CORDIS - EU research results

TEStabiliTy pAttern-driven weB appLication sEcurity and privacy testing

Periodic Reporting for period 2 - TESTABLE (TEStabiliTy pAttern-driven weB appLication sEcurity and privacy testing)

Reporting period: 2022-09-01 to 2024-08-31

TESTABLE addresses the challenge of building and maintaining modern web-based and AI-powered application software systems that are secure and privacy-friendly. TESTABLE redefines the classical secure development life-cycle (SDLC) around the concept of testability, providing new tools for web and AI/ML developers, managers, and security teams.
The new secure SDLC will lay the foundations for secure and privacy-friendly application software, accessed by citizens on a daily basis.

TESTABLE has seven objectives:

1. Create a new methodology based on testability patterns
2. Improve the security and privacy of web applications by increasing their testability
3. Develop new advanced testing techniques to overcome the limitations identified through our testability patterns
4. Develop novel techniques to test for privacy-related problems
5. Develop new techniques to enable security and privacy testing of AI/ML
6. Perform large-scale experiments to assess the project metrics and methodology
7. Transfer the TESTABLE technology to industrial products and standardization bodies

The TESTABLE project will materialize its vision by achieving these seven objectives. They are grouped along three major dimensions: methodology, testing, and impact.

The work carried out during Year 1 has partially covered Objective 1. The first goal is the definition of the scope of the project by identifying the testing tools and techniques that will serve as a basis for the TESTABLE experiments. This goal was achieved by delivering the initial set of testability patterns. The Year 1 goal of Objectives 2 and 3 is delivering an assessment of the testability patterns with respect to the testing techniques identified. We achieved that goal by identifying the building blocks of each technique and then evaluating the techniques against the testability patterns. Objectives 2 and 4 were also partially covered. Through the definition of the scope of privacy testing, we have established a novel approach toward defining general-purpose privacy testing methodologies that can later be translated into specific privacy testing tools to unveil, evaluate and quantify (where possible) privacy-related problems. We have defined some general-purpose privacy-testing methodologies that will serve as a basis for developing privacy-testing tools for concrete web applications during the second and third years of the project. The Year 1 goal of Objectives 2 and 5 is the definition of the scope of ML testing. In this context, we have delivered a comprehensive review of ML vulnerabilities and an evaluation of tools. In addition, we have already identified a set of testability patterns in the ML context.

The work carried out during Year 1 has partially covered Objective 7. The main Year 1 goal is identifying and defining the initial set of case studies from which to extract requirements for the activities reported. The identified case studies cover multiple indicators of relevance: eight industrial-size web applications, open-source applications, and live websites.

In the first project year, TESTABLE has achieved all its predefined objectives in terms of measurable KPIs and scientific output:
- Published eight research papers in top-tier academic venues (KPI=6-7/year)
- Delivered >150 testability patterns (KPI=40)
- Tested >5M live websites (KPI=5M)
- Discovered and disclosed >180 vulnerabilities (KPI=25)
- Released one consumer-privacy product (by NOR)

In addition, TESTABLE has initiated the dissemination plan by kicking off the OWASP Testability Patterns for Web Applications project, under the umbrella of OWASP, with the goal of creating a self-sustaining community for collecting, archiving, and sharing testability patterns. We have also launched the project website and expanded the digital presence of the project.

The uptake of the TESTABLE methodology and advanced testing techniques will result in more secure and privacy-respecting web applications and services, in the long run drastically reducing the number of web vulnerabilities and the consequent financial loss, business and citizen data leakage, etc. This will foster more user trust toward the online consumable services of core ICT systems, accessed by billions of people every day, even when such systems provide AI/ML models as a service or use such models in their pipeline to automate some operations. This will be made possible by the specific AI/ML testing tools and their integration with software development life-cycles as envisioned in the TSAR project. In addition, via TESTABLE's feedback loop especially targeting end-users, web consumers will gain increased awareness of and control over the security and privacy of the services they consume. This is particularly important for privacy: consumers will get precise information about remediations they can put in place on their side to gain more control over the privacy of their browsing in a specific web application. Overall, citizens and society as a whole will experience safer and more privacy-respecting services from online shops, social networks, and other web applications of any kind.
[Infographic: TESTABLE approach]