System, Method, and Apparatus for Optimizing Black-Box Testing via Natural Language Descriptions of the Target System with Applications in Security Testing

IP.com Disclosure Number: IPCOM000239542D
Publication Date: 2014-Nov-14
Document File: 3 page(s) / 72K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method for the configuration of black box testing tools (e.g., dynamic security analysis tools). The user describes the architecture and makeup of the target application using natural language, or alternatively refers the testing system to an existing set of documents that describe the system, and then a cognitive computing module converts the natural description into a formal configuration.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.

Page 01 of 3

Software systems are becoming increasingly complex. A typical commercial-grade application likely consists of multiple abstraction layers, mapping concerns such as a user interface (UI), business logic, storage, security, etc. into different aspects of the code, as well as multiple modules, delegating functionalities such as storage, serialization, and network to reusable third-party libraries.

Testing techniques in general, and security testing in particular, benefit greatly from information about the architecture and internal design of the application under test. Examples from the domain of Web-application security testing include framework-specific vulnerabilities, testing biases, and Representational State Transfer (REST) Application Programming Interfaces (APIs).

The existing practice in software testing, and specifically in security testing, is to expose parameters such as the framework in use or the deployment environment to the user as configuration items. Existing tools have dozens (if not more) of configuration screens containing hundreds of configuration parameters. By default, every application-specific configuration item is set to a default value, and the user can, and in practice is often forced to, improve scan quality by setting appropriate values for some of them.

To mitigate the burden of manually specifying many configuration items, certain tools support limited fingerprinting capabilities. These enable automatic detection of handshake protocols, Web containers, etc., though fingerprinting is heuristic in nature and may produce false hints. Naturally, deep and involved aspects of the application, such as code frameworks integrated at compile time or the boundaries between business logic and other concerns, are difficult if not impossible to detect with black-box fingerprinting techniques.

A system or method is needed to significantly reduce the burden and errors resulting from manual configuration of the testing tool, while acknowledging that fully automatically mining an effective configuration is difficult, if not impossible, given the complexity of modern software and the black-box setting.

The novel idea is to utilize recent breakthroughs in cognitive computing. The user provides a natural account of the design and characteristics of the system at hand, and the cognitive computing algorithm, possibly after some additional question-and-answer interaction with the user, reduce...
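The following is an added example, not code from the disclosure: a rule-based stand-in for the cognitive computing module described above. It combines heuristic header fingerprinting (with a confidence score, so low-confidence hints such as a proxy's Server header are not silently trusted) with configuration items extracted from a free-text description, and emits follow-up questions for conflicts and unresolved required items. The keyword tables, field names, confidence values and sample inputs are all assumptions constructed for the example; a real module would use natural-language understanding rather than substring matching.

```python
"""Added example (not the disclosure's code): natural-language description plus
heuristic fingerprinting -> scanner configuration and follow-up questions."""
import re

# Keyword tables are assumptions for this example; substring matching stands in
# for the cognitive module's natural-language understanding.
FRAMEWORKS = {"spring": "java-spring", "struts": "java-struts", "django": "python-django",
              "rails": "ruby-rails", "express": "node-express", "asp.net": "dotnet-aspnet"}
STORAGE = {"postgres": "postgresql", "mysql": "mysql", "mongodb": "mongodb", "oracle": "oracle"}
AUTH = {"oauth": "oauth2", "saml": "saml", "form login": "form", "basic auth": "http-basic"}
# Items the scan cannot be tuned without; unresolved ones become questions for the user.
REQUIRED = ("framework", "auth", "api_style")
# Fingerprint hints below this confidence are asked about instead of accepted.
ACCEPT_THRESHOLD = 0.5


def fingerprint_headers(headers):
    """Heuristic black-box fingerprinting from HTTP response headers.

    Each hint is (value, confidence). A generic Server header often names a
    reverse proxy rather than the application container, so it gets a low score.
    """
    hints = {}
    server = headers.get("Server", "").lower()
    powered = headers.get("X-Powered-By", "").lower()
    cookies = headers.get("Set-Cookie", "")
    if "coyote" in server or "tomcat" in server:
        hints["container"] = ("tomcat", 0.8)
    elif "nginx" in server or "apache" in server:
        hints["container"] = (server.split("/")[0], 0.3)  # possibly just a proxy
    if "php" in powered:
        hints["framework"] = ("php", 0.6)
    elif "express" in powered:
        hints["framework"] = ("node-express", 0.7)
    if "JSESSIONID" in cookies:
        hints["runtime"] = ("java-servlet", 0.6)
    return hints


def parse_description(text):
    """Extract configuration items from a natural-language description of the target."""
    t = text.lower()
    found = {}
    for table, key in ((FRAMEWORKS, "framework"), (STORAGE, "storage"), (AUTH, "auth")):
        for keyword, value in table.items():
            if keyword in t:
                found[key] = value
                break
    if re.search(r"\brest(ful)?\b", t):
        found["api_style"] = "rest"
    elif "soap" in t:
        found["api_style"] = "soap"
    m = re.search(r"(/[a-z0-9_./-]*api[a-z0-9_./-]*)", t)  # e.g. "/api/v2"
    if m:
        found["api_base_path"] = m.group(1)
    return found


def build_config(description, headers):
    """Merge the user's description with fingerprint hints.

    The explicit description wins; conflicting or low-confidence fingerprint
    hints and missing required items are turned into questions for the user.
    Returns (config, questions).
    """
    config = dict(parse_description(description))
    questions = []
    for key, (value, confidence) in fingerprint_headers(headers).items():
        if key in config and config[key] != value:
            questions.append(f"Fingerprint suggests {key}={value} (confidence {confidence}) "
                             f"but the description says {config[key]}; which is correct?")
        elif key not in config and confidence >= ACCEPT_THRESHOLD:
            config[key] = value
        elif key not in config:
            questions.append(f"Fingerprint saw {key}={value} with low confidence "
                             f"({confidence}); is that the application or a proxy?")
    for key in REQUIRED:
        if key not in config:
            questions.append(f"Which {key} does the target use?")
    return config, questions


# Constructed sample inputs (assumptions, not data from the disclosure).
SAMPLE_DESCRIPTION = ("The application is a Java Spring service exposing a REST API under "
                      "/api/v2, backed by PostgreSQL. Users authenticate with OAuth against our IdP.")
SAMPLE_HEADERS = {"Server": "nginx/1.18.0",  # reverse proxy, not the app container
                  "Set-Cookie": "JSESSIONID=abc123; Path=/; HttpOnly"}

if __name__ == "__main__":
    cfg, qs = build_config(SAMPLE_DESCRIPTION, SAMPLE_HEADERS)
    print(cfg)
    for q in qs:
        print("Q:", q)
```

For the constructed sample the description supplies framework, storage, auth, API style and base path; the JSESSIONID cookie is accepted as a servlet-runtime hint, while the nginx Server header is low confidence and becomes a question rather than a configuration item, which is the "false hint" problem the fingerprinting paragraph describes.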