2020
DOI: 10.3390/app10249119

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

Abstract: The design of the techniques and algorithms used by static, dynamic and interactive security testing tools differs. Therefore, each tool detects, to a greater or lesser extent, each type of vulnerability it is designed for. In addition, their different designs mean that they have different percentages of false positives. In order to take advantage of the possible synergies that different types of analysis tools may have, this paper combines several static, dynamic and interactive analysis security t…

Cited by 12 publications (9 citation statements)
References 61 publications
“…IAST tools also involve active real-time interaction with the application being tested for vulnerabilities, similar to dynamic analysis. An agent of the tool is integrated with the server of the application so that the tool monitors all the requests, code, and data flow within the application [11]. The code of the application pertaining to those requests and data flow is scanned for vulnerabilities.…”
Section: Interactive Application Security Testing (IAST)
Mentioning confidence: 99%
“…Heijstek [7] also mentioned that both IAST and RASP are emerging tools for secure DevOps and CI/CD environments. Tudela et al. [29] worked on combining SAST, DAST, and IAST security analysis techniques, applied against the OWASP Benchmark project. Miao et al. [30] provided strategies of integrating RASP protection policies in a security information and event management framework.…”
Section: Comparing Static Application Security Testing (SAST) and Dyn...
Mentioning confidence: 99%
“…The attacker uses malicious SQL commands to manipulate authentication so the information in the database can be exploited illegally [4]. The Open Web Application Security Project (OWASP) puts SQL injection as the top 10 vulnerabilities [5]. The list order of the top 10 vulnerabilities is SQL Injection, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring [6], [7].…”
Section: Introduction
Mentioning confidence: 99%