2013 46th Hawaii International Conference on System Sciences 2013
DOI: 10.1109/hicss.2013.190

Effort Estimates on Web Application Vulnerability Discovery

Abstract: Web application vulnerabilities are widely considered a serious concern. However, there are as of yet scarce data comparing the effectiveness of different security countermeasures or detailing the magnitude of the security issues associated with web applications. This paper studies the effort that is required by a professional penetration tester to find an input validation vulnerability in an enterprise web application that has been developed in the presence or absence of four security measures: (i) developer …

Cited by 4 publications (8 citation statements); references 25 publications.

Citation statements:
“…Consulting experts is a frequent practice by both researchers and practitioners. For example, it has been employed by academia to measure a range of different aspects, from very abstract measures such as overall risk (Ryan et al, 2012) to more concrete measures such as the effort required to discover novel web application vulnerabilities (Holm et al, 2013a); it is frequently employed by practitioners to measure the security of their systems; it was used to create the CVSS scoring algorithm; it is used to characterize vulnerabilities according to CVSS metrics.…”
Section: Internal Validity (citation type: mentioning)
“…Expert judgment is frequently used to estimate phenomena that otherwise are difficult to measure (Cooke, 1991). In the domain of cyber security, it has been employed to measure a range of different aspects, from very abstract measures such as overall risk (Ryan et al, 2012) to more concrete measures such as the effort required to discover novel web application vulnerabilities (Holm et al, 2013a). Expert judgment was used to create the CVSS itself and is used to assign states to CVSS Base Score submetrics for new vulnerabilities.…”
Section: Introduction (citation type: mentioning)
“…However, the model is still very much a prototype. Currently, we are working on extending its functionality to include, e.g., time estimates for different attacks, web application attacks [8] and network vulnerability scanning [9]. We are also planning to conduct more case studies to estimate the usability and ease of use of CySeMoL.…”
Section: Discussion (citation type: mentioning)
“…P²CySeMoL adds four important assets to the scope of CySeMoL: SocialZone, NetworkVulnerabilityScanner [32], WebApplication [33], [34] and WebApplicationFirewall [33], [35].…”
Section: Assets, Attacks and Defenses (citation type: mentioning)
“…A WebApplication [33], [34] is a software written in a script language that is published by an HTTP server (an ApplicationServer). It is typically a combination of both server-side scripts (e.g., PHP) and client-side scripts (e.g., JavaScript).…”
Section: Assets, Attacks and Defenses (citation type: mentioning)