Presentation is loading. Please wait.

Presentation is loading. Please wait.

Testing Electronic Health Records Applications with a Security Test Pattern Developed Using Empirical Data Ben Smith Motivation Knowledge gap in software.

Published bySheryl Dean Modified over 5 years ago

Similar presentations

Presentation on theme: "Testing Electronic Health Records Applications with a Security Test Pattern Developed Using Empirical Data Ben Smith Motivation Knowledge gap in software."— Presentation transcript:

1 Testing Electronic Health Records Applications with a Security Test Pattern Developed Using Empirical Data Ben Smith Motivation Knowledge gap in software security testing expertise. Need vehicle to capture and disseminate knowledge about how to attack systems that novices can understand. Introduced and evaluated a pattern catalog of software security test patterns. Contributions Introduced the process for empirical development of test patterns using a grounded theory approach. Developed first six test patterns that target the CWE/SANS Top 25. Applied pattern catalog to 284 public requirements for EHR systems. Created 137 black box test cases, and ran these on five EHRs for 685 test executions. Thirty-seven percent (37%) or 253 of the tests revealed vulnerabilities. Different vulnerabilities than static analysis/automated penetration testing. Security Test Pattern Components Keywords Targeted Vulnerability Types CIA Properties Procedure Template Expected Results Template Example Procedure Example Expected Results User Study Conducted a study of 47 novices applying the six patterns on six requirements from the public requirements document. Created a consensus using a panel of seven experts. Novices make similar decisions about which patterns are applicable as experts do. Novices spent less than 18 minutes parsing the requirements and produced on average 15 tests. Novices reported that they thought the exercise would be useful for security. - still less text - make a handout with the pattern on it and maybe just have the component headers - “security testing knowledge transfer” Highlight the lack of expertise in the common developer/tester population. - remove the icons - show STPI with a pre-parsed requirement - indicate that we empirically-developed the patterns to target the CWE/SANS Top 25 - say what the top 25 actually are - remove the problem/object/approach/evaluation stuff and just have the highlights - make andy’s chart: “Requirement” -> a) actor (icon), b) action (icon), c) object (icon) -> test cases - make sure a list of all the patterns is still there - pattern -> “security test pattern” - highlight the fact that I evaluated it. - put the number of failures in addition to the percentage Make sure there is a tracing from the tool to the example pattern.

Download ppt "Testing Electronic Health Records Applications with a Security Test Pattern Developed Using Empirical Data Ben Smith Motivation Knowledge gap in software."

Similar presentations

Indian Health Service Office of Information Technology RPMS Suicide Reporting Form.

Indian Health Service Office of Information Technology RPMS Suicide Reporting Form.
1 Integration Testing CS 4311 I. Burnstein. Practical Software Testing, Springer-Verlag, 2003.

1 Integration Testing CS 4311 I. Burnstein. Practical Software Testing, Springer-Verlag, 2003.
1 Introduction to OBIEE: Learning to Access, Navigate, and Find Data in the SWIFT Data Warehouse Lesson 6: Navigation in OBIEE – Completing the Tour of.

1 Introduction to OBIEE: Learning to Access, Navigate, and Find Data in the SWIFT Data Warehouse Lesson 6: Navigation in OBIEE – Completing the Tour of.
CSCE 522 Building Secure Software. CSCE 548 - Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,

CSCE 522 Building Secure Software. CSCE Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,
McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.

McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Extended Learning Module H Computer Crime and Digital Forensics.
Mgt 240 Lecture MS Excel: Decision Support Systems September 16, 2004.

Mgt 240 Lecture MS Excel: Decision Support Systems September 16, 2004.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.

High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.
Measuring (and Driving) the Value of Training Bruce Winner, Los Rios CCD – Government Training Academy Bruce blogs to the training community at - www.GetResultsFromTraining.com.

Measuring (and Driving) the Value of Training Bruce Winner, Los Rios CCD – Government Training Academy Bruce blogs to the training community at -
How to Chart a Medical Records Request in the PHI Log

How to Chart a Medical Records Request in the PHI Log
By: Erin Scott. Step One: Click on the “insert” tab located on the menu bar.

By: Erin Scott. Step One: Click on the “insert” tab located on the menu bar.
Mgt 20600: IT Management & Applications Decision Support Systems Tuesday April 18, 2006.

Mgt 20600: IT Management & Applications Decision Support Systems Tuesday April 18, 2006.
The United Nations Demographic Yearbook: In Need of Improvement Expert Group Meeting to Review the United Nations Demographic Yearbook System 10-14 November.

The United Nations Demographic Yearbook: In Need of Improvement Expert Group Meeting to Review the United Nations Demographic Yearbook System November.
Functional Testing Test cases derived from requirements specification document – Black box testing – Independent testers – Test both valid and invalid.

Functional Testing Test cases derived from requirements specification document – Black box testing – Independent testers – Test both valid and invalid.
Performing a Penetration Test.  Penetration Tester  Attempts to reveal potential consequences of a real attack  Security Audit / Vulnerability Assessment.

Performing a Penetration Test.  Penetration Tester  Attempts to reveal potential consequences of a real attack  Security Audit / Vulnerability Assessment.
Building a Foundation for the Future: Junior Achievement Entrepreneurship Programs Entrepreneurship Education Forum Columbus, Ohio November 13, 2010 John.

Building a Foundation for the Future: Junior Achievement Entrepreneurship Programs Entrepreneurship Education Forum Columbus, Ohio November 13, 2010 John.
SCOTT KURODA ADVISOR: DR. FRANZ KURFESS Encouraging Secure Programming Practice in Academia.

SCOTT KURODA ADVISOR: DR. FRANZ KURFESS Encouraging Secure Programming Practice in Academia.
Stephanie Jones, RN, PhD Student Arthur Labatt School of Nursing University of Western Ontario Lorie Donelle, RN, PhD Arthur Labatt School of Nursing University.

Stephanie Jones, RN, PhD Student Arthur Labatt School of Nursing University of Western Ontario Lorie Donelle, RN, PhD Arthur Labatt School of Nursing University.
From Use Cases to Test Cases 1. A Tester’s Perspective  Without use cases testers will approach the system to be tested as a “black box”. “What, exactly,

From Use Cases to Test Cases 1. A Tester’s Perspective  Without use cases testers will approach the system to be tested as a “black box”. “What, exactly,
Dr. David Mowat June 22, 2005 Federal, Provincial & Local Roles Surveillance of Risk Factors and Determinants of Chronic Diseases.

Dr. David Mowat June 22, 2005 Federal, Provincial & Local Roles Surveillance of Risk Factors and Determinants of Chronic Diseases.

Similar presentations

Ads by Google