Proposing SQL statement coverage metrics

An increasing number of cyber attacks are occurring at the application layer when attackers use malicious input. These input validation vulnerabilities can be exploited by (among others) SQL injection, cross-site scripting, and buffer overflow attacks. Statement coverage and similar test adequacy metrics have historically been used to assess the level of functional and unit testing which has been performed on an application. However, these currently available metrics do not highlight how well the system protects itself through validation. In this paper, we propose two SQL injection input validation testing adequacy metrics: target statement coverage and input variable coverage. A test suite which satisfies both adequacy criteria can be leveraged as a solid foundation for input validation scanning with a blacklist. To determine whether it is feasible to calculate values for our two metrics, we perform a case study on a web healthcare application and discuss some issues in implementatio...
Ben H. Smith, Yonghee Shin, Laurie Williams
Added 09 Dec 2009
Updated 09 Dec 2009
Type Conference
Year 2008
Where ICSE