
World Academy of Science, Engineering and Technology
International Journal of Computer and Information Engineering
Vol:7, No:6, 2013

Comparative Analysis and Evaluation of Software Vulnerabilities Testing Techniques
Khalid Alnafjan, Tazar Hussain, Hanif Ullah, and Zia ul haq Paracha

Abstract—Software and applications are subjected to serious and damaging security threats, and these threats are increasing as a result of the growing number of potential vulnerabilities. Security testing is an indispensable process to validate software security requirements and to identify security related vulnerabilities. In this paper we analyze and compare different available vulnerability testing techniques based on pre-defined criteria using the analytical hierarchy process (AHP). We have selected five testing techniques: Source code analysis, Fault code injection, Robustness, Stress and Penetration testing. These testing techniques have been evaluated against five criteria: cost, thoroughness, ease of use, effectiveness and efficiency. The outcome of the study helps researchers, testers and developers to understand the effectiveness of each technique in its respective domain. The study also helps to compare the inner working of testing techniques against a selected criterion to achieve optimum testing results.

Keywords—Software Security, Security Testing, Testing techniques, vulnerability, AHP.

I. INTRODUCTION

Software testing is the process of analyzing a software item to detect the differences between existing and required conditions (that is, bugs) and to evaluate the features of the software item [6], [7]. In the process of testing, the software item is exercised under specified conditions and observed for particular aspects. Software testing has two main goals: one objective is to probe the software for bugs so that these can be removed; the second is to ensure that the software works according to its specifications. Software errors and defects give rise to vulnerabilities, which are the main cause of software failure. Software assurance is defined by the Department of Defense (DOD) as “The level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software” [22]. Most software contains flaws and errors that are often exploited to compromise the functions and security of the software. Software security assurance is an evolving subject and is much less mature than software quality assurance and software safety assurance. The objective of software security assurance is to ensure the confidentiality, integrity and availability of a software system by following different techniques and mechanisms throughout the software development life cycle (SDLC). Security testing activities are performed to validate security requirements and identify potential vulnerabilities. Standard software testing processes identify defects related to software quality attributes and functional aspects, but security vulnerabilities can also be discovered through the standard testing process. The objective of security testing is to assess the security properties and behavior of the software as it interacts with external or internal entities, regardless of the functionality that the software implements. We chose five types of functional testing techniques which include both black box and white box approaches: Source code analysis, Fault code injection testing, Robustness testing, Stress testing, and Penetration testing. These techniques are first analyzed to understand how they work and how they can be used to identify security related vulnerabilities and bugs in software systems. Then the techniques are compared based on criteria which we think will help software security testers and researchers to select the optimum tool in a particular scenario. A multi criteria decision support system (MCDM) based on the analytical hierarchy process (AHP) has been used to evaluate the selected testing techniques. AHP is a structured technique based on mathematics and intuition, developed by Thomas L. Saaty [14] in the 1970s, and has been extensively used in fields such as government, business, industry, healthcare, and education. AHP enables the evaluation of the inconsistency of the decision-maker, known as the consistency check: inconsistencies below 10% are accepted for matrices of order n≥5 (5% for n=3 and 9% for n=4); otherwise the judgments made must be revised or the matrix discarded [3]. The study also helps to understand the relationships between known vulnerabilities and how particular testing techniques deal with them.

II. SOFTWARE SECURITY AND TESTING

The presence of software errors during the software development life cycle (SDLC) that lead to software vulnerabilities is very common and inevitable. Discovering vulnerabilities is a favorite activity of attackers who want to use the software systems for their own benefit. In 2008, 6058 vulnerabilities were catalogued by CERT [1]; the NIST National Vulnerability Database [5] and Common Vulnerability Management [11] contain data about software flaws and errors. These statistics indicate how software can be used to compromise a system if an attacker attacks with evil

Khalid Alnafjan, Tazar Hussain, and Hanif Ullah are with the National Institute of Standards and Technology, Boulder, CO 80305 USA (e-mail: [email protected], [email protected], [email protected]).
Zia ul haq Paracha is with the Department of Management Information System, College of Business Administration, King Saud University, P.O. Box 51178 Riyadh 11543 Saudi Arabia (e-mail: [email protected]).

International Scholarly and Scientific Research & Innovation 7(6) 2013 687 ISNI:0000000091950263
intents. The objective of software testing is to cause failures in order to make faults visible [7] so that these faults can be removed. Security testing emphasizes what the software should do in relation to confidentiality, integrity and availability, but, unlike traditional testing, it places much more emphasis on “what the software should not do”. Security testing must consider all the security requirements, and these cannot be dropped, unlike traditional testing requirements. Software testing contributes towards developing secure software by testing for insecure programming practices, and testing can also identify flaws which are not visible at the architecture level. Therefore traditional software testing can be used with security in mind. Based on the knowledge about software internals, software testing is of two major types, that is black box and white box testing.

A. Black Box Testing

In this type of testing the software code is considered as a “black box”: the tester normally has very little or no knowledge of the system under test, or the source code and internal mechanisms of the system are not available. Black box security tests are performed on executable software and use a variety of inputs to simulate the behavior of attackers and other misusers. In this regard black box testing plays a very vital role in ensuring input validation and checking; it also identifies some serious security vulnerabilities, e.g. SQL injection, buffer overflows and cross site scripting.

Fig. 1 Black Box testing process

Black box testing activities are carried out throughout the SDLC and help to test security in the following areas. Black box tests are performed to evaluate the behavior of COTS and executable packages; they also examine the interaction of the software with its environment, such as attackers and external entities. This type of test is not possible with a white box mechanism. They uncover security issues that arise as a result of missing modules, packages and files, and discover potential security issues resulting from boundary conditions.

B. White Box Testing

This is the type of testing that takes the internal mechanism of the system into account and is performed when the source is available. Because white box testing has access to the source code and internal mechanism, it is able to identify coding errors, data flow and error handling issues, etc., to evaluate the software against security requirements. Static and dynamic source code analysis are the core activities performed as part of white box testing. To perform white box security testing one must have knowledge about how to develop secure and avoid insecure systems, and how to think like an attacker.

Fig. 2 White box testing process

White box testing helps to ensure software security and identify some common and serious errors.

III. SECURITY TESTING TECHNIQUES

We have selected the five major types of testing techniques that perform a crucial role in security enhancement; both white box and black box techniques are included in the selected techniques, although some of the techniques behave as hybrids. The following section analyzes the selected techniques in terms of their working mechanism, performance, types of security flaws identified, and effectiveness.

A. Source Code Analysis

Source code analysis is the process of analyzing the source code before compilation (static analysis), or analyzing both the source code and the executable (dynamic analysis), for coding errors, insecure practices and vulnerable code. In manual code analysis the tester inspects the source code for vulnerable code, such as finding strcpy() calls, without the use of a tool. Modern security analyzers are much more sophisticated in identifying bugs and also reduce false alarms. In dynamic source analysis the compiled executable is run and fed with input in order to test the program variables and observe code behavior. Depending on the type of testing tool, some errors and discrepancies are identified easily while others are harder to identify.

Source code analysis tools [9], [10] have the ability to examine the arguments in calls to insecure library functions; e.g. C/C++ testing tools can preprocess the source code, which enables the analyzing tool to see the same code as seen by the compiler.

Bounds detection and error checking functionality enable these tools to detect vulnerabilities due to integer overflow, integer truncation, unsigned underflow, etc.

To detect vulnerabilities associated with incorrectly implemented sequences of operations, security analyzers often look for specific library function calls and print a warning about potential security problems associated with those functions.

Pointer aliasing is a static analysis that tries to solve the problem that arises when two pointers point to the same data, as explained in [9], [10].

B. Fault Code Injection

In this type of testing bugs are intentionally injected into the code; the code is then compiled and executed so the tester can determine how the software reacts when it is forced into anomalous states. Fault code injection increases robustness and reliability by identifying incorrect use of pointers and arrays, the presence of dangerous calls, and race conditions.
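The insecure-library-call check that Section III.A attributes to source code analyzers, as an added illustration that is not part of the paper or of any tool it cites: the Python below first blanks out comments and string literals (so that a mention of strcpy in a comment is not reported, one source of the false alarms the section mentions, and so that the scanner sees roughly what the compiler sees), then reports each call to a small table of C functions together with the reason a reviewer would give. The function table, the sample C fragment and all function names are constructed for this example.

```python
"""Added example: flag calls to insecure C library functions in source text."""
import re
from typing import Dict, List, Tuple

# Functions a source analyzer typically warns about (table assumed for this example)
INSECURE_CALLS: Dict[str, str] = {
    "strcpy": "no bound on the destination buffer; use strncpy/strlcpy with an explicit size",
    "strcat": "no bound on the destination buffer; use strncat/strlcat",
    "sprintf": "no bound on the output buffer; use snprintf",
    "gets": "cannot limit the input length (removed in C11); use fgets",
    "scanf": "an unbounded %s conversion overflows its buffer; use a width or fgets",
}
# \b keeps my_strcpy( from matching; the trailing ( keeps strcpy_s( from matching
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, INSECURE_CALLS)) + r")\s*\(")


def _blank(text: str) -> str:
    """Replace every character except newlines with a space (keeps line numbers intact)."""
    return re.sub(r"[^\n]", " ", text)


def strip_comments_and_strings(source: str) -> str:
    """Blank out // and /* */ comments and string/char literals so that names inside
    them are not mistaken for calls."""
    out: List[str] = []
    i, n = 0, len(source)
    while i < n:
        if source.startswith("//", i):
            j = source.find("\n", i)
            j = n if j == -1 else j
        elif source.startswith("/*", i):
            j = source.find("*/", i + 2)
            j = n if j == -1 else j + 2
        elif source[i] in "\"'":
            quote, j = source[i], i + 1
            while j < n and source[j] != quote:
                j += 2 if source[j] == "\\" else 1   # skip escaped characters
            j = min(j + 1, n)
        else:
            out.append(source[i])
            i += 1
            continue
        out.append(_blank(source[i:j]))
        i = j
    return "".join(out)


def find_insecure_calls(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, function name, reason) for each flagged call."""
    findings = []
    for lineno, line in enumerate(strip_comments_and_strings(source).splitlines(), start=1):
        for match in CALL_RE.finditer(line):
            name = match.group(1)
            findings.append((lineno, name, INSECURE_CALLS[name]))
    return findings


def report(source: str) -> List[str]:
    """Human-readable warning lines, in the style of an analyzer's output."""
    return [f"line {ln}: call to {fn}(): {why}" for ln, fn, why in find_insecure_calls(source)]


# Constructed C fragment for the demonstration (not from the paper).
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* strcpy(buf, input) would be unsafe here, but this is only a comment */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                        /* flagged: unbounded copy */
    printf("strcpy(%s) done\n", buf);         /* inside a string literal: ignored */
    snprintf(buf, sizeof buf, "%s", name);    /* bounded: not flagged */
}

void read_line(void) {
    char line[64];
    gets(line);                               // flagged
}
'''

if __name__ == "__main__":
    for warning in report(SAMPLE_C):
        print(warning)
```

Only the two real calls (lines 8 and 15 of the fragment) are reported; the strcpy in the comment and in the printf format string are not. A production analyzer also tracks the argument sizes (the bounds checking the section describes), which this name-based pass does not attempt.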

This type of testing is used in situations where high assurance is required against well known serious vulnerabilities, but it is a complex process because every scenario cannot be simulated. In fault propagation analysis not only is it observed how the code behaves with injected faults, but the propagation of the fault (in the source code) is also analyzed through fault trees. This enables the tester to determine the impact of a fault on a module and on the system as a whole. Interface propagation analysis enables the tester to determine how a fault in one component affects other components of the system.

C. Stress Testing

Also known as load or performance testing; in stress testing the system is passed through stressful states to expose vulnerabilities that arise when software is exposed to its maximum design load and beyond.

D. Software Penetration Testing

Penetration techniques have long been used in network security, but this testing technique has also made its place in penetrating software systems for faults and bugs. Software penetration testing is a type of black box testing which focuses on vulnerabilities having external access. The idea of penetration testing is more like ethical hacking, that is an “attempt to compromise the security of the systems under test”. Penetration testing helps to expose complex vulnerabilities, e.g. vulnerabilities that arise as a result of inter- and intra-component communication or communication of the software with its resources and environment. In software security one of the vital activities is to increase the test coverage, and penetration tests can be more extensive in their coverage. Penetration testing currently faces two major challenges: a push towards automation and minimizing the cost in terms of the labor time associated with test cases. Although in penetration testing the system is seen as an outside attacker might see it, and is therefore considered a black box mechanism, it can also be used in a white box fashion.

E. Vulnerability Scanning

In this type of testing the software is scanned for well known vulnerabilities based on a repository of “signatures”, to observe the software’s behavior associated with attack patterns. Host based scanners analyze the internals of the system, such as insecure configuration, while network based scanners are good at analyzing attacks carried out remotely from outside. Vulnerability scanners exercise vulnerabilities on the target system; they have the ability to probe every network service and apply all available “signatures”. Scanners observe the application for vulnerabilities like buffer overrun, cookie manipulation, SQL injection, cross site scripting, etc. A vulnerability scanner works in a black box manner and can be used only against a small set of attack patterns.

IV. BACKGROUND STUDY

Testing is an essential process to evaluate the quality of software; the software community has discussed the topic from different perspectives, including the cost of testing, testing methodologies, and the limitations of the testing process. But less research work has been carried out in the field of security testing to ensure software assurance and reliability. Reijo Savola and Kaarina Karppinen [15] have used security testing for telecommunication systems and argued that security requirements are within the focus of the information security testing process. Besides this, security testing has been used in the literature in various domains [12], [17], [16]. The following section of related study summarizes points related to our work; this data has been used for the evaluation of the techniques we identified earlier.

A. Data Collected for Analysis

The literature review and research explain various testing techniques in terms of effectiveness, coverage, efficiency, security testing capabilities, pros and cons, cost, etc. The following points summarize the major observations about testing techniques gained from the literature, experience and research.

• White box techniques (source code analysis, fault code injection) have been proved better in terms of detecting vulnerabilities (SQL injection, buffer overflow) [22]. However black box techniques such as penetration testing and vulnerability scanning are better in terms of cost (time and resource consumption).
• Fault injection (white box) techniques can be used to increase the coverage of hard to reach parts of the program [4], [20].
• The black box techniques (penetration tests) have been proved better at identifying interface errors, faulty functions and data structure errors, with less cost and specialized skills [8], [19].
• Penetration testing has no direct access to source code and is therefore limited in terms of coverage analysis [21].
• The experimental study in [2] indicated that the coverage analysis for source code analysis is higher than for penetration techniques; however penetration techniques have fewer false positives.
• Insecure coding, or coding errors, are the main source of software exploitation, but source code analysis and fault injection mechanisms can be used to quickly identify coding errors. Also penetration testing can be modified in a white box manner to reduce time consumption.
• Dynamic and static analysis and fault injection techniques require more time and specialized skills.
• Stress testing and penetration techniques concentrate on checking and validation, SQL insertion attacks, injection flaws, cross-site scripting attacks and buffer overflow vulnerabilities [20].

V. METHODOLOGY AND IMPLEMENTATION

Multi-criteria evaluation is a fundamental step of the rational decision-making process in order to gain reliable information on the strengths, weaknesses and overall utility of each option. The purpose of our study is to identify and

analyze the strengths and weaknesses of security testing techniques in a particular direction. The process has several steps, including selecting a goal, listing criteria/subcriteria, determining the alternatives, assignment of priorities, calculation of weights, and results and discussion. These steps are explained in the following sections.

A. Selecting Goal and Objectives

The goal of this work is to analyze the role of security testing techniques based on criteria/subcriteria, to help testers apply these techniques efficiently according to their requirements.

B. Criteria/Subcriteria to Evaluate Testing

Software testers and professionals have different options available to test software at different levels of abstraction; depending on the security requirements of the system, testers normally prioritize the security tasks. We have selected five key criteria (standards) against which to evaluate software testing mechanisms; the following section briefly introduces those criteria and why they are important.

1. Cost

To use a particular technique it is vital to understand its cost in terms of skills required, labor time to develop and execute test cases, tool and utility support, and integration. We have two subcriteria: 1. Skills required, 2. Testing time; the subcriteria contribute to the main criterion.

2. Thoroughness

A thorough check that every segment of the software has been tested is required to secure it; it also encompasses that every possible interaction during runtime has been covered. White box techniques offer the opportunity to be more thorough as they can see inside the code. We have divided this criterion into two subcriteria: 1. Coverage, 2. Completeness. Coverage, or code coverage analysis, is an important measurement of the effectiveness of a testing tool. Code coverage determines the degree of covered paths, flows and statements during a test process. Completeness means that the entire code or all modules have been covered through test cases, and is closely related to code coverage.

3. Ease of Use

The particular support or facilities provided by a testing technique and its tools to ease the testing process. We have the subcriterion integration, which means how tightly a testing technique is integrated with the application under test. Platform and tool support is another relevant subcriterion, denoting how well support for a particular technique is available for different platforms and also the degree of interoperability with other testing techniques.

4. Effectiveness

In our scenario security testing effectiveness means how well the security bugs have been identified by a particular testing technique, or the number of faults identified by the technique. According to Weyuker [18], “effectiveness of a test technique is only possible to measure if you can compare two techniques for the same set (i.e. software), but the result is not general”.

5. Efficiency

Denotes the resources consumed by testing [13], such as time, testing resources, and the amount of code required.

C. Assigning Priorities

Priorities are assigned to criteria, subcriteria and alternatives on the basis of Table I. Priorities are the numbers assigned to the criteria and subcriteria associated with an alternative.

Fig. 3 Hierarchical block diagram for criteria and subcriteria

Each alternative has been evaluated against the criteria and subcriteria, and the priorities have been assigned in the form of weights. We have assigned priorities to criteria/subcriteria against each alternative by using the results of previous studies and the results obtained from the outcome of the testing tools of the selected techniques. The basis of assigning priorities has been discussed in the background study of this paper. The local and global weights calculated for the main criteria and subcriteria through the MCDM tool are shown in Table II.

TABLE I
PRIORITIES WITH THEIR IMPORTANCE

Intensity   Importance
1           Equal Importance
2           Weak Importance
3           Moderate Importance
4           Moderate Importance plus
5           Strong Importance
6           Strong Importance plus
7           Very Strong Importance
8           Very Strong Importance plus
9           Extreme Importance

TABLE II
LOCAL AND GLOBAL WEIGHTS FOR CRITERIA AND SUBCRITERIA
(L = local weight, G = global weight)

Criterion        L        G        Subcriterion       L        G
Cost             11.4%    11.4%    Skills Required    25.0%    2.9%
                                   Testing time       75.0%    8.6%
Thoroughness     34.6%    34.6%    Coverage           80.0%    27.7%
                                   Completeness       20.0%    6.9%
Ease of Use      8.2%     8.2%     Integration        75.0%    6.1%
                                   Tool support       25.0%    2.0%
Effectiveness    42.1%    42.1%
Efficiency       3.8%     3.8%

TABLE III
EVALUATION IN CONTEXT OF: EVALUATING AND COMPARING SOFTWARE SECURITY TESTING TECHNIQUES

Pairwise comparison               Ratio
Thoroughness vs. Efficiency       4:1
Effectiveness vs. Thoroughness    2:1
Cost vs. Ease of Use              3:1
Effectiveness vs. Cost            4:1
Effectiveness vs. Ease of Use     5:1
Cost vs. Efficiency               3:1
Ease of Use vs. Efficiency        3:1
Thoroughness vs. Cost             4:1
Effectiveness vs. Efficiency      4:1
Thoroughness vs. Ease of Use      5:1
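As an added worked example (not part of the paper, and not the MCDM tool the authors used), the Python below takes the ten pairwise judgments of Table III, builds the 5x5 reciprocal comparison matrix, obtains the priority vector as the principal eigenvector by power iteration, and applies the consistency check quoted in the Introduction (consistency ratio below 10% for n≥5, 5% for n=3, 9% for n=4; otherwise revise or discard). Saaty's random index table and the power-iteration method are standard AHP material assumed here; the function names are this example's own. It also shows the Table II hierarchy step, where a subcriterion's global weight is its local weight times the parent criterion's weight.

```python
"""Added example: AHP priority vector and consistency check for the Table III judgments."""
from typing import Dict, List, Tuple

# Criteria and pairwise judgments transcribed from Table III of the paper.
# ("Thoroughness", "Efficiency", 4) encodes "Thoroughness vs. Efficiency 4:1".
CRITERIA = ["Cost", "Thoroughness", "Ease of Use", "Effectiveness", "Efficiency"]
TABLE_III = [
    ("Thoroughness", "Efficiency", 4), ("Effectiveness", "Thoroughness", 2),
    ("Cost", "Ease of Use", 3), ("Effectiveness", "Cost", 4),
    ("Effectiveness", "Ease of Use", 5), ("Cost", "Efficiency", 3),
    ("Ease of Use", "Efficiency", 3), ("Thoroughness", "Cost", 4),
    ("Effectiveness", "Efficiency", 4), ("Thoroughness", "Ease of Use", 5),
]

# Saaty's random consistency index RI by matrix order (standard AHP table, assumed here).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def build_matrix(criteria: List[str], judgments) -> List[List[float]]:
    """Reciprocal pairwise matrix: a[i][j] = how many times i is preferred to j."""
    n = len(criteria)
    idx = {c: i for i, c in enumerate(criteria)}
    a = [[1.0] * n for _ in range(n)]
    filled = set()
    for preferred, other, ratio in judgments:
        i, j = idx[preferred], idx[other]
        if (i, j) in filled or (j, i) in filled:
            raise ValueError(f"duplicate judgment for {preferred} / {other}")
        filled.add((i, j))
        a[i][j] = float(ratio)
        a[j][i] = 1.0 / ratio
    if len(filled) != n * (n - 1) // 2:
        raise ValueError("judgments do not cover every pair of criteria")
    return a


def principal_eigenvector(a: List[List[float]], iterations: int = 100) -> Tuple[List[float], float]:
    """Power iteration on a positive matrix: returns (weights summing to 1, lambda_max)."""
    n = len(a)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(iterations):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)            # sum(w) == 1, so this estimates lambda_max
        w = [x / lam for x in aw]
    return w, lam


def accepted_threshold(n: int) -> float:
    """Acceptance limits quoted in the paper: 5% for n=3, 9% for n=4, 10% for n>=5."""
    return {3: 0.05, 4: 0.09}.get(n, 0.10)


def evaluate(criteria: List[str], judgments) -> Dict[str, object]:
    """Weights, lambda_max, consistency ratio and the accept/revise verdict."""
    a = build_matrix(criteria, judgments)
    n = len(a)
    w, lam = principal_eigenvector(a)
    ci = (lam - n) / (n - 1) if n > 1 else 0.0          # consistency index
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0  # consistency ratio
    return {"weights": dict(zip(criteria, w)), "lambda_max": lam,
            "consistency_ratio": cr, "accepted": cr <= accepted_threshold(n)}


def global_weights(parent_weight: float, local: Dict[str, float]) -> Dict[str, float]:
    """Table II hierarchy step: global weight = parent criterion weight x local weight."""
    return {name: parent_weight * share for name, share in local.items()}


if __name__ == "__main__":
    result = evaluate(CRITERIA, TABLE_III)
    for name, weight in sorted(result["weights"].items(), key=lambda kv: -kv[1]):
        print(f"{name:14s} {weight:6.1%}")
    verdict = "accepted" if result["accepted"] else "revise or discard the matrix"
    print(f"lambda_max={result['lambda_max']:.3f}  CR={result['consistency_ratio']:.3f}  {verdict}")
    # Cost criterion (11.4% in Table II) split into its subcriteria with local 25% / 75%
    print(global_weights(0.114, {"Skills Required": 0.25, "Testing time": 0.75}))
```

Run on the Table III judgments this reproduces the ranking of Table II (Effectiveness, then Thoroughness, Cost, Ease of Use, Efficiency) with a consistency ratio just under the 10% limit, so the judgment set passes the check; the percentages come out close to, but not identical with, Table II, which is expected when a different tool or eigenvector approximation is used. Feeding a cyclic set of judgments (a over b, b over c, c over a) produces a ratio well above 1 and the "revise or discard" verdict.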

VI. RESULTS AND DISCUSSION

This section presents the results obtained using the MCDM system. Fig. 4 shows the alternative ranking against the criteria, and by observing the chart given in the figure some useful information can be obtained. For security vulnerability effectiveness and thoroughness, source code analysis has topped the list, but the relative cost of source code analysis is also relatively high. Vulnerability scanning is the type of testing which has been proved less effective, but it also consumes fewer resources. In terms of effectiveness and coverage analysis, penetration testing and fault code injection methods are at number two and three respectively, but the cost of the fault injection method is relatively high.

Fig. 4 Alternative ranking against criteria

Fig. 5 shows the alternative comparison in a diagonal graph; the figure highlights the fact that source code analysis is more inclined towards effectiveness, and that the cost of fault code injection is relatively higher.

Fig. 5 Alternative comparison

Fig. 6 illustrates the pairwise comparison of our main criteria in percentage. Using pairwise comparison, the relative importance or preference of one criterion over another has been expressed. Because it is important in testing to measure the number of defects per test case, effectiveness is comparatively more important than the other criteria.

Fig. 6 Criteria weight preferences and percentage

Fig. 7 depicts the graph for effectiveness: static and dynamic source code analysis is thirty degrees higher than

vulnerability scanning. Penetration testing and fault code injection methods also score well for effectiveness.

Fig. 7 Alternative ranking for Effectiveness

VII. CONCLUSION

Software testing plays a crucial role in ensuring software quality assurance, but in this paper we have analyzed five testing techniques to check their application to software security. Each testing technique identifies various types of vulnerabilities in software according to its own way and logic. The study carried out in this paper uses the MCDM method and tool to evaluate each alternative, and the study results show the strengths and weaknesses of each technique. According to this study the most effective technique to identify and cover more code for vulnerabilities and bugs is source code analysis (both static and dynamic). Penetration testing and fault code injection are also effective, but fault code injection is more time consuming and needs special skills. Vulnerability scanning is the weakest one in terms of effectiveness but requires less skill, time and resources. The results of this study can be used by testers before developing test cases to optimize testing and reduce the security risk with optimum resources and time at different phases of the SDLC. In future we intend to extend this study by comparing testing techniques against specific types of threats such as SQL injection and buffer overflow in real world scenarios.

ACKNOWLEDGMENT

This work was supported by the Research Centre of the College of Computer and Information Sciences, King Saud University. The authors are grateful for this support.

REFERENCES

[1] (CERT/CC), C. C. "Cataloged vulnerabilities." from http://www.cert.org/stats/
[2] Antunes, N. and M. Vieira (2009). Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services. Dependable Computing, 2009. PRDC '09. 15th IEEE Pacific Rim International Symposium on.
[3] Aznar Bellver Jerónimo, C. R., Roberto, Romero Civera, Agustín (2011). "New Spanish Banking Conglomerates. Application of the Analytic Hierarchy Process (AHP) to their Market Value." International Research Journal of Finance and Economics (78).
[4] Bieman, J. M., D. Dreilinger, et al. (1996). Using fault injection to increase software test coverage. Seventh International Symposium on Software Reliability Engineering, 1996. Proceedings.
[5] Database, N. V. (2012). "National Vulnerability Database Version 2.2." Retrieved 10/08/2012, 2012, from http://nvd.nist.gov/.
[6] IEEE (1986). ANSI/IEEE Standard 1008-1987, IEEE Standard for Software Unit Testing.
[7] IEEE (1990). IEEE Standards Collection: Glossary of Software Engineering Terminology, IEEE Standard 610.12-1990.
[8] Khan, M. A. and M. Sadiq (2011). Analysis of black box software testing techniques: A case study. Current Trends in Information Technology (CTIT), 2011 International Conference and Workshop on.
[9] Lavenhar, C. M. a. S. R. "Code Analysis Tools - Overview." Retrieved 02/06/2012, from https://buildsecurityin.us-cert.gov/bsi/articles/tools/code/263-BSI.html.
[10] Lavenhar, S. (2006). "Code Analysis." Retrieved 01/06/2012, from https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/code/214-BSI.html.
[11] Mitre. (2012). "Common vulnerability management database." Retrieved 10/08/2012.
[12] Romero-Mariona, J., H. Ziv, et al. (2010). Increasing Trustworthiness through Security Testing Support. Social Computing (SocialCom), 2010 IEEE Second International Conference on.
[13] Rothermel, G. and M. J. Harrold (1996). "Analyzing regression test selection techniques." Software Engineering, IEEE Transactions on 22(8): 529-551.
[14] Saaty, T. (1980). The Analytic Hierarchy Process. New York, McGraw Hill.
[15] Savola, R. and K. Karppinen (2007). Practical Security Testing of Telecommunications Software--A Case Study. Telecommunications, 2007. AICT 2007. The Third Advanced International Conference on.
[16] Shahriar, H. and M. Zulkernine (2009). Automatic Testing of Program Security Vulnerabilities. Computer Software and Applications Conference, 2009. COMPSAC '09. 33rd Annual IEEE International.
[17] Thomas, L., X. Weifeng, et al. (2011). Mutation Analysis of Magento for Evaluating Threat Model-Based Security Testing. Computer Software and Applications Conference Workshops (COMPSACW), 2011 IEEE 35th Annual.
[18] Weyuker, E. J. (1993). Can we measure software testing effectiveness? Software Metrics Symposium, 1993. Proceedings., First International.
[19] Will Radosevich, C. C. M. (2009). "Black Box Security Testing Tools." Retrieved 31/05/2012, 2012, from https://buildsecurityin.us-cert.gov/bsi/articles/tools/black-box/261-BSI.html.
[20] Wyk, G. J. a. K. v. (2009). "White Box Testing." Retrieved 31/05/2012, 2012, from https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/white-box/259-BSI.html.
[21] Wyk, K. R. v. (2007). "Adapting Penetration Testing for Software Development Purposes." Retrieved 03/06/2012, 2012, from https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/penetration/655-BSI.html.
[22] Wysopal, C. (2009). White Box Better Than Black Box. Retrieved 31/05/2012, 2012, from http://www.veracode.com/blog/2009/10/white-box-better-than-black-box/.
