Proposing SQL Statement Coverage Metrics: Difference between revisions

We define two criteria for input validation testing coverage. Client-side input validation can be bypassed by attackers <sup>[7]</sup>. Therefore, we only measure the coverage of server-side code. The following are the basic terms used to define the input validation coverage criteria.


* '''Target statement''': A target statement (within our context) is a SQL statement which could cause a security problem when malicious input is used. For example, consider the statement


   java.sql.Statement.executeQuery(String sql)


A SQL injection attack can happen when an attacker uses maliciously-devised input as explained in Section 2. Let '''T''' be the set of all the SQL statements in an application.
* '''Input variable''': An input variable is any variable in the server-side production code which is dynamically user-assigned and sent to the database management system. Let '''F''' represent the set of all input variables in all SQL statements occurring in the production code.
=== 3.1 Target Statement Coverage ===
Target statement coverage measures the percentage of SQL statements executed at least once during execution of the test suite.
'''Definition''': A set of input validation tests satisfies target statement coverage if and only if for every SQL statement t ∈ T, there exists at least one test in the input validation test cases which executes t.
'''Metric''': The target statement coverage criterion can be measured by the percentage of SQL statements tested at least once by the test set out of the total number of SQL statements.
'''Server-side target statement coverage''' = PLACEHOLDER
where Test(''t'') is a SQL statement tested at least once.
'''Coverage interpretation''': A low value for target statement coverage indicates that testing was insufficient. Programmers need to add more test cases to the input validation set for untested SQL statements to improve target statement coverage.
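As an added illustration (not code from the original page), the following Python script shows one way to measure server-side target statement coverage in practice. It assumes a hypothetical application whose SQL statements (the set T) are kept in a single table keyed by call site, and wraps the database connection so that every execution records which target statement ran. A constructed input validation test suite then feeds hostile-looking values through the input variables (F) of some statements, and the coverage function reports the percentage of T that was exercised at least once, together with the untested statements a programmer would need to add tests for. The statement identifiers, table layout and test inputs are all constructed for this example.

```python
import sqlite3

# Constructed sample: the set T of SQL statements in the hypothetical
# application, keyed by an identifier for the call site that issues them.
# All statements use parameter binding, so user input is never concatenated
# into the SQL text.
TARGET_STATEMENTS = {
    "users.by_name":  "SELECT id, name FROM users WHERE name = ?",
    "users.insert":   "INSERT INTO users (name, role) VALUES (?, ?)",
    "orders.by_user": "SELECT id, total FROM orders WHERE user_id = ?",
    "orders.delete":  "DELETE FROM orders WHERE id = ?",
}


class TracedConnection:
    """Wraps a sqlite3 connection and records which target statements ran.

    The recorded set is the Test(t) relation from the definition: a statement
    identifier is present if and only if that statement executed at least once.
    """

    def __init__(self, conn):
        self.conn = conn
        self.executed = set()

    def execute(self, stmt_id, params=()):
        sql = TARGET_STATEMENTS[stmt_id]
        self.executed.add(stmt_id)
        return self.conn.execute(sql, params)


def target_statement_coverage(executed, targets=TARGET_STATEMENTS):
    """Return (coverage percentage, sorted list of untested statement ids)."""
    tested = {t for t in targets if t in executed}
    untested = sorted(set(targets) - tested)
    pct = 100.0 * len(tested) / len(targets) if targets else 0.0
    return pct, untested


def setup_db():
    # In-memory database with the two tables the sample statements refer to.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
        """
    )
    return TracedConnection(conn)


# Constructed hostile inputs for the input validation tests: values that would
# alter the SQL if they were concatenated into the statement text.
HOSTILE_INPUTS = ["' OR '1'='1", "alice'; --", "\" OR 1=1 --"]


def run_input_validation_tests(db):
    """A small input validation test suite; returns the set of executed statements.

    Only three of the four target statements are exercised, so the coverage
    report below flags the remaining one as untested.
    """
    db.execute("users.insert", ("alice", "user"))
    all_literal = True
    for value in HOSTILE_INPUTS:
        # With parameter binding the hostile value is compared literally, so no
        # row can match it and the lookup must return nothing.
        rows = db.execute("users.by_name", (value,)).fetchall()
        all_literal = all_literal and rows == []
    for value in HOSTILE_INPUTS:
        db.execute("orders.by_user", (value,)).fetchall()
    return db.executed, all_literal


def coverage_report():
    """Run the suite and compute server-side target statement coverage."""
    db = setup_db()
    executed, all_literal = run_input_validation_tests(db)
    pct, untested = target_statement_coverage(executed)
    return pct, untested, all_literal


if __name__ == "__main__":
    pct, untested, all_literal = coverage_report()
    print(f"target statement coverage: {pct:.1f}%")
    print(f"untested statements: {untested}")
    print(f"hostile inputs handled literally: {all_literal}")
```

Running the script reports 75% coverage and lists `orders.delete` as untested, which is exactly the signal the coverage interpretation above describes: the low value points the programmer at the specific SQL statements for which input validation tests still need to be written. In a real application the statement table would be populated by the same mechanism that issues queries (a data-access layer or ORM hook) rather than hand-written, so that T is derived from the production code and not from the tests.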


== 9. References ==