Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities

Detailed Description

Saved in:
Bibliographic Details
Published in: Computers, materials & continua, 2020-01, Vol.64 (3), p.1555-1577
Main authors: R. Bermejo Higuera, Juan, Bermejo Higuera, Javier, A. Sicilia Montalvo, Juan, Cubo Villalba, Javier, Jos Nombela Pérez, Juan
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 1577
container_issue 3
container_start_page 1555
container_title Computers, materials & continua
container_volume 64
creator R. Bermejo Higuera, Juan
Bermejo Higuera, Javier
A. Sicilia Montalvo, Juan
Cubo Villalba, Javier
Jos Nombela Pérez, Juan
description To detect security vulnerabilities in a web application, the security analyst must choose the best-performing Static Application Security Testing (SAST) tool, that is, the one that discovers the greatest number of security vulnerabilities. To compare static analysis tools for web applications, a benchmark adapted to the vulnerability categories of the well-known Open Web Application Security Project (OWASP) Top Ten standard is required. Information on the security effectiveness of commercial static analysis tools is usually not publicly available, and the state of the art on static security analyzers shows that the different designs and implementations of these tools yield different effectiveness rates in terms of security performance. Given the significant cost of commercial tools, this paper studies the performance of seven static tools using a newly proposed methodology and a new benchmark designed for the vulnerability categories of the OWASP Top Ten standard. Practitioners will thus have more precise information to select the best tool, using a benchmark adapted to the latest versions of the OWASP Top Ten project. The results of this work have been obtained using widely accepted metrics and classify the tools according to three different degrees of web application criticality.
doi_str_mv 10.32604/cmc.2020.010885
format Article
fulltext fulltext
identifier ISSN: 1546-2226
ispartof Computers, materials & continua, 2020-01, Vol.64 (3), p.1555-1577
issn 1546-2226
1546-2218
1546-2226
language eng
recordid cdi_proquest_journals_2419203446
source EZB-FREE-00999 freely available EZB journals
subjects Analyzers
Applications programs
Benchmarks
title Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities