Publication


Featured research published by Toan Huynh.


Empirical Software Engineering | 2007

A practical approach to testing GUI systems

Ping Li; Toan Huynh; Marek Reformat; James Miller

GUI systems are becoming increasingly popular thanks to their ease of use when compared against traditional systems. However, GUI systems are often challenging to test due to their complexity and special features. Traditional testing methodologies are not designed to deal with the complexity of GUI systems; using these methodologies can result in increased time and expense. In our proposed strategy, a GUI system will be divided into two abstract tiers—the component tier and the system tier. On the component tier, a flow graph will be created for each GUI component. Each flow graph represents a set of relationships between the pre-conditions, event sequences and post-conditions for the corresponding component. On the system tier, the components are integrated to build up a viewpoint of the entire system. Tests on the system tier will interrogate the interactions between the components. This method for GUI testing is simple and practical; we will show the effectiveness of this approach by performing two empirical experiments and describing the results found.


Empirical Software Engineering | 2010

An empirical investigation into open source web applications' implementation vulnerabilities

Toan Huynh; James Miller

Current web applications have many inherent vulnerabilities; in fact, in 2008, over 63% of all documented vulnerabilities are for web applications. While many approaches have been proposed to address various web application vulnerability issues, there has not been a study to investigate whether these vulnerabilities share any common properties. In this paper, we use an approach similar to the Goal-Question-Metric approach to empirically investigate four questions regarding open source web applications' vulnerabilities: What proportion of security vulnerabilities in web applications can be considered as implementation vulnerabilities? Are these vulnerabilities the result of interactions between web applications and external systems? What is the proportion of vulnerable lines of code within a web application? Are implementation vulnerabilities caused by implicit or explicit data flows? The results from the investigation show that implementation vulnerabilities dominate. They are caused through interactions between web applications and external systems. Furthermore, these vulnerabilities only contain explicit data flows, and are limited to relatively small sections of the source code.


Empirical Software Engineering | 2009

Another viewpoint on evaluating web software reliability based on workload and failure data extracted from server logs

Toan Huynh; James Miller

An approach of determining a website’s reliability is evaluated in this paper. This technique extracts workload measures and error codes from the server’s data logs. This information is then used to calculate the reliability for a particular website. This study follows on from a previous study, and hence, can be regarded as a “partial replication” (technically, as both studies are case studies not formal experiments, this description is inaccurate. Unfortunately, no corresponding definition exists for case studies, and hence the term is used to convey a general sense of purpose) of the original study. Although the method proposed by the original study is feasible, the effectiveness of just using a specific error type and a specific workload to estimate the reliability of websites is questionable. In this study, different error types and their usefulness for reliability analysis are examined and discussed. After a thorough investigation, we believe that reliability analysis for websites must be based on more specific error definitions as they can provide a superior reliability estimate for today’s highly dynamic websites.


International Symposium on Empirical Software Engineering | 2005

Further investigations into evaluating Web site reliability

Toan Huynh; James Miller

This paper explores the idea of evaluating Web site reliability based on the data from server logs. This approach requires the extraction of workload measures and the error types to be extracted from the server logs. This study follows on another study, and hence, can be regarded as a partial replication of the original study. While the approach in the original study is feasible, we have to question the effectiveness of just using the 404 error type and hit count to estimate the reliability of Web sites. Various error types are examined and their implications when used for reliability analysis are discussed. Potential issues with the workloads defined in the original study are also investigated and discussed. After a thorough investigation, we believe that reliability analysis for Web sites can and should be extended to include other error codes and workloads as they can provide a much better reliability estimate of today's highly dynamic Web sites.


International Journal of Information Technology and Web Engineering | 2006

Agile Development of Secure Web-Based Applications

Andrew F. Tappenden; Toan Huynh; James Miller; Adam Geras; Michael R. Smith

This article outlines a four-point strategy for the development of secure Web-based applications within an agile development framework and introduces strategies to mitigate security risks commonly present in Web-based applications. The proposed strategy includes the representation of security requirements as test cases supported by the open source tool FIT, the deployment of a highly testable architecture allowing for security testing of the application at all levels, the outlining of an extensive security testing strategy supported by the open source unit-testing framework HTTPUnit, and the introduction of the novel technique of security refactoring that transforms insecure working code into a functionally equivalent secure code. Today, many Web-based applications are not secure, and limited literature exists concerning the use of agile methods within this domain. It is the intention of this article to further discussions and research regarding the use of an agile methodology for the development of secure Web-based applications.


International Journal of Systems and Service-oriented Engineering | 2012

On Spam Susceptibility and Browser Updating

James Miller; Eric Luong; Toan Huynh

This study examines the intersection between the group of users susceptible to spam and users who continue to use out-dated browsers. Specifically, it empirically determines if an association between unsafe user behaviour and the use of an out-dated browser exists. A case study is conducted wherein spam-like emails are sent to 25,000 random email users. The emails each contain a link to a webpage that records information on any visitors. The collected data is parsed and analyzed. Information was recorded on 90 distinct visitors. Analysis showed that approximately 66% of visitors were using out-dated browsers. The work implies that future research on the problem of spam should include browser version information as a dichotomous variable as a covariant in their analysis. The results suggest that greater effort must be put into educating the public about safe online behaviour and best practices, including the importance of updating software.


International Journal of Systems and Service-oriented Engineering | 2012

AIWAS: The Automatic Identification of Web Attacks System

James Miller; Toan Huynh

A recent report states that 63 percent of documented vulnerabilities exist in Web applications. Hence, Web applications represent an ideal platform for malicious attackers to target. This paper presents an anomaly intrusion detection system AIWAS to help system administrators protect their Web applications from these attacks. AIWAS maps each user's input into an Instance Model (IM). The IM, which contains attackable features of the input, allows machine learning algorithms to classify the input as either benign or malicious. AIWAS then prevents malicious inputs from reaching the protected Web applications. A case study demonstrates the effectiveness of AIWAS against actual attacks.


Information Processing and Management | 2009

Empirical observations on the session timeout threshold

Toan Huynh; James Miller


Information Processing and Management | 2014

An empirical investigation of Web session workloads: Can self-similarity be explained by deterministic chaos?

Scott Dick; Omolbanin Yazdanbaksh; Xiuli Tang; Toan Huynh; James Miller


Journal of Web Engineering | 2010

Investigating the distributional property of the session workload

James Miller; Toan Huynh

Collaboration


Dive into Toan Huynh's collaboration.

Top Co-Authors

Ping Li

University of Alberta
