Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities

Higuera, Juan Ramón Bermejo; Higuera, Javier Bermejo; Sicilia, Juan Antonio; Cubo, Javier; Pérez, Juan José Nombela

doi:10.32604/cmc.2020.010885

Cited by 11 publications

(5 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, their bench-marking approach requires manual code review, which does not scale. Other studies, such as [20], focus on SAST tools for detecting vulnerabilities and find that the true positive and false positive rates vary widely across tools and across different types of vulnerabilities. Croft et al [21] compares open-source, rule-based SAST tools with learning-based software vulnerability prediction models for C/C++ software systems.…”

Section: Comparing Static Application Security Testing (Sast) and Dyn...mentioning

confidence: 99%

Comparing Effectiveness and Efficiency of Interactive Application Security Testing (Iast) and Runtime Application Self-Protection (Rasp) Tools in A Large Java-Based System

Seth¹,

Bhattacharya²,

Elder³

et al. 2022

SSRN Journal

View full text Add to dashboard Cite

Section: Comparing Static Application Security Testing (Sast) and Dyn...mentioning

confidence: 99%

Comparing Effectiveness and Efficiency of Interactive Application Security Testing (Iast) and Runtime Application Self-Protection (Rasp) Tools in A Large Java-Based System

Seth¹,

Bhattacharya²,

Elder³

et al. 2022

SSRN Journal

View full text Add to dashboard Cite

“…Finally, a paper [8] can be examined that presents a benchmarking approach [55] to study the performance of seven static tools (five commercial tools) with a new methodology proposal. The benchmark is representative and it is designed for the vulnerability categories included in the known standard OWASP Top Ten project for SAST tools evaluations.…”

Section: Sast Tools Comparisons Studiesmentioning

confidence: 99%

“…An adequate test bench must be credible, portable, representative, require minimum changes and be easy to implement, and the tools execution must be under the same conditions [10]. We have investigated several security benchmarks for web applications as Wavsep used in the comparisons of [66,67]; Securebench Micro Project used in the works of [68,69]; Software Assurance Metrics And Tool Evaluation (SAMATE) project of National Institute of Standards and Technology (NIST) used in several works [9,28,[70][71][72][73]; OWASP benchmark project [14]; Delta-bench by Pashchenko et al [74] and OWASP Top Ten Benchmark [55] adapted for OWASP Top Ten 2013 and 2017 vulnerability categories projects and designed for static analysis only used in the work of Bermejo et al [8].…”

Section: Benchmark Selectionmentioning

confidence: 99%

See 1 more Smart Citation

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

Tudela

Higuera

et al. 2020

Applied Sciences

Self Cite

View full text Add to dashboard Cite

The design of the techniques and algorithms used by the static, dynamic and interactive security testing tools differ. Therefore, each tool detects to a greater or lesser extent each type of vulnerability for which they are designed for. In addition, their different designs mean that they have different percentages of false positives. In order to take advantage of the possible synergies that different analysis tools types may have, this paper combines several static, dynamic and interactive analysis security testing tools—static white box security analysis (SAST), dynamic black box security analysis (DAST) and interactive white box security analysis (IAST), respectively. The aim is to investigate how to improve the effectiveness of security vulnerability detection while reducing the number of false positives. Specifically, two static, two dynamic and two interactive security analysis tools will be combined to study their behavior using a specific benchmark for OWASP Top Ten security vulnerabilities and taking into account various scenarios of different criticality in terms of the applications analyzed. Finally, this study analyzes and discuss the values of the selected metrics applied to the results for each n-tools combination.

show abstract

“…For more information about benchmarking static analysis tools, please see page 1558 from the book [16].…”

mentioning

confidence: 99%

Ontology for Cross-Site-Scripting (XSS) Attack in Cybersecurity

Dora

Nemoga

2021

JCP

View full text Add to dashboard Cite

In this work, we tackle a frequent problem that frequently occurs in the cybersecurity field which is the exploitation of websites by XSS attacks, which are nowadays considered a complicated attack. These types of attacks aim to execute malicious scripts in a web browser of the client by including code in a legitimate web page. A serious matter is when a website accepts the “user-input” option. Attackers can exploit the web application (if vulnerable), and then steal sensitive data (session cookies, passwords, credit cards, etc.) from the server and/or from the client. However, the difficulty of the exploitation varies from website to website. Our focus is on the usage of ontology in cybersecurity against XSS attacks, on the importance of the ontology, and its core meaning for cybersecurity. We explain how a vulnerable website can be exploited, and how different JavaScript payloads can be used to detect vulnerabilities. We also enumerate some tools to use for an efficient analysis. We present detailed reasoning on what can be done to improve the security of a website in order to resist attacks, and we provide supportive examples. Then, we apply an ontology model against XSS attacks to strengthen the protection of a web application. However, we note that the existence of ontology does not improve the security itself, but it has to be properly used and should require a maximum of security layers to be taken into account.

show abstract

Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities

Cited by 11 publications

References 23 publications

Comparing Effectiveness and Efficiency of Interactive Application Security Testing (Iast) and Runtime Application Self-Protection (Rasp) Tools in A Large Java-Based System

Comparing Effectiveness and Efficiency of Interactive Application Security Testing (Iast) and Runtime Application Self-Protection (Rasp) Tools in A Large Java-Based System

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

Ontology for Cross-Site-Scripting (XSS) Attack in Cybersecurity

Contact Info

Product

Resources

About