A New Testability Metric
Existing methodologies for measuring the probability that a web application contains risky behaviors rely on indicators, e.g., code size and complexity or the presence of security-sensitive function calls. Lowering these indicators is challenging, costly, not always necessary, or even impossible.
TESTABLE proposes a new bi-dimensional metric that not only includes existing indicators but introduces the novel dimension of testability of the code with respect to a certain class of testing techniques.
A New Decision and Action Space
The new testability metric provides a natural way to improve the security and privacy of web applications: it defines a new decision and action space in which development teams can improve security and privacy gradually.
Optimize testing strategies by focusing on the problematic components, by reconfiguring existing tools, or by procuring new ones
Review design and code to increase code testability, e.g., by using alternative libraries/frameworks/algorithms or by refactoring the program to remove hard-to-test patterns while preserving its semantics
Deploy or develop additional defense-in-depth layers when no other action is viable
New Comprehensive and Effective Testing Techniques
Automated testing techniques cannot adequately cover the variety of threats against modern web applications; they focus predominantly on discovering security vulnerabilities and regularly overlook privacy issues. In addition, the rapid integration of machine learning components into the business logic of web applications reduces the effectiveness of traditional testing techniques.
A central concern of TESTABLE is the advancement of web application security and privacy testing:
Design new security testing techniques and strategies
Design novel static and dynamic techniques to test for privacy-related problems
Develop new techniques to enable security and privacy testing of AI/ML