Vulnerability Coverage for Secure Configuration
This work addresses software security testing for developers and testers by providing a method to improve vulnerability detection, though it appears incremental as it adapts existing evolutionary algorithms to a new domain.
The paper tackles the problem of adequacy testing for software security by introducing vulnerability coverage, which measures the presence of vulnerability classes from the NVD, and uses evolutionary algorithms like GA and PSO with CVSS as a fitness measure to generate test inputs, resulting in the identification of vulnerabilities matching specific patterns for testing.
We present a novel idea on adequacy testing called ``{vulnerability coverage}.'' The introduced coverage measure examines the underlying software for the presence of certain classes of vulnerabilities often found in the National Vulnerability Database (NVD) website. The thoroughness of the test input generation procedure is performed through the adaptation of evolutionary algorithms namely Genetic Algorithms (GA) and Particle Swarm Optimization (PSO). The methodology utilizes the Common Vulnerability Scoring System (CVSS), a free and open industry standard for assessing the severity of computer system security vulnerabilities, as a fitness measure for test inputs generation. The outcomes of these evolutionary algorithms are then evaluated in order to identify the vulnerabilities that match a class of vulnerability patterns for testing purposes.