{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T16:22:19Z","timestamp":1774974139642,"version":"3.50.1"},"reference-count":49,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T00:00:00Z","timestamp":1771977600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T00:00:00Z","timestamp":1774915200000},"content-version":"vor","delay-in-days":34,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100015689","name":"Institut Teknologi Bandung","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100015689","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J. Inf. Secur."],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>Broken access control (BAC) remains the most critical security risk (i.e., OWASP Top 10). Although BAC is commonly tested with dynamic white-box techniques, their effectiveness hinges on the strength of the underlying test cases; weak test cases leave exploitable risks in the software. Mutation testing is widely used and has been empirically shown to be highly sensitive and reliable for evaluating test case quality. Though it is also used in software security, it remains limited for testing BAC. This study aims to improve security test case\u00a0quality for two BAC vulnerabilities: Improper Pathname Limitation (IPL) and Cross-Site Request Forgery (CSRF). We introduce 15 novel mutation operators, systematically formulated through data flow analysis to understand the nature of those vulnerabilities. 
The proposed operator groups, including file access check and CSRF-token related mutation operators, simulate realistic and possible semantic fallacies that lead to security vulnerabilities. The approach was evaluated using\u00a0the Quality of\u00a0mutant set Coverage\u00a0(QCo) and by measuring\u00a0the test case\u00a0improvement using the Mutation Score Indicator (MSI) on\u00a029 security test cases. Experimental results show that all operators, implemented as an infectious PHP extension, achieved QCo above 85%, while test case quality improved in CSRF from 5 to 12 test cases and in IPL from 8 to 17 test cases on a PHP-based dummy project, whereas on DVWA from 6 to 8 test cases for CSRF and from 4 to 7 test cases for IPL. These findings indicate that the proposed mutation operators substantially enable developers to strengthen security test cases to reveal BAC vulnerabilities.<\/jats:p>","DOI":"10.1186\/s13635-026-00226-w","type":"journal-article","created":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T06:44:25Z","timestamp":1772001865000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Mutation based improvement of security test case quality for broken access control"],"prefix":"10.1186","volume":"2026","author":[{"family":"Abdurrasyid","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yudistira","family":"Asnar","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gusti","family":"Ayu Putri Saptawati","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,2,25]]},"reference":[{"key":"226_CR1","unstructured":"Akamai, A year in review \u2014 a look at 2023\u2019s cyber trends and what\u2019s to come (2023)"},{"key":"226_CR2","unstructured":"H.\u00a0Krasner, The cost of poor software quality 
in us: A 2022 report from problem to solutions (2022)"},{"key":"226_CR3","doi-asserted-by":"publisher","unstructured":"P.\u00a0Liu, Z.\u00a0Xu, J.\u00a0Ai, in Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security Companion, QRS-C 2018, An approach to automatic test case generation for unit testing (2018), pp. 545\u2013552. https:\/\/doi.org\/10.1109\/QRS-C.2018.00097","DOI":"10.1109\/QRS-C.2018.00097"},{"key":"226_CR4","doi-asserted-by":"publisher","DOI":"10.1201\/9781003322351","volume-title":"Software Durability: Concepts and Practices","author":"R Kumar","year":"2023","unstructured":"R. Kumar, S. Ahmad Khan, R. Ahmad Khan, Software Durability: Concepts and Practices, 1st edn. (CRC Press, Boca Raton, 2023). https:\/\/doi.org\/10.1201\/9781003322351","edition":"1st edn"},{"key":"226_CR5","doi-asserted-by":"publisher","first-page":"72694","DOI":"10.1109\/ACCESS.2020.2987941","volume":"8","author":"R Kumar","year":"2020","unstructured":"R. Kumar, A. Baz, H. Alhakami, W. Alhakami, M. Baz, A. Agrawal, R.A. Khan, A hybrid model of hesitant fuzzy decision-making analysis for estimating usable-security of software. IEEE Access 8, 72694\u201372712 (2020). https:\/\/doi.org\/10.1109\/ACCESS.2020.2987941","journal-title":"IEEE Access"},{"key":"226_CR6","doi-asserted-by":"publisher","first-page":"48870","DOI":"10.1109\/ACCESS.2020.2978038","volume":"8","author":"R Kumar","year":"2020","unstructured":"R. Kumar, A.I. Khan, Y.B. Abushark, M.M. Alam, A. Agrawal, R.A. Khan, A knowledge-based integrated system of hesitant fuzzy set, ahp and topsis for evaluating security-durability of web applications. IEEE Access 8, 48870\u201348885 (2020). https:\/\/doi.org\/10.1109\/ACCESS.2020.2978038","journal-title":"IEEE Access"},{"key":"226_CR7","doi-asserted-by":"publisher","first-page":"1","DOI":"10.33166\/AETiC.2020.03.001","volume":"4","author":"J Li","year":"2020","unstructured":"J. 
Li, Vulnerabilities mapping based on OWASP-SANS: a survey for static application security testing (SAST). Ann. Emerg. Technol. Comput. 4, 1\u20138 (2020). https:\/\/doi.org\/10.33166\/AETiC.2020.03.001","journal-title":"Ann. Emerg. Technol. Comput."},{"key":"226_CR8","unstructured":"P.\u00a0Burnap, R.\u00a0Carolina, A.\u00a0Rashid, C.\u00a0Troncoso, W.\u00a0Lee, The cyber security body of knowledge (UK, 2019). https:\/\/www.nationalarchives.gov.uk\/"},{"key":"226_CR9","doi-asserted-by":"publisher","first-page":"89","DOI":"10.32604\/CMES.2021.010700","volume":"126","author":"RA Correa","year":"2021","unstructured":"R.A. Correa, J.R.B. Higuera, J.B. Higuera, J.A.S. Montalvo, M.S. Rubio, A. Magre\u00f1\u00e1n, Hybrid security assessment methodology for web applications. CMES - Comput. Model. Eng. Sci. 126, 89\u2013124 (2021). https:\/\/doi.org\/10.32604\/CMES.2021.010700","journal-title":"CMES - Comput. Model. Eng. Sci."},{"key":"226_CR10","doi-asserted-by":"publisher","unstructured":"W.\u00a0Al-Kahla, A.\u00a0Shatnawi, E.\u00a0Taqieddin, in 2021 12th International Conference on Information and Communication Systems, ICICS 2021, A taxonomy of web security vulnerabilities (2021), pp. 424\u2013429. https:\/\/doi.org\/10.1109\/ICICS52457.2021.9464576","DOI":"10.1109\/ICICS52457.2021.9464576"},{"key":"226_CR11","doi-asserted-by":"publisher","first-page":"112","DOI":"10.1016\/j.infsof.2016.04.007","volume":"81","author":"B Lindstr\u00f6m","year":"2017","unstructured":"B. Lindstr\u00f6m, J. Offutt, D. Sundmark, S. Andler, P. Pettersson, Using mutation to design tests for aspect-oriented models. Inf. Softw. Technol. 81, 112\u2013130 (2017). https:\/\/doi.org\/10.1016\/j.infsof.2016.04.007","journal-title":"Inf. Softw. Technol."},{"key":"226_CR12","doi-asserted-by":"publisher","unstructured":"M. 
Beller, in 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP) What, What it would take to use mutation testing in industry \u2014 a study at facebook (2021), pp. 268\u2013277. https:\/\/doi.org\/10.1109\/ICSE-SEIP52600.2021.00036","DOI":"10.1109\/ICSE-SEIP52600.2021.00036"},{"key":"226_CR13","unstructured":"P.\u00a0G\u00f6rz, B.\u00a0Mathis, K.\u00a0Hassler, in 32nd USENIX Security Symposium, Systematic assessment of fuzzers using mutation analysis (USENIX Association, 2023)"},{"key":"226_CR14","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1016\/j.infsof.2016.01.017","volume":"81","author":"R Silva","year":"2016","unstructured":"R. Silva, R. Senger, P. S\u00e9rgio, L. Souza, A systematic review on search based mutation testing. Inf. Softw. Technol. 81, 19\u201335 (2016). https:\/\/doi.org\/10.1016\/j.infsof.2016.01.017","journal-title":"Inf. Softw. Technol."},{"issue":"10","key":"226_CR15","doi-asserted-by":"publisher","first-page":"3900","DOI":"10.1109\/TSE.2021.3107634","volume":"48","author":"G Petrovic","year":"2022","unstructured":"G. Petrovic, M. Ivankovic, G. Fraser, R. Just, Practical mutation testing at scale: a view from Google. IEEE Trans. Softw. Eng. 48(10), 3900\u20133912 (2022). https:\/\/doi.org\/10.1109\/TSE.2021.3107634","journal-title":"IEEE Trans. Softw. Eng."},{"issue":"1","key":"226_CR16","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1080\/19393555.2020.1853855","volume":"31","author":"Y Sadqi","year":"2022","unstructured":"Y. Sadqi, Y. Maleh, A systematic review and taxonomy of web applications threats. Inf. Secur. J. Glob. Perspect. 31(1), 1\u201327 (2022). https:\/\/doi.org\/10.1080\/19393555.2020.1853855","journal-title":"Inf. Secur. J. Glob. Perspect."},{"key":"226_CR17","unstructured":"E. Saad, R. Mitchell, Web Security Testing Guide v4.2 (OWASP Foundation (Washington, 2020)"},{"key":"226_CR18","unstructured":"C.V.E., Vulnerabilities by types\/categories. 
https:\/\/www.cvedetails.com\/vulnerabilities-by-types.php"},{"key":"226_CR19","unstructured":"M.\u00a0Flanders, A simple and intuitive algorithm for preventing directory traversal attacks (2019). arXiv:1908.04502"},{"key":"226_CR20","doi-asserted-by":"publisher","unstructured":"R.\u00a0Yenduri, M.\u00a0Al-Khassaweneh, in MIUCC 2022 - 2nd International Mobile, Intelligent, and Ubiquitous Computing Conference, Php: Vulnerabilities and solutions (2022), pp. 391\u2013396. https:\/\/doi.org\/10.1109\/MIUCC55081.2022.9781790","DOI":"10.1109\/MIUCC55081.2022.9781790"},{"key":"226_CR21","doi-asserted-by":"publisher","unstructured":"C.\u00a0Staicu, M.\u00a0Torp, M.\u00a0Schafer, A.\u00a0Moller, M.\u00a0Pradel, in Proceedings - International Conference on Software Engineering, Extracting taint specifications for javascript libraries (IEEE Computer Society, 2020), pp. 198\u2013209. https:\/\/doi.org\/10.1145\/3377811.3380390","DOI":"10.1145\/3377811.3380390"},{"key":"226_CR22","doi-asserted-by":"publisher","unstructured":"I.\u00a0Pratama, A.\u00a0Rhusuli, in 9th International Conference on ICT for Smart Society: Recover Together, Recover Stronger and Smarter Smartization, Governance and Collaboration, ICISS 2022 - Proceeding, Penetration testing on web application using insecure direct object references (idor) method (2022), pp. 1\u20137. https:\/\/doi.org\/10.1109\/ICISS55894.2022.9915074","DOI":"10.1109\/ICISS55894.2022.9915074"},{"issue":"2","key":"226_CR23","doi-asserted-by":"publisher","first-page":"117","DOI":"10.22042\/isecure.2021.254089.580","volume":"13","author":"M Hadavi","year":"2021","unstructured":"M. Hadavi, A. Bagherdaei, S. Ghasemi, Idot: black-box detection of access control violations in web applications. ISeCure 13(2), 117\u2013129 (2021). 
https:\/\/doi.org\/10.22042\/isecure.2021.254089.580","journal-title":"ISeCure"},{"key":"226_CR24","doi-asserted-by":"publisher","unstructured":"S.\u00a0Yulianto, R.\u00a0Abdullah, B.\u00a0Soewito, in Proceedings - 2023 IEEE International Conference on Cryptography, Informatics, and Cybersecurity: Cryptography and Cybersecurity: Roles, Prospects, and Challenges, Comprehensive analysis and remediation of insecure direct object references (idor) vulnerabilities in android apis (2023), pp. 23\u201328. https:\/\/doi.org\/10.1109\/ICoCICs58778.2023.10276919","DOI":"10.1109\/ICoCICs58778.2023.10276919"},{"issue":"12","key":"226_CR25","doi-asserted-by":"publisher","first-page":"228","DOI":"10.14569\/IJACSA.2021.0121230","volume":"12","author":"K Al-talak","year":"2021","unstructured":"K. Al-talak, D. Abbass, Detecting server-side request forgery (ssrf) attack by using deep learning techniques. Int. J. Adv. Comput. Sci. Appl. 12(12), 228\u2013234 (2021). https:\/\/doi.org\/10.14569\/IJACSA.2021.0121230","journal-title":"Int. J. Adv. Comput. Sci. Appl."},{"key":"226_CR26","doi-asserted-by":"publisher","unstructured":"W.\u00a0Rankothge, S.\u00a0Randeniya, in IEEE Region 10 Humanitarian Technology Conference, R10-HTC, Identification and mitigation tool for cross-site request forgery (csrf), vol. 2020-Decem (2020), pp. 1\u20135. https:\/\/doi.org\/10.1109\/R10-HTC49770.2020.9357029","DOI":"10.1109\/R10-HTC49770.2020.9357029"},{"key":"226_CR27","doi-asserted-by":"publisher","unstructured":"Y.\u00a0Gbur, F.\u00a0Tschorsch, in Network and Distributed System Security (NDSS) Symposium, Quicforge: Client-side request forgery in quic (2023). 
https:\/\/doi.org\/10.14722\/ndss.2023.23072","DOI":"10.14722\/ndss.2023.23072"},{"key":"226_CR28","doi-asserted-by":"publisher","unstructured":"O.\u00a0Salami, A.\u00a0Bashir, E.\u00a0Adedokun, Y.\u00a0Basira, in 2021 International Conference on Information and Communication Technology for Development for Africa, Past event recall test for mitigating session hijacking and cross-site request forgery (2021), pp. 190\u2013195. https:\/\/doi.org\/10.1109\/ICT4DA53266.2021.9672244","DOI":"10.1109\/ICT4DA53266.2021.9672244"},{"key":"226_CR29","doi-asserted-by":"publisher","unstructured":"W. Mei, Z. Long, in Proceedings of 2020 IEEE International Conference on Artificial Intelligence and Computer Applications, ICAICA, Research and defense of cross-site websocket hijacking vulnerability (2020), pp. 591\u2013594. https:\/\/doi.org\/10.1109\/ICAICA50127.2020.9182458","DOI":"10.1109\/ICAICA50127.2020.9182458"},{"issue":"2","key":"226_CR30","doi-asserted-by":"publisher","first-page":"565","DOI":"10.11591\/eei.v9i2.2064","volume":"9","author":"J Adamu","year":"2020","unstructured":"J. Adamu, R. Hamzah, M. Rosli, Security issues and framework of electronic medical record: a review. Bull. Electr. Eng. Inform. 9(2), 565\u2013572 (2020). https:\/\/doi.org\/10.11591\/eei.v9i2.2064","journal-title":"Bull. Electr. Eng. Inform."},{"issue":"2","key":"226_CR31","doi-asserted-by":"publisher","DOI":"10.1016\/j.hcc.2021.100035","volume":"1","author":"K Peguero","year":"2021","unstructured":"K. Peguero, X. Cheng, Csrf protection in javascript frameworks and the security of javascript applications. High-Confidence Computing 1(2), 100035 (2021). 
https:\/\/doi.org\/10.1016\/j.hcc.2021.100035","journal-title":"High-Confidence Computing"},{"key":"226_CR32","doi-asserted-by":"publisher","unstructured":"V.\u00a0Vikram, in ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, Association for Computing Machinery, Inc, Guiding greybox fuzzing with mutation testing (2023-07), pp. 929\u2013941. https:\/\/doi.org\/10.1145\/3597926.3598107","DOI":"10.1145\/3597926.3598107"},{"key":"226_CR33","doi-asserted-by":"publisher","unstructured":"R.\u00a0Qian, Q.\u00a0Zhang, C.\u00a0Fang, L.\u00a0Guo, in ACM International Conference Proceeding Series, Association for Computing Machinery, Investigating coverage guided fuzzing with mutation testing (2022), pp. 272\u2013281. https:\/\/doi.org\/10.1145\/3545258.3545285","DOI":"10.1145\/3545258.3545285"},{"key":"226_CR34","doi-asserted-by":"crossref","unstructured":"E. Vasconcelos, M. Delamaro, S. Souza, in Brazilian Symposium on Systematic and Automated Software Testing (SAST\u201924), Mutation testing to support the security testing of android applications (Curitiba, 2024)","DOI":"10.5753\/sast.2024.3773"},{"key":"226_CR35","doi-asserted-by":"crossref","unstructured":"S.\u00a0Salva, J.\u00a0Sue, Security testing of restful apis with test case mutation (2024). arXiv:2403.03701","DOI":"10.5220\/0012698600003687"},{"key":"226_CR36","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.103811","author":"H Wanyan","year":"2024","unstructured":"H. Wanyan, Y. Lai, J. Liu, H. Chen, Ncmfuzzer: using non-critical field mutation and test case combination to improve the efficiency of ics protocol fuzzing. Comput. Secur. (2024). https:\/\/doi.org\/10.1016\/j.cose.2024.103811","journal-title":"Comput. 
Secur."},{"key":"226_CR37","doi-asserted-by":"publisher","unstructured":"F.\u00a0Siavashi, D.\u00a0Truscan, J.\u00a0Vain, in Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018, Vulnerability assessment of web services with model-based mutation testing (2018), pp. 301\u2013312. https:\/\/doi.org\/10.1109\/QRS.2018.00043","DOI":"10.1109\/QRS.2018.00043"},{"key":"226_CR38","doi-asserted-by":"publisher","unstructured":"E.\u00a0Chen, V.\u00a0Dubrovenski, D.\u00a0Xu, in Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, Association for Computing Machinery, Mutation analysis of ngac policies (2021), pp. 71\u201382. https:\/\/doi.org\/10.1145\/3450569.3463563","DOI":"10.1145\/3450569.3463563"},{"issue":"4","key":"226_CR39","doi-asserted-by":"publisher","first-page":"2053","DOI":"10.1109\/TSE.2022.3209590","volume":"49","author":"M Wen","year":"2023","unstructured":"M. Wen, Z. Xie, K. Luo, X. Chen, Y. Yang, H. Jin, Effective isolation of fault-correlated variables via statistical and mutation analysis. IEEE Trans. Softw. Eng. 49(4), 2053\u20132068 (2023). https:\/\/doi.org\/10.1109\/TSE.2022.3209590","journal-title":"IEEE Trans. Softw. Eng."},{"key":"226_CR40","doi-asserted-by":"publisher","unstructured":"S.\u00a0Bejo, B.\u00a0Assefa, S.\u00a0Mohapatra, in 2021 International Conference on Information and Communication Technology for Development for Africa, ICT4DA 2021, Backip: Mutation based test data generation using hybrid approach (Institute of Electrical and Electronics Engineers Inc, 2021), pp. 178\u2013183. https:\/\/doi.org\/10.1109\/ICT4DA53266.2021.9672216","DOI":"10.1109\/ICT4DA53266.2021.9672216"},{"issue":"2","key":"226_CR41","doi-asserted-by":"publisher","first-page":"823","DOI":"10.1007\/s11219-018-9425-7","volume":"27","author":"P Delgado-P\u00e9rez","year":"2019","unstructured":"P. Delgado-P\u00e9rez, L. Rose, I. 
Medina-Bulo, Coverage-based quality metric of mutation operators for test suite improvement. Softw. Qual. J. 27(2), 823\u2013859 (2019). https:\/\/doi.org\/10.1007\/s11219-018-9425-7","journal-title":"Softw. Qual. J."},{"key":"226_CR42","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2018.08.227","author":"A Kurniawan","year":"2018","unstructured":"A. Kurniawan, B. Abbas, A. Trisetyarso, S. Isa, Static taint analysis traversal with object oriented component for web file injection vulnerability pattern detection. Procedia Comput. Sci. (2018). https:\/\/doi.org\/10.1016\/j.procs.2018.08.227","journal-title":"Procedia Comput. Sci."},{"key":"226_CR43","unstructured":"W.\u00a0Gibbs, A.S. Raj, J.M. Vadayath, H.J. Tay, J.\u00a0Miller, A.\u00a0Ajayan, Z.L. Basque, A.\u00a0Dutcher, F.\u00a0Dong, X.\u00a0Maso, G.\u00a0Vigna, C.\u00a0Kruegel, S.\u00a0Barbara, A.\u00a0Doup\u00e9, Y.\u00a0Shoshitaishvili, R.\u00a0Wang, in 33rd USENIX Security Symposium, Operation mango: Scalable discovery of taint-style vulnerabilities in binary firmware services (USENIX, 2024). https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/gibbs"},{"key":"226_CR44","doi-asserted-by":"publisher","unstructured":"M.\u00a0Copik, A.\u00a0Calotoiu, T.\u00a0Grosser, N.\u00a0Wicki, F.\u00a0Wolf, T.\u00a0Hoefler, in Proceedings of the ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming, Extracting clean performance models from tainted programs (PPOPP, Association for Computing Machinery, 2021), pp. 403\u2013417. https:\/\/doi.org\/10.1145\/3437801.3441613","DOI":"10.1145\/3437801.3441613"},{"key":"226_CR45","doi-asserted-by":"publisher","unstructured":"A.\u00a0Maskur, Y.W. Asnar, in Proceedings of 2019 International Conference on Data and Software Engineering, ICoDSE 2019, Static code analysis tools with the taint analysis method for detecting web application vulnerability (2019). 
https:\/\/doi.org\/10.1109\/ICoDSE48700.2019.9092614","DOI":"10.1109\/ICoDSE48700.2019.9092614"},{"key":"226_CR46","unstructured":"A.\u00a0Izzillo, R.\u00a0Lazzeretti, E.\u00a0Coppa, Staff: Stateful taint-assisted full-system firmware fuzzing (2025). arXiv:2509.18039"},{"key":"226_CR47","doi-asserted-by":"publisher","unstructured":"Z.\u00a0Tian, H.\u00a0Shu, D.\u00a0Wang, X.\u00a0Cao, Y.\u00a0Kamei, J.\u00a0Chen, in ISSTA 2024 - Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, Large language models for equivalent mutant detection: How far are we? (Association for Computing Machinery, Inc, 2024), pp. 1733\u20131745. https:\/\/doi.org\/10.1145\/3650212.3680395","DOI":"10.1145\/3650212.3680395"},{"key":"226_CR48","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1109\/MITP.2024.3525458","volume":"27","author":"Y Sasaki","year":"2025","unstructured":"Y. Sasaki, H. Washizaki, J. Li, N. Yoshioka, N. Ubayashi, Y. Fukazawa, Landscape and taxonomy of prompt engineering patterns in software engineering. IT Prof. 27, 41\u201349 (2025). https:\/\/doi.org\/10.1109\/MITP.2024.3525458","journal-title":"IT Prof."},{"key":"226_CR49","unstructured":"B.\u00a0Paranjape, S.\u00a0Lundberg, S.\u00a0Singh, H.\u00a0Hajishirzi, L.\u00a0Zettlemoyer, M.T. Ribeiro, Art: Automatic multi-step reasoning and tool-use for large language models (2023). 
arXiv:2303.09014"}],"container-title":["Journal on Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s13635-026-00226-w","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s13635-026-00226-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s13635-026-00226-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T14:26:58Z","timestamp":1774967218000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1186\/s13635-026-00226-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,25]]},"references-count":49,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["226"],"URL":"https:\/\/doi.org\/10.1186\/s13635-026-00226-w","relation":{},"ISSN":["3091-4515"],"issn-type":[{"value":"3091-4515","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,25]]},"assertion":[{"value":"22 September 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"29 January 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"25 February 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"Not applicable.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval and consent to participate"}},{"value":"The authors declare no competing 
interests.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"7"}}