The Method And Implementation Of Software Testing Based On Security Contract

Posted on: 2012-09-24
Degree: Master
Type: Thesis
Country: China
Candidate: L B Han
Full Text: PDF
GTID: 2178330335450397
Subject: Computer software and theory
Abstract/Summary:
Security has been a concern for as long as software has existed, and it is an unavoidable issue. With the development of software and the growth of the internet, software security is becoming more prominent, more important, and more widely discussed. How to solve software security problems is a question on the minds of everyone involved.

There are two ways to address software security problems: secure software development and software security testing. Neither can solve the problem alone; combining the two gives the best assurance of software security. In this paper, we recommend considering software security early in development and performing software security testing as well.

This paper discusses software security testing using security contracts. We begin with a general introduction to software security and software security testing, including definitions, goals, characteristics and rules, and the most popular current methods of software security testing, and we explain the starting point of this work. We then discuss, from a methodological point of view, each aspect of security testing based on security contracts, including the definition of a security contract and how to express it, how to generate test cases, and the process of security testing. Finally, building on the above, we design a software security testing tool and a prototype of it, and illustrate the use of the prototype and its effect with a test case.

In terms of content, we divide security testing into two phases: design-phase testing and code-phase testing. North Carolina State University has had great success with the former. Building on their work, we address the second phase.

We further divide code-phase testing into two levels, the contract level and the program level. The two levels are independent of each other yet closely related. At the contract level, we express security contracts in XACML and handle all contract-related work, including contract request generation, contract request evaluation and response generation. At the program level, we generate test cases according to the characteristics of the program and the contract requests generated at the contract level, run the test cases against the program, and finally obtain the test results. Moreover, introducing security contracts raises the standing of software security and unifies its terminology. Expressing security contracts in XACML, a well-structured language, makes automated software security testing much easier.
Keywords/Search Tags:Software testing, software security, security testing, security contract
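
The contract level and program level described in the abstract can be illustrated with the following added Python example, which is not code from the thesis or its tool. The policy is a constructed, simplified XACML-style document (not schema-valid XACML), and `program_under_test` with its seeded bug is hypothetical.

```python
import itertools
import xml.etree.ElementTree as ET

# Constructed, simplified XACML-style policy (assumption; not schema-valid XACML).
POLICY_XML = """
<Policy RuleCombiningAlgId="first-applicable">
  <Rule RuleId="r1" Effect="Permit"><Target subject="admin" resource="report" action="write"/></Rule>
  <Rule RuleId="r2" Effect="Permit"><Target resource="report" action="read"/></Rule>
  <Rule RuleId="r3" Effect="Deny"><Target resource="report"/></Rule>
</Policy>
"""
ATTRS = ("subject", "resource", "action")

def load_rules(xml_text):
    """Return [(effect, {attr: value})] in document order."""
    root = ET.fromstring(xml_text)
    return [(r.get("Effect"), dict(r.find("Target").attrib)) for r in root.iter("Rule")]

def generate_requests(rules):
    """Contract request generation: cross product of every value named in the
    policy plus one out-of-policy value per attribute."""
    domains = []
    for a in ATTRS:
        vals = sorted({t[a] for _, t in rules if a in t})
        domains.append(vals + ["other-" + a])
    return [dict(zip(ATTRS, combo)) for combo in itertools.product(*domains)]

def evaluate(rules, request):
    """Contract request evaluation with first-applicable rule combining."""
    for effect, target in rules:
        if all(request[a] == v for a, v in target.items()):
            return effect
    return "NotApplicable"

def program_under_test(request):
    """Hypothetical access check with a seeded bug: any subject may write."""
    if request["resource"] != "report":
        return "NotApplicable"
    return "Permit" if request["action"] in ("read", "write") else "Deny"

def run_contract_tests(xml_text, program):
    """Program level: replay each request and collect decision mismatches."""
    rules = load_rules(xml_text)
    failures = []
    for req in generate_requests(rules):
        expected, actual = evaluate(rules, req), program(req)
        if expected != actual:
            failures.append((req, expected, actual))
    return failures
```

Each returned tuple is a failing test case: the request, the decision the contract requires, and the decision the program actually made.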