A. Adams and M. A. Sasse, Users are not the enemy, Commun. ACM, vol.42, pp.40-46, 1999.
DOI : 10.1145/322796.322806

C. Adams, G. Jourdan, J. Levac, and F. Prevost, Lightweight protection against brute force login attacks on web applications, Eighth Annual International Conference on. IEEE, pp.181-188, 2010.
DOI : 10.1109/pst.2010.5593241

I. Arce, K. Clark-fisher, N. Daswani, J. Delgrosso, D. Dhillon et al., Avoiding the top 10 software security design flaws, 2014.

E. William, D. F. Burr, W. T. Dodson, and . Polk, Electronic authentication guideline, 2004.

K. Chellapilla, K. Larson, P. Simard, and M. Czerwinski, Designing human friendly human interaction proofs (HIPs), Proceedings of the SIGCHI conference on Human factors in computing systems, pp.711-720, 2005.
DOI : 10.1145/1054972.1055070

M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna, Swaddler: An approach for the anomaly-based detection of state violations in web applications, International Workshop on Recent Advances in Intrusion Detection, pp.63-86, 2007.

, Common Weakness Enumeration (CWE), A community-developed List of Software Weakness Types

R. Dhamija and L. Dusseault, The seven flaws of identity management: Usability and security challenges, IEEE Security & Privacy, vol.6, 2008.

G. A. , D. Lucca, and M. Di-penta, Considering browser interaction in web application testing, Web Site Evolution, pp.74-81, 2003.

P. S. Dowland, D. Katsabas, and S. M. Furnell,

S. Elbaum, G. Rothermel, S. Karre, M. Fisher, and I. I. , Leveraging user-session data to support web application testing, IEEE Transactions on Software Engineering, vol.31, pp.187-202, 2005.
DOI : 10.1109/tse.2005.36

URL : http://people.cs.vt.edu/~fisherii/papers/elbaum-tse05.pdf

M. , J. Escalona, and N. Koch, Requirements engineering for web applications-a comparative study, J. Web Eng, vol.2, pp.193-212, 2004.

, OWASP Foundation, Business Logic Security Cheat Sheet

, OWASP Foundation

J. Grossman, Seven business logic flaws that put your website at risk. WhiteHat Security, 2007.

. Gsma, Introducing mobile connect -the new standard in digital authenti

S. Gupta, . Brij-bhooshan, and . Gupta, Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art, International Journal of System Assurance Engineering and Management, vol.8, pp.512-530, 2017.

N. Haller, The S/KEY one-time password system, 1995.
DOI : 10.17487/rfc1760

URL : https://www.rfc-editor.org/rfc/pdfrfc/rfc1760.txt.pdf

D. Hardt, The OAuth 2.0 authorization framework, 2012.

M. Vinay, R. Igure, and . Williams, Taxonomies of attacks and vulnerabilities in computer systems, IEEE Communications Surveys & Tutorials, vol.10, p.1, 2008.

, 2012-09-07. Entity Authentication assurance framework

K. Jiwnani and M. Zelkowitz, Susceptibility matrix: A new aid to software auditing, IEEE Security & Privacy, vol.2, issue.2, pp.16-21, 2004.
DOI : 10.1109/msecp.2004.1281240

N. Jovanovic, C. Kruegel, and E. Kirda, Pixy: A static analysis tool for detecting web application vulnerabilities, 2006.
DOI : 10.1109/sp.2006.29

I. Koldaev, Hack any skype account in 6 easy steps

X. Li and Y. Xue, BLOCK: a black-box approach for detection of state violation attacks towards web applications, Proceedings of the 27th Annual Computer Security Applications Conference, pp.247-256, 2011.

O. Mazhelis and S. Puuronen, A framework for behavior-based detection of user substitution in a mobile context. computers & security, vol.26, pp.154-176, 2007.

. Meier, Web application security engineering, IEEE Security & Privacy, vol.4, issue.4, pp.16-24, 2006.
DOI : 10.1109/msp.2006.109

G. Pellegrino and D. Balzarotti, Toward Black-Box Detection of Logic Flaws in Web Applications, NDSS, 2014.

D. Recordon and D. Reed, OpenID 2.0: a platform for usercentric identity management, Proceedings of the second ACM workshop on Digital identity management, pp.11-16, 2006.
DOI : 10.1145/1179529.1179532

A. Sadeghian, M. Zamani, and A. Manaf, A taxonomy of SQL injection detection and prevention techniques, Informatics and Creative Multimedia (ICICM), 2013 International Conference on. IEEE, pp.53-56, 2013.

M. A. Sasse, S. Brostoff, and D. Weirich, Transforming the 'weakest link' a human/computer interaction approach to usable and effective security, BT technology journal, vol.19, pp.122-131, 2001.

G. Sindre and A. L. Opdahl, Eliciting security requirements with misuse cases, Requirements engineering, vol.10, pp.34-44, 2005.
DOI : 10.1007/s00766-004-0194-4

A. Inger, M. Tondel, . Gilje-jaatun, . Per-hakon, and . Meland, Security requirements for the rest of us: A survey, IEEE software, vol.25, p.1, 2008.

A. Vapen and N. Shahmehri, Security Levels for Web Authentication Using Mobile Phones, Privacy and Identity Management for Life -6th IFIP WG 9, 2010.
DOI : 10.1007/978-3-642-20769-3_11

URL : https://hal.archives-ouvertes.fr/hal-01559465

, Web Application Security Consortium (WASC)

K. Yee, User interaction design for secure systems, International Conference on Information and Communications Security, pp.278-290, 2002.
DOI : 10.1007/3-540-36159-6_24

URL : http://nma.berkeley.edu/ark:/28722/bk0005s3t3z