedings of the International Symposium on Secure Software Engineering, Arlington, VA, March 2006.
: <sup>[6]</sup> W. G. J. Halfond and A. Orso, "AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks," in Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, Long Beach, CA, USA, pp. 174-183, 2005.
: <sup>[7]</sup> W. G. J. Halfond and A. Orso, "Command-Form Coverage for Testing Database Applications," in Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, pp. 69-78, 2006.
: <sup>[8]</sup> Y. W. Huang, S. K. Huang, T. P. Lin, and C. H. Tsai, "Web application security assessment by fault injection and behavior monitoring," in Proceedings of the 12th International Conference on World Wide Web, Budapest, Hungary, pp. 148-159, 2003.
: <sup>[9]</sup> S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, "SecuBat: A web vulnerability scanner," in Proceedings of the 15th International Conference on World Wide Web, Edinburgh, Scotland, pp. 247-256, 2006.
: <sup>[10]</sup> G. McGraw, Software Security: Building Security In. Upper Saddle River, NJ: Addison-Wesley Professional, 2006.
: <sup>[11]</sup> J. Offutt, "Quality attributes of Web software applications," IEEE Software, vol. 19, no. 2, pp. 25-32, 2002.
: <sup>[12]</sup> E. Ogren, "App Security's Evolution," in DarkReading.com, 2007.
: <sup>[13]</sup> T. Pietraszek and C. V. Berghe, "Defending against injection attacks through context-sensitive string evaluation," in Recent Advances in Intrusion Detection (RAID), Seattle, WA, 2005.
: <sup>[14]</sup> F. S. Rietta, "Application layer intrusion detection for SQL injection," in Proceedings of the 44th Annual Southeast Regional Conference, New York, NY, pp. 531-536, 2006.
: <sup>[15]</sup> D. Scott and R. Sharp, "Developing secure Web applications," IEEE Internet Computing, vol. 6, no. 6, pp. 38-45, 2002.
: <sup>[16]</sup> Z. Su and G. Wassermann, "The essence of command injection attacks in web applications," in Proceedings of the Annual Symposium on Principles of Programming Languages, Charleston, SC, pp. 372-382, 2006.
: <sup>[17]</sup> H. H. Thompson and J. A. Whittaker, "Testing for software security," Dr. Dobb's Journal, vol. 27, no. 11, pp. 24-34, 2002.
: <sup>[18]</sup> D. Willmor and S. M. Embury, "Exploring test adequacy for database systems," in Proceedings of the 3rd UK Software Testing Research Workshop, Sheffield, UK, pp. 123-133, 2005.
: <sup>[19]</sup> H. Zhu, P. A. V. Hall, and J. H. R. May, "Software Unit Test Coverage and Adequacy," ACM Computing Surveys, vol. 29, no. 4, 1997.
: <sup>[20]</sup> http://nvd.nist.gov/
: <sup>[21]</sup> http://www.junit.org