Browse Prior Art Database

System, Method and Apparatus for Specializing Dynamic Software Testing according to Coding Hints

IP.com Disclosure Number: IPCOM000238063D
Publication Date: 2014-Jul-30
Document File: 3 page(s) / 37K

Publishing Venue

The IP.com Prior Art Database

Abstract

The crux of this invention is to apply speciazliation of the testing system according to coding trends pertaining to the underlying software system. Intuitively, a piece of code that the developer spent more time and effort on is likely more relevant from a testing standpoint (e.g., reflecting core business logic or the security layer of the application).

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.

Page 01 of 3

Method and Apparatus for Specializing Dynamic Software Testing according

      Method and Apparatus for Specializing Dynamic Software Testing according to Coding Hints

Background. Dynamic testing of software systems is, by definition, an open challenge. The
analysis tool needs to balance between performance and coverage, where these two

considerations are obviously in conflict. The more effort the analysis expends on exposing bugs,
the slower it runs and the worse it scales. On the other hand, optimizing the analysis for performance would likely affect coverage adversely.

The main question, therefore, is how to strike an effective balance between coverage and
performance. This requires a principled and effective strategy for selecting which of the available tests to discharge against the subject software system. If extensive pruning is possible, then the testing system can start from a rich and diverse population of payloads and still manage to scale, thereby ensuring satisfactory coverage. Background art. The most immediate work that comes to mind within the scope defined above
is the XSS Analyzer system [XSSAnalyzer]*, which balances between performance and

coverage by applying online pruning of the payload space. Beyond XSS Analyzer*, there are also
more simple probing algorithms, e.g. the AppScan Standard [AppScanSTD]* algorithm for
pruning cross-site scripting (XSS)* payloads based on a check whether a benign probe value is reflected in the response from the website.

Summary. The main idea of this invention is to apply specialization of the testing system
according to coding trends pertaining to the underlying software system. Our meaning

with

specialization is that the testing system adapts, or customizes, its behavior per the specific
application at hand. Our meaning with coding trends is that the model the testing system builds
of the application is in terms of how its code was written. Intuitively, a piece of code that the
developer spent more time and effort on is likely more relevant from a testing standpoint (e.g.,
reflecting core business logic or the security layer of the application).

Description. At the heart of our specialization technique lies the idea, briefly stated

above, that
complicated/subtle/critical code is code that the testing system should examine more closely.

However, there is no absolute criterion for what constitutes critical code, and the analysis is
assumed to be fully/largely automated.

Existing frameworks provide many reusable building blocks - e.g. to develop UI

System, ,


Page 02 of 3

components,

web functionality like serialization and backend storage, mobile apps, etc - and so the

developer can concentrate more time and effort on unique aspects of the application at hand...