The openness of modern IT systems and their permanent change make it challenging to keep these systems secure. A combination of regression and security testing called security regression testing, which ensures that changes made to a system do not harm its security, is therefore of high significance, and interest in such approaches has steadily increased. In this article we present a systematic classification of available security regression testing approaches, based on a solid study of background and related work, to sketch which parts of the research area seem to be well understood and evaluated and which ones require further research. For this purpose we extract approaches relevant to security regression testing from computer science digital libraries using a rigorous search and selection strategy. We then classify these approaches according to security regression approach criteria (abstraction level, security issue, regression testing techniques, and tool support) as well as evaluation criteria (for instance evaluated system, maturity of the system, and evaluation measures). From the resulting classification we derive observations with regard to the abstraction level, regression testing techniques, tool support, and evaluation, and finally identify several potential directions of future research.