In the context of a software development lifecycle, use cases describe what actors will do and what applications will do in response. Validating that code or an application satisfies the use cases that it was designed for is part of all development processes. This is an example of positive testing, where the desired functionality and behavior are tested to ensure that they work as designed.
Ensuring that applications are secure requires that negative testing, or testing that validates what happens when things do not work as expected, is conducted to identify vulnerabilities and coding errors. Thus, to ensure security, misuse cases are also tested to ensure that using an application in ways that it was not intended to be used does not result in unexpected or unintended consequences. Common examples of misuse testing techniques include the following:
- Required form fields: The application may require certain fields before a form can be submitted. If the fields are left blank, does the application properly stop the submission and request that the empty field be completed?
- Data mismatch: What happens when letters are entered into a ZIP code field? Or symbols are entered into a First Name field?
- Field limits: What happens when four or more digits are entered into a form field for a customer’s age? Does it truncate the data or reject the entry?
- Data bounds: What happens if negative numbers are entered when positive numbers are expected, and vice versa? Does the application properly handle the anomaly, or does it accept the input and yield unexpected results?
- Unauthenticated pages: Does a site that requires login allow access to pages without authentication? Can pages be opened directly if the URL is known?
Most use cases simply ensure that the application provides necessary functionality. In contrast, misuse case testing has to test a broader set of possible issues, since invalid inputs, intentional attacks, and many other unexpected behaviors have to be tested for to fully validate the wide range of misuse cases.
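The misuse techniques listed above can be written as a table of negative tests. The following is an added example, not part of the original text; the signup form, its field rules, the page paths, and the names validate_signup, can_view, and run_misuse_cases are all hypothetical.

```python
import re

# Hypothetical application under test (constructed for this example).
PROTECTED_PAGES = {"/account", "/orders"}

def validate_signup(form):
    """Return a dict of field -> error message; an empty dict means accepted."""
    errors = {}
    for field in ("first_name", "zip_code", "age"):
        if not str(form.get(field, "")).strip():
            errors[field] = "required"
    if "first_name" not in errors and not re.fullmatch(
            r"[A-Za-z][A-Za-z' -]{0,49}", str(form["first_name"])):
        errors["first_name"] = "invalid characters"
    if "zip_code" not in errors and not re.fullmatch(r"\d{5}", str(form["zip_code"])):
        errors["zip_code"] = "must be 5 digits"
    if "age" not in errors:
        age = str(form["age"])
        # Reject rather than truncate: over-long or signed input is an error.
        if not re.fullmatch(r"\d{1,3}", age):
            errors["age"] = "must be 1-3 digits"
        elif not 0 < int(age) <= 130:
            errors["age"] = "out of range"
    return errors

def can_view(path, session):
    """Protected pages need an authenticated session, even if the URL is known."""
    return path not in PROTECTED_PAGES or bool(session and session.get("user"))

# Constructed baseline input that the positive (use case) test accepts.
VALID = {"first_name": "Ana", "zip_code": "30301", "age": "42"}

# Misuse cases: (technique, bad values overriding VALID, field that must be rejected)
MISUSE_CASES = [
    ("required field blank", {"first_name": ""}, "first_name"),
    ("data mismatch: letters in ZIP", {"zip_code": "ABCDE"}, "zip_code"),
    ("data mismatch: symbols in name", {"first_name": "<b>!"}, "first_name"),
    ("field limit: four-digit age", {"age": "1234"}, "age"),
    ("data bounds: negative age", {"age": "-5"}, "age"),
]

def run_misuse_cases():
    """Return the names of misuse cases the application wrongly accepted."""
    failures = [name for name, bad, field in MISUSE_CASES
                if field not in validate_signup({**VALID, **bad})]
    if can_view("/account", session=None):
        failures.append("unauthenticated page access")
    return failures
```

An empty list from run_misuse_cases() means every misuse case was rejected; any name it returns identifies an input the application accepted when it should not have.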
Abuse Case Testing
Testing for intentional misuse cases, also known as abuse cases, is part of a comprehensive misuse testing effort. Thus, when misuse cases are evaluated, they should also be considered from the point of view of an attacker or malicious insider with a focus on how the system, service, application, or process could be abused.
Abuse cases must be considered at each level of an infrastructure or system, including individual components, how they integrate, and how they are managed and maintained. At each stage, assessors must consider how normal functionality could be misused and how techniques such as providing unexpected input or intentional malicious actions might have an impact.
Since complete coverage for misuse case testing can be extremely time- and resource-intensive, a risk assessment should be performed to determine focus areas. Once focus areas have been determined, abuse case testing emulates common activities of malicious actors who abuse applications by performing actions the application doesn’t expect, which can reveal vulnerabilities that may allow system compromise. Exceptional testing for abuse cases may occur during penetration tests, with white-box penetration tests often providing the greatest insight into potential abuse, but conducting thorough abuse case testing can be very expensive.
Since abuse cases are a subset of misuse cases, the differences between them can result in confusion. All abuse cases are misuse cases, but a misuse case becomes an abuse case only when it involves an intentional attempt to misuse the system for malicious purposes.