On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

The design of the techniques and algorithms used by static, dynamic and interactive security testing tools differs. Therefore, each tool detects, to a greater or lesser extent, each type of vulnerability for which it is designed. In addition, their different designs mean that they have different percentages of false positives. In order to take advantage of the possible synergies among the different types of analysis tools, this paper combines several static, dynamic and interactive analysis security testing tools: static white box security analysis (SAST), dynamic black box security analysis (DAST) and interactive white box security analysis (IAST), respectively. The aim is to investigate how to improve the effectiveness of security vulnerability detection while reducing the number of false positives. Specifically, two static, two dynamic and two interactive security analysis tools will be combined to study their behavior using a specific benchmark for OWASP Top Ten security vulnerabilities, taking into account various scenarios of different criticality in terms of the applications analyzed. Finally, this study analyzes and discusses the values of the selected metrics applied to the results for each n-tools combination.

| Main Authors: | Francesc Mateo Tudela, Juan-Ramón Bermejo Higuera, Javier Bermejo Higuera, Juan-Antonio Sicilia Montalvo, Michael I. Argyros |
|---|---|
| Affiliations: | Escuela Superior de Ingeniería y Tecnología, Universidad Internacional de La Rioja, Avda. de La Paz 137, 26006 Logroño, La Rioja, Spain (Mateo Tudela, J.-R. Bermejo Higuera, J. Bermejo Higuera, Sicilia Montalvo); Department of Computing and Technology, Cameron University, Lawton, OK 73505, USA (Argyros) |
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2020-12-01 |
| Series: | Applied Sciences, vol. 10, no. 24, article 9119 (ISSN 2076-3417) |
| DOI: | 10.3390/app10249119 |
| Subjects: | web application; security vulnerability; analysis security testing; static analysis security testing; dynamic analysis security testing; interactive analysis security testing |
| Online Access: | https://www.mdpi.com/2076-3417/10/24/9119 |