Statistics of software vulnerability detection in certification testing

Barabanov, Alexander; Markov, Alexey; Tsirlov, Valentin

doi:10.1088/1742-6596/1015/4/042033

Cited by 6 publications

(4 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The OWASP Top Ten project brings together the most important vulnerability categories. There are several works that confirm web applications tested did not pass the OWASP Top Ten project [2][3][4]. Web applications in organizations and companies connected through the Internet and Intranets imply that they are used to develop any type of business, but at the same time they have become a valuable target of a great variety of attacks by exploiting the design, implementation or operation vulnerabilities, included in the OWASP Top Ten project, to obtain some type of economic advantage, privileged information, denial, extortion, etc.…”

Section: Web Applications Securitymentioning

confidence: 99%

See 1 more Smart Citation

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

Tudela

Higuera

et al. 2020

Applied Sciences

View full text Add to dashboard Cite

The design of the techniques and algorithms used by the static, dynamic and interactive security testing tools differ. Therefore, each tool detects to a greater or lesser extent each type of vulnerability for which they are designed for. In addition, their different designs mean that they have different percentages of false positives. In order to take advantage of the possible synergies that different analysis tools types may have, this paper combines several static, dynamic and interactive analysis security testing tools—static white box security analysis (SAST), dynamic black box security analysis (DAST) and interactive white box security analysis (IAST), respectively. The aim is to investigate how to improve the effectiveness of security vulnerability detection while reducing the number of false positives. Specifically, two static, two dynamic and two interactive security analysis tools will be combined to study their behavior using a specific benchmark for OWASP Top Ten security vulnerabilities and taking into account various scenarios of different criticality in terms of the applications analyzed. Finally, this study analyzes and discuss the values of the selected metrics applied to the results for each n-tools combination.

show abstract

Section: Web Applications Securitymentioning

confidence: 99%

“…Taking into account statistics of security vulnerabilities reported by several studies [2][3][4], the most adequate test bench for using SAST, DAST and IAST tools is OWASP benchmark project [14]. This benchmark is an open source web application in Java language deployed in Apache Tomcat.…”

Section: Benchmark Selectionmentioning

confidence: 99%

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

Tudela

Higuera

et al. 2020

Applied Sciences

View full text Add to dashboard Cite

show abstract

“…exploitation and vulnerability prevention, has become a hot topic in the world of information security [1]- [4]. In response to cyberattacks, an effective method is to use a vulnerability database that is more complete, and the vulnerability database is faster to update and monitor the information assets under its jurisdiction, eliminating hidden dangers and ensuring information security [5]- [7].…”

Section: Introductionmentioning

confidence: 99%

An Intelligent Communication Warning Vulnerability Detection Algorithm Based on IoT Technology

Mao¹,

Xu²,

Xu³

2019

IEEE Access

View full text Add to dashboard Cite

This paper mainly studies the vulnerability intelligent early warning technology in the IoT environment, and studies the network security assessment method based on the attack graph association analysis of the IoT environment, and analyzes the attack graph generation algorithm. Firstly, it uses the attack graph technology to establish a network security evaluation model based on the vulnerability association analysis in the IoT environment. The attack graph generation algorithm is improved. The key attack path of the attack graph in the IoT environment is searched according to the node weight value. The key attack path of the network attack graph is used to measure the whole network security, and the security under the IoT environment is given. The measurement calculation model is used to realize the quantitative analysis of the security status of the IoT environment by using the attack graph. Secondly, an intelligent early warning vulnerability detection algorithm based on the dynamic stain propagation model in the IoT environment is proposed, focusing on the introduction of stains and the inspection of stains. A static detection method for early warning vulnerabilities based on the counterexample of the IoT is proposed. Through the flow detection and context sensitive detection, a possible buffer early warning vulnerability is discovered. The driver crawler realizes automatic detection, and uses function hijacking to detect the execution of the stain data. In the experimental environment, compared with the existing tools, the experimental data shows that the algorithm improves the accuracy, recall rate and efficiency of the unfiltered vulnerability of intelligent early warning detection, and proves that the proposed algorithm can effectively detect the vulnerability. INDEX TERMS Security measurement calculation model, IoT, intelligent early warning, vulnerability mining detection.

show abstract

“…Первостепенными задачами экспертного сообщества при этом являются: (функциональная структура, объединяющая более 6000 специалистов из разных военных ведомств и командований) под названием «Завоевание и удержание господства в киберпространстве» 28 . Важное значение в этом контексте имеет также решение НАТО о возможности задействовать статью 5 Вашингтонского договора, предусматривающую коллективную самооборону, в случае кибернападения, хотя при этом подчеркивается, что не любое кибернападение приведет к задействованию статьи 5 29 . Следовательно, в США существует комплексная стратегическая программа обеспечения и поддержания информационного превосходства путем повышения своих возможностей и всестороннего снижения способностей других акторов.…”

unclassified

International Security, Strategic Stability and Information Technologies

Romashkina¹,

Markov²,

Stefanovich³

2020

View full text Add to dashboard Cite

The monograph is devoted to topical issues of international security and strategic stability in the context of accelerated development of information and communication technologies. It justifies the importance of ensuring international information security. The monograph examines the possibility of establishing an ITarms control regime under the UN auspices. Different aspects of regulation of software security systems and of the use of supercomputers in the context of the international information security are examined. The impact of information and communication technologies on strategic stability is analyzed. This monograph is addressed to specialists in the field of information and communication technologies and international security, university lecturers, students and graduate students of universities, as well as a wide range of readers.

show abstract

Statistics of software vulnerability detection in certification testing

Cited by 6 publications

References 9 publications

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

An Intelligent Communication Warning Vulnerability Detection Algorithm Based on IoT Technology

International Security, Strategic Stability and Information Technologies

Contact Info

Product

Resources

About