Meng Yan,Xin Xia,Xiaohong Zhang,Ling Xu,Dan Yang,Shanping Li

DOI: https://doi.org/10.1007/s11432-018-9608-3

2019-01-01

Science China Information Sciences

Abstract:Quality model is regarded as a well-accepted approach for assessing, managing and improving software product quality. There are three categories of quality models for software products, i.e., definition model, assessment model, and prediction model. Quality assessment model(QAM) is a metric-based approach to assess the software quality. It is typically regarded as of high importance for its clear method on how to assess a system. However, the current state-of-the-art in QAM research is under limited investigation.To address this gap, the paper provides an organized and synthesized summary of the current QAMs. In detail, we conduct a systematic mapping study(SMS) for structuring the relevant articles. We obtain a total of 716 papers from the five databases, and 31 papers are selected as relevant studies at last. In summary, our work focuses on QAMs from the following aspects: software metrics, quality factors, aggregation methods,evaluation methods and tool support. According to the analysis results, our work discovers five needs that researchers in this area should continue to address:(1) new method and criteria to tailor a quality framework(i.e., structure of software metrics and quality factors) according to different specifics,(2) systematic investigations on the effectiveness, strength and weakness of different aggregation methods to guide the method selection in different context,(3) more investigations on evaluating QAMs in the context of industrial cases,(4) further investigations or real-world case studies on the QAMs related tools, and(5) building a public and diverse software benchmark which can be adopted in different application context.

Yan Wu,Jingyi Su,David D. Moran,Chris D. Near

DOI: https://doi.org/10.48550/arXiv.2301.06215

2023-01-15

Software Engineering

Abstract:The mass production of complex software has made it impossible to manually test it for security vulnerabilities. Automated security testing tools come in a variety of flavors, function at various stages of software development, and target different categories of software vulnerabilities. It is great that we have a plethora of automated tools to choose from, but it is a problem that their adoption and recognition are not prominent. The purpose of this study is to explore the possibilities of existing techniques while also broadening the horizon by exploring the future of security testing tools and related techniques.

Zijing Yin,Yiwen Xu,Fuchen Ma,Haohao Gao,Lei Qiao,Yu Jiang

DOI: https://doi.org/10.1145/3517036

IF: 3.685

2023-01-31

ACM Transactions on Software Engineering and Methodology

Abstract:Scanners are commonly applied for detecting vulnerabilities in web applications. Various scanners with different strategies are widely in use, but their performance is challenged by the increasing diversity of target applications that have more complex attack surfaces (i.e., website paths) and covert vulnerabilities that can only be exploited by more sophisticated attack vectors (i.e., payloads). In this paper, we propose Scanner++, a framework that improves web vulnerability detection of existing scanners through combining their capabilities with attack intent synchronization. We design Scanner++ as a proxy-based architecture while using a package-based intent synchronization approach. Scanner++ first uses a purification mechanism to aggregate and refine attack intents, consisting of attack surfaces and attack vectors extracted from the base scanners’ request packets. Then, Scanner++ uses a runtime intent synchronization mechanism to select relevant attack intents according to the scanners’ detection spots to guide their scanning process. Consequently, base scanners can expand their attack surfaces, generate more diverse attack vectors and achieve better vulnerability detection performance. For evaluation, we implemented and integrated Scanner++ together with four widely used scanners, BurpSuite, AWVS, Arachni, and ZAP, testing it on ten benchmark web applications and three well-tested real-world web applications of a critical financial platform from our industry partner. Working under the Scanner++ framework helps BurpSuite, AWVS, Arachni, and ZAP cover 15.26%, 37.14%, 59.21%, 68.54% more pages, construct 12.95×, 1.13×, 15.03×, 52.66× more attack packets, and discover 77, 55, 77, 176 more bugs, respectively. Furthermore, Scanner++ detected eight serious previously unknown vulnerabilities on real-world applications, while the base scanners only found three of them.

computer science, software engineering

Osejobe Ehichoya,Chinwuba Christian Nnaemeka

DOI: https://doi.org/10.48550/arXiv.2212.12308

2022-12-13

Cryptography and Security

Abstract:Web services are becoming business-critical components, often deployed with critical software bugs that can be maliciously explored. Web vulnerability scanners allow the detection of security vulnerabilities in web services by stressing the service from the point of view of an attacker. However, research and practice show that different scanners perform differently in vulnerability detection. This paper presents a qualitative evaluation of security vulnerabilities found in web applications. Some well-known vulnerability scanners have been used to identify security flaws in web service implementations. Many vulnerabilities have been observed, which confirms that many services are deployed without proper security testing. Additionally, having reviewed and considered several articles, the differences in the vulnerabilities detected and the high number of false positives observed highlight the limitations of web vulnerability scanners in detecting security vulnerabilities in web services. Furthermore, this work will discuss the static analysis approach for discovering security vulnerabilities in web applications and complimenting it with proven research findings or solutions. These vulnerabilities include broken access control, cross-site scripting, SQL injections, buffer overflow, unrestricted file upload, broken authentications, etc. Web applications are becoming mission-essential components for businesses, potentially risking having several software vulnerabilities that hackers can exploit maliciously. A few Vulnerability scanners have been used to detect security weaknesses in web service applications, and many vulnerabilities have been discovered, thus confirming that many online apps are launched without sufficient security testing.

Emre Erturk,Angel Rajan

DOI: https://doi.org/10.48550/arXiv.1706.08017

2017-06-25

Cryptography and Security

Abstract:Cloud security is one of the biggest concerns for many companies. The growth in the number and size of websites increases the need for better securing those websites. Manual testing and detection of web vulnerabilities can be very time consuming. Automated Web Vulnerability Scanners (WVS) help with the detection of vulnerabilities in web applications. Acunetix is one of the widely used vulnerability scanners. Acunetix is also easy to implement and to use. The scan results not only provide the details of the vulnerabilities, but also give information about fixing the vulnerabilities. AcuSensor and AcuMonitor (technologies used by Acunetix) help generate more accurate potential vulnerability results. One of the purposes of this paper is to orient current students of computer security with using vulnerability scanners. Secondly, this paper provides a literature review related to the topic of security vulnerability scanners. Finally, web vulnerabilities are addressed from the mobile device and browser perspectives.

Marc Rennhard,Malte Kushnir,Olivier Favre,Damiano Esposito,Valentin Zahnd

DOI: https://doi.org/10.1007/s42979-022-01271-1

2022-07-16

SN Computer Science

Abstract:The importance of automated and reproducible security testing of web applications is growing, driven by increasing security requirements, short software development cycles, and constraints with respect to time and budget. Existing automated security testing tools are already well suited to detect some types of vulnerabilities, e.g., SQL injection or cross-site scripting vulnerabilities. However, other vulnerability types are much harder to uncover in an automated way. One important representative of this type are access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect HTTP GET request-based access control vulnerabilities in web applications is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort, which in turn enables frequent and reproducible testing. An evaluation with seven web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives low.

Stefan Marksteiner,Harald Lernbeiß,Bernhard Jandl-Scherf

DOI: https://doi.org/10.1145/2994475.2994479

2017-10-03

Abstract:As today's organizational computer networks are ever evolving and becoming more and more complex, finding potential vulnerabilities and conducting security audits has become a crucial element in securing these networks. The first step in auditing a network is reconnaissance by mapping it to get a comprehensive overview over its structure. The growing complexity, however, makes this task increasingly effortful, even more as mapping (instead of plain scanning), presently, still involves a lot of manual work. Therefore, the concept proposed in this paper automates the scanning and mapping of unknown and non-cooperative computer networks in order to find security weaknesses or verify access controls. It further helps to conduct audits by allowing comparing documented with actual networks and finding unauthorized network devices, as well as evaluating access control methods by conducting delta scans. It uses a novel approach of augmenting data from iteratively chained existing scanning tools with context, using genuine analytics modules to allow assessing a network's topology instead of just generating a list of scanned devices. It further contains a visualization model that provides a clear, lucid topology map and a special graph for comparative analysis. The goal is to provide maximum insight with a minimum of a priori knowledge.

Cryptography and Security

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Navneet Bhatt,Jasmine Kaur,Adarsh Anand,Omar H. Alhazmi

DOI: https://doi.org/10.32604/cmc.2022.026554

2022-01-01

Abstract:Software developers endeavor to build their products with the least number of bugs. Despite this, many vulnerabilities are detected in software that threatens its integrity. Various automated software i.e., vulnerability scanners, are available in the market which helps detect and manage vulnerabilities in a computer, application, or a network. Hence, the choice of an appropriate vulnerability scanner is crucial to ensure efficient vulnerability management. The current work serves a dual purpose, first, to identify the key factors which affect the vulnerability discovery process in a network. The second, is to rank the popular vulnerability scanners based on the identified attributes. This will aid the firm in determining the best scanner for them considering multiple aspects. The multi-criterion decision making based ranking approach has been discussed using the Intuitionistic Fuzzy set (IFS) and Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) to rank the various scanners. Using IFS TOPSIS, the opinion of a whole group could be simultaneously considered in the vulnerability scanner selection. In this study, five popular vulnerability scanners, namely, Nessus, Fsecure Radar, Greenbone, Qualys, and Nexpose have been considered. The inputs of industry specialists i.e., people who deal in software security and vulnerability management process have been taken for the ranking process. Using the proposed methodology, a hierarchical classification of the various vulnerability scanners could be achieved. The clear enumeration of the steps allows for easy adaptability of the model to varied situations. This study will help product developers become aware of the needs of the market and design better scanners. And from the user's point of view, it will help the system administrators in deciding which scanner to deploy depending on the company's needs and preferences. The current work is the first to use a Multi Criterion Group Decision Making technique in vulnerability scanner selection.

computer science, information systems,materials science, multidisciplinary

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

João Pedro Seara,Carlos Serrão

DOI: https://doi.org/10.3390/electronics13050873

IF: 2.9

2024-02-24

Electronics

Abstract:Cybersecurity failures have become increasingly detrimental to organizations worldwide, impacting their finances, operations, and reputation. This issue is worsened by the scarcity of cybersecurity professionals. Moreover, the specialization required for cybersecurity expertise is both costly and time-consuming. In light of these challenges, this study has concentrated on automating cybersecurity processes, particularly those pertaining to continuous vulnerability detection. A cybersecurity vulnerability scanner was developed, which is freely available to the community and does not necessitate any prior expertise from the operator. The effectiveness of this tool was evaluated by IT companies and systems engineers, some of whom had no background in cybersecurity. The findings indicate that the scanner proved to be efficient, precise, and easy to use. It assisted the operators in safeguarding their systems in an automated fashion, as part of their security audit strategy.

engineering, electrical & electronic,computer science, information systems,physics, applied

Goran Piskachev,Stefan Dziwok,Thorsten Koch,Sven Merschjohan,Eric Bodden

DOI: https://doi.org/10.48550/arXiv.2208.06136

2022-08-12

Abstract:As security becomes more relevant for many companies, the popularity of static program analysis (SPA) tools is increasing. In this paper, we target the use of SPA tools among companies in Germany with a focus on security. We give insights on the current issues and the developers' willingness to configure the tools to overcome these issues. Compared to previous studies, our study considers the companies' culture and processes for using SPA tools. We conducted an online survey with 256 responses and semi-structured interviews with 17 product owners and executives from multiple companies. Our results show a diversity in the usage of tools. Only half of our survey participants use SPA tools. The free tools tend to be more popular among software developers. In most companies, software developers are encouraged to use free tools, whereas commercial tools can be requested. However, the product owners and executives in our interviews reported that their developers do not request new tools. We also find out that automatic security checks with tools are rarely performed on each release.

Cryptography and Security,Software Engineering

Shuji Morisaki,Michiyo Wakimoto,Norimitsu Kasai

DOI: https://doi.org/10.1109/access.2024.3360275

IF: 3.9

2024-02-10

IEEE Access

Abstract:In environments involving a variety of connected devices and systems, there is an ever-increasing demand for automated adaptation. To ensure that all threats are identified and manageable in such environments, quality assurance activities including testing and inspections in design-time should focus on assessing the reliability of critical adaptations, which may threaten life, economic property, or important information. This work proposes an approach for identifying and evaluating critical adaptations on the basis of their automation level, reliability, detectability, and recoverability by decomposing adaptations into four stages: monitor, analyze, plan, and execute. This work also empirically evaluates the effectiveness of the proposed approach by assessing a real safety-critical telecommunication system with critical adaptation features and comparing the results with the STAMP (System Theoretic Accident Model and Processes)/STPA (System-Theoretic Process Analysis) approach. The results of the evaluation indicated that the proposed approach could assess critical adaptation features provided by the system with reasonable effort. Additionally, structured views provided by the proposed approach enable efficient quality assurance activities. In the evaluation, the proposed approach achieves similar results to the STAMP/STPA approach but requires 33% less effort.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jiang Zhen

Abstract:The paper introduces the current severe situation of the Web security, and brings up the necessity to design Web vulnerability scanning software. Then it analyzes Web crawler, construction of website structure tree, and detection methods of SQL injection, XSS, integer overflow and URL redirection, which provides a guarantee for developing the system successfully. The paper also describes the software architecture and the design of modules. The final testing results prove that the software is able to detect the common types of vulnerabilities rapidly and comprehensively. The software has been published.

Computer Science

Anh Nguyen-Duc,Manh Viet Do,Quan Luong Hong,Kiem Nguyen Khac

DOI: https://doi.org/10.48550/arXiv.2103.08010

2021-03-24

Abstract:Static Application Security Testing (SAST) is a popular quality assurance technique in software engineering. However, integrating SAST tools into industry-level product development and security assessment poses various technical and managerial challenges. In this work, we reported a longitudinal case study of adopting SAST as a part of a human-driven security assessment for an open-source e-government project. We described how SASTs are selected, evaluated, and combined into a novel approach for software security assessment. The approach was preliminarily evaluated using semi-structured interviews. Our result shows that (1) while some SAST tools out-perform others, it is possible to achieve better performance by combining more than one SAST tools and (2) SAST tools should be used towards a practical performance and in the combination with triangulated approaches for human-driven vulnerability assessment in real-world projects.

Software Engineering

R. Plösch,H. Gruber,A. Hentschel,Ch. Körner,G. Pomberger,S. Schiffer,M. Saft,S. Storck

DOI: https://doi.org/10.1007/s11334-007-0039-7

2008-01-12

Innovations in Systems and Software Engineering

Abstract:There is empirical evidence that internal software quality, e.g., the quality of source code, has great impact on the overall quality of software. Besides well-known manual inspection and review techniques for source code, more recent approaches utilize tool-based static code analysis for the evaluation of internal software quality. Despite the high potential of code analyzers the application of tools alone cannot replace well-founded expert opinion. Knowledge, experience and fair judgment are indispensable for a valid, reliable quality assessment, which is accepted by software developers and managers. The EMISQ method (Evaluation Method for Internal Software Quality), guides the assessment process for all stakeholders of an evaluation project. The method is supported by the Software Product Quality Reporter (SPQR), a tool which assists evaluators with their analysis and rating tasks and provides support for generating code quality reports. The application of SPQR has already proved its usefulness in various code assessment projects around the world. This paper introduces the EMISQ method and describes the tool support needed for an efficient and effective evaluation of internal software quality.

Dinesh Reddy Chittibala

DOI: https://doi.org/10.47941/ijce.1737

2024-03-21

Abstract:Purpose: This article aims to shed light on the transformative role of Open Source Software (OSS) in digital infrastructure and the accompanying security challenges. It highlights the critical need for automated code scanning technologies to address vulnerabilities stemming from coding errors, lack of secure coding practices, and the rapid development pace. Methodology: Through a comprehensive analysis of static, dynamic, and interactive code scanning methods, along with the exploration of AI and ML integration, this study examines scalable and efficient approaches to enhance detection capabilities early in the development lifecycle. Findings: While automated code scanning technologies have made significant strides in detecting and mitigating vulnerabilities, there remain notable research and methodology gaps, especially in technology scalability and the effectiveness of these methods. Unique Contribution to Theory, Policy, and Practice: This article posits a forward-looking perspective on automated code scanning, advocating for intelligent, collaborative, and integrated security measures in OSS. It emphasizes the indispensable role of community collaboration and open-source contributions in advancing these technologies, crucial for the proactive identification and mitigation of security vulnerabilities, thereby safeguarding the digital ecosystem's integrity and reliability.

Jinfeng Li

DOI: https://doi.org/10.33166/AETiC.2020.03.001

2020-07-04

Abstract:The delivery of a framework in place for secure application development is of real value for application development teams to integrate security into their development life cycle, especially when a mobile or web application moves past the scanning stage and focuses increasingly on the remediation or mitigation phase based on static application security testing (SAST). For the first time, to the author's knowledge, the industry-standard Open Web Application Security Project (OWASP) top 10 vulnerabilities and CWE/SANS top 25 most dangerous software errors are synced up in a matrix with Checkmarx vulnerability queries, producing an application security framework that helps development teams review and address code vulnerabilities, minimise false positives discovered in static scans and penetration tests, targeting an increased accuracy of the findings. A case study is conducted for vulnerabilities scanning of a proof-of-concept mobile malware detection app. Mapping the OWASP/SANS with Checkmarx vulnerabilities queries, flaws and vulnerabilities are demonstrated to be mitigated with improved efficiency.

Cryptography and Security,Software Engineering

Hui Guan,Weiru Chen,Lin Liu,Hongji Yang

2012-01-01

Abstract:Risk assessment has been getting increased attention as the new vulnerabilities and threats are emerging on daily basis. The popularity and complexity of web application present challenges to the security implementation for web engineering. It is well known that the earlier to perform risk assessment for software, the less cost needed to mitigate the security risks. However, quantitative estimation of security in the earlier stage of software development life cycle is largely missing. In this paper, we propose a quantitative approach to perform risk assessment at design stage for web application which is based on multiple security vectors of asset, threat and vulnerability. An environment-driven method is proposed to elicit threats to the system. In the end, the risk assessment methodology is applied on a customer goods case study.

Arthur-Jozsef Molnar,Alexandra Neamţu,Simona Motogna

DOI: https://doi.org/10.1007/978-3-030-40223-5_8

2020-09-03

Abstract:Computing devices and associated software govern everyday life, and form the backbone of safety critical systems in banking, healthcare, automotive and other fields. Increasing system complexity, quickly evolving technologies and paradigm shifts have kept software quality research at the forefront. Standards such as ISO's 25010 express it in terms of sub-characteristics such as maintainability, reliability and security. A significant body of literature attempts to link these subcharacteristics with software metric values, with the end goal of creating a metric-based model of software product quality. However, research also identifies the most important existing barriers. Among them we mention the diversity of software application types, development platforms and languages. Additionally, unified definitions to make software metrics truly language-agnostic do not exist, and would be difficult to implement given programming language levels of variety. This is compounded by the fact that many existing studies do not detail their methodology and tooling, which precludes researchers from creating surveys to enable data analysis on a larger scale. In our paper, we propose a comprehensive study of metric values in the context of three complex, open-source applications. We align our methodology and tooling with that of existing research, and present it in detail in order to facilitate comparative evaluation. We study metric values during the entire 18-year development history of our target applications, in order to capture the longitudinal view that we found lacking in existing literature. We identify metric dependencies and check their consistency across applications and their versions. At each step, we carry out comparative evaluation with existing research and present our results.

Software Engineering