Simon, FrankSimon, Daniel2017-12-062017-12-062012https://dl.gi.de/handle/20.500.12116/8663Frank Simon, Daniel Simon SQS Software Quality Systems AG, Stollwerckstraße 11, 51149 Cologne, Germany Email: frank.simon|daniel.simon@sqs.com Abstract: New trends in IT industry impose increasingly requirements on openness and interoperability via networks to enterprise software systems. As a consequence, more and more legacy applications are made available via interfaces more openly through mobile and insecure networks, thereby inducing security risks the initial designs have never had to account for. In this paper, we show how a highly automatable black-box method called fuzzing for testing security can be integrated into testing processes to increase interfaces of legacy application in terms of security profiles. tem for mobile communication as example has not only to be tested for its own but might motivate deeper testing of directly connected components. For a more systematic view on these implicit testing adjustments testing can be refined into four steps (a more general approach can be found in [2]: 1. Identification of test objects (What artefacts relevant for project success?) 2. Identification of quality attributes (What properties should the artefacts have?) 3. Determination of corresponding test activities to ensure artefacts having particular attributes 4. Clustering of test activities into test stages that can be executed in conjunction This paper focuses the following aspect: Adding new interfaces creates new test objects as well as it produces new or at least adjusted priorities for quality attributes requiring additional test activities on all test stages. Quality attributes for software can be taken from ISO 25000 family of standards. [3] In particular when adding new service interfaces to legacy applications the first time, security should be seen as one of the top priorities. Security is defined in the ISO 25010 standard as the Degree to which a product or system protects information and data so that persons or other products or systems have the degree of data access appropriate to their types and levels of authorization.enTest ProcessSecurity TestLegacy ApplicationBrute Force MethodSoftware Product QualityFuzzing: Testing Security in Maintenance ProjectsText/Journal Article10.1007/BF033234810720-8928