Security Assessment Based on OWASP Top 10 Using SonarQube and ZAP on Export and Import Applications in the LNSW

Abstract

Background: The advancement of information and electronic systems has significantly transformed export and import processes. In Indonesia, the Lembaga National Single Window (LNSW) plays a pivotal role in facilitating international trade by integrating procedures and information related to exports, imports, and document flows. Objective: This study aims to assess the security of LNSW’s export and import application by identifying vulnerabilities based on the Open Web Application Security Project (OWASP) Top 10 framework. It also compares the effectiveness of Static Application Security Testing (SAST) using SonarQube and Dynamic Application Security Testing (DAST) using ZAP (Zed Attack Proxy) in detecting various types of vulnerabilities. Methods: The analysis involved the use of SonarQube for source code scanning and ZAP for runtime testing. Each detected vulnerability was evaluated using the Common Vulnerability Scoring System (CVSS) to determine its severity level. Recommended mitigation strategies were provided accordingly. Results: A total of eight vulnerabilities were identified, comprising two High-severity and six Medium-severity issues. SonarQube proved more effective in detecting Identification and Authentication Failures (three instances), while ZAP excelled in identifying Vulnerable and Outdated Components (two instances). Notably, each tool uncovered four unique types of vulnerabilities that the other did not detect. Conclusion: These findings highlight the practical benefits of combining SAST and DAST techniques. By integrating both approaches, organizations can achieve a more comprehensive and reliable security assessment, ultimately leading to more resilient software systems.

Similar Papers
  • Research Article
  • Citations: 7
  • 10.7717/peerj-cs.2821
Comparative evaluation of approaches & tools for effective security testing of Web applications.
  • Apr 30, 2025
  • PeerJ. Computer science
  • Sana Qadir + 3 more

It is generally accepted that adopting both static application security testing (SAST) and dynamic application security testing (DAST) approaches is vital for thorough and effective security testing. However, this suggestion has not been comprehensively evaluated, especially with regard to the individual risk categories mentioned in Open Web Application Security Project (OWASP) Top 10:2021 and common weakness enumeration (CWE) Top 25:2023 lists. Also, it is rare to find any evidence-based recommendations for effective tools for detecting vulnerabilities from a specific risk category or severity level. These shortcomings increase both the time and cost of systematic security testing when its need is heightened by increasingly frequent and preventable incidents. This study aims to fill these gaps by empirically testing seventy-five real-world Web applications using four SAST and five DAST tools. Only popular, free, and open-source tools were selected and each Web application was scanned using these nine tools. From the report generated by these tools, we considered two parameters to measure effectiveness: count and severity of the vulnerability found. We also mapped the vulnerabilities to OWASP Top 10:2021 and CWE Top 25:2023 lists. Our results show that using only DAST tools is the preferred option for four OWASP Top 10:2021 risk categories while using only SAST tools is preferred for only three risk categories. Either approach is effective for two of the OWASP Top 10:2021 risk categories. For CWE Top 25:2023 list, all three approaches were equally effective and found vulnerabilities belonging to three risk categories each. We also found that none of the tools were able to detect any vulnerability in one OWASP Top 10:2021 risk category and in eight CWE Top 25:2023 categories. This highlights a critical limitation of popular tools. 
The most effective DAST tool was OWASP Zed Attack Proxy (ZAP), especially for detecting vulnerabilities in broken access control, insecure design, and security misconfiguration risk categories. Yasca was the best-performing SAST tool, and outperformed all other tools at finding high-severity vulnerabilities. For medium-severity and low-severity levels, the DAST tools Iron Web application Advanced Security testing Platform (WASP) and Vega performed better than all the other tools. These findings reveal key insights, such as, the superiority of DAST tools for detecting certain types of vulnerabilities and the indispensability of SAST tools for detecting high-severity issues (due to detailed static code analysis). This study also addresses significant limitations in previous research by testing multiple real-world Web applications across diverse domains (technology, health, and education), enhancing generalization of the findings. Unlike studies that rely primarily on proprietary tools, our use of open-source SAST and DAST tools ensures better reproducibility and accessibility for organizations with limited budget.

  • Research Article
  • Citations: 4
  • 10.21512/commit.v18i1.9384
Uncovering the Risk of Academic Information System Vulnerability through PTES and OWASP Method
  • Apr 5, 2024
  • CommIT (Communication and Information Technology) Journal
  • Ferzha Putra Utama + 1 more

The security of academic information systems needs consideration to anticipate various threats that result in data leakage, misuse of information, modification, and data destruction. There are 36 public and private universities that utilize the academic information system provided by the software developed by Company XYZ. Limited resources in universities contribute to the weak handling of vulnerabilities in academic information systems. The research aims to determine the vulnerability level of academic information systems developed by Company XYZ through penetration testing. The research employs a deductive approach to explore academic system vulnerabilities based on incidents related to system security issues at a university. The research utilizes a combination of two testing methods: the Penetration Testing Execution Standard (PTES) and the Open Web Application Security Project (OWASP), chosen for their reliability, ease of use, and support by penetration testing tools. Penetration testing follows the PTES, involving seven steps: pre-engagement interaction, information collection, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. The threat focus in the research aligns with the OWASP Top 10 2021, which ranks the ten most critical security risks. Results reveal eight critical security issues based on measurements using the Common Vulnerability Scoring System (CVSS) method. There are two high-level vulnerabilities, five medium-level vulnerabilities, and one low-level vulnerability. Moreover, the three principal vulnerabilities are Structured Query Language (SQL) Injection, broken access control, and weak encryption. Universities can enhance data integrity by independently remediating vulnerabilities discovered in the research. Furthermore, universities are encouraged to raise awareness within the academic community regarding the security of academic data.

  • Research Article
  • Citations: 1
  • 10.47836/pjst.31.3.07
Automation of Quantifying Security Risk Level on Injection Attacks Based on Common Vulnerability Scoring System Metric
  • Mar 31, 2023
  • Pertanika Journal of Science and Technology
  • Aditya Kurniawan + 4 more

An injection attack is a cyber-attack that is one of the Open Web Application Security Project Top 10 Vulnerabilities. These attacks take advantage of insufficient validation of user input that enters the system through the input surface of a Web application, as submitted by the user in the browser. The company’s cyber security team must filter thousands of attacks to prioritize which attacks are considered the most dangerous and should be mitigated first. This activity of filtering thousands of attacks takes much time because the attacks have to be checked one by one. Therefore, a method is needed to assess how dangerous a cyber-attack that enters an organization’s or company’s server is. Injection attack detection can be done by analyzing the request data in the web server log. Our research attempts to perform quantification modeling of the variations of two types of injection attacks, SQL Injection (SQLi) and Cross-Site Scripting (XSS), using Common Vulnerability Scoring System (CVSS) metrics. CVSS metrics are generally used to calculate the severity of a weakness in a system; they have not been used to calculate how dangerous an attack is. The modeling that we have made shows that SQLi and XSS attacks have many variations in levels, ranging from low to high. We discovered that, when classified using the Common Weakness Enumeration database, the CVE values of SQLi and XSS attacks show a high level of congruence, almost 94%, between one CVSS vector and another.

  • Book Chapter
  • Citations: 17
  • 10.1007/978-3-030-40417-8_8
The Cyber Threats Analysis for Web Applications Security in Industry 4.0
  • Jan 1, 2020
  • Anna Sołtysik-Piorunkiewicz + 1 more

The article shows the trends in the occurrence of cybersecurity threats for web applications and the recommendations for security in organizations of Industry 4.0, based on a study of reports published by web security experts in the Open Web Application Security Project (OWASP), NIST (National Institute of Standards and Technology), and MITRE (The MITRE Corporation). The article presents the diversity and variability of security threats for web applications. The area of research involves the threat categories established in cybersecurity reports, as well as recently published data collected by OWASP, NIST, and MITRE from monitoring cyber-threats and their changes over the past twenty years. The research goal of the article is to analyse the frequency of security threats for web applications based on OWASP data published in the years 2003–2017, and to obtain answers to three main research questions on the dynamics of variability of specific security threats for web application security in Industry 4.0. The article presents the role and tasks of the OWASP foundation as a key example of an organization dealing with the security of web applications, and other selected organizations of this type operating in the world, i.e. NIST and MITRE. The frequency of occurrence of web application threats in the years 2003–2017 was compared according to data published in OWASP reports. The unique threats to the security of web applications that occurred only once in the analysed period, and those that are repeated at different time periods, were determined, as well as the latest threats identified by OWASP in 2017, and recommendations for organizations of Industry 4.0 were described. In order to obtain answers to the research questions, an in-depth literature analysis based on book sources as well as legal acts and reports published on the Internet was used, and an analysis of source data from OWASP, NIST, and MITRE reports was carried out.
The results were interpreted based on an analysis of vulnerability reports, and recommendations for security management in the next wave of Industry 4.0 development were proposed.

  • Research Article
  • Citations: 11
  • 10.24114/cess.v5i2.17149
Analisis Keamanan Sistem Informasi Berbasis Website Dengan Metode Open Web Application Security Project (OWASP) Versi 4: Systematic Review (Security Analysis of Website-Based Information Systems Using the Open Web Application Security Project (OWASP) Version 4 Method: Systematic Review)
  • Jul 31, 2020
  • CESS (Journal of Computer Engineering, System and Science)
  • Anggi Elanda + 1 more

OWASP (Open Web Application Security Project) version 4 is issued by a non-profit organization called owasp.org, which is dedicated to the security of web-based applications. This systematic review is intended to examine whether the Open Web Application Security Project (OWASP) method is widely used to detect security weaknesses in a website-based information system. In this systematic review, we review three pieces of literature from several publisher sources and make a comparison of OWASP version 4 results and the security level of a web server reported in each source.

Keywords: OWASP, Website Vulnerability, Website Security Detection

  • Research Article
  • Citations: 18
  • 10.1016/j.jisa.2020.102593
An efficient security data-driven approach for implementing risk assessment
  • Aug 23, 2020
  • Journal of Information Security and Applications
  • Alireza Shameli-Sendi

  • Conference Article
  • Citations: 6
  • 10.1109/ths.2015.7225269
Code Pulse: Real-time code coverage for penetration testing activities
  • Apr 1, 2015
  • Hassan Radwan + 1 more

A continuous challenge facing software penetration testers is ensuring adequate coverage of a target application. Many dynamic application security testing tools and manual pen-testing techniques test only part of the exposed code base, leaving much of the attack surface untested. A purely black box approach, used by most DAST tools, makes it almost impossible to accurately identify how much of the attack surface of an application was tested for penetration during assessment. Glass box testing techniques, as described in this paper, significantly improve the insight that penetration testers have into the coverage and makeup of the applications they are targeting. This paper reports on DHS-funded research which resulted in an innovative open source tool called Code Pulse that provides real-time code coverage for pen-testing Java web applications. Code Pulse leverages the Java instrumentation libraries to provide a real-time glass box perspective of method calls as they are exercised during security testing activities. While the concept of glass box testing is not new, Code Pulse delivers a novel real-time approach to the challenge while maintaining a tool-agnostic approach. In this paper we will outline the code coverage challenges facing penetration testers, describe the state-of-the-art in software assurance code coverage, the innovative aspects of our approach and its contribution to the state-of-the-art, the feedback we have received since releasing it as an Open Web Application Security Project (OWASP) pen-testing application in May 2014, and the planned improvements to Code Pulse.

  • Conference Article
  • Citations: 15
  • 10.23919/fruct.2017.8071292
Analytical attack modeling and security assessment based on the common vulnerability scoring system
  • Apr 1, 2017
  • Elena Doynikova + 2 more

The paper analyzes an approach to analytical attack modeling and security assessment based on the Common Vulnerability Scoring System (CVSS) format, considering the modifications that appeared in the new version of the CVSS specification. The general approach to analytical attack modeling and security assessment was suggested by the authors earlier. The paper outlines disadvantages of the previous CVSS version that negatively influenced the results of attack modeling and security assessment. Differences between the new and previous CVSS versions are analyzed. Modifications of the approach to analytical attack modeling and security assessment that follow from the CVSS changes are suggested. Advantages of the modified approach are described. A case study that illustrates the enhanced approach is provided.

  • Research Article
  • Citations: 82
  • 10.33166/aetic.2020.03.001
Vulnerabilities Mapping based on OWASP-SANS: A Survey for Static Application Security Testing (SAST)
  • Jul 1, 2020
  • Annals of Emerging Technologies in Computing
  • Jinfeng Li

The delivery of a framework in place for secure application development is of real value for application development teams to integrate security into their development life cycle, especially when a mobile or web application moves past the scanning stage and focuses increasingly on the remediation or mitigation phase based on static application security testing (SAST). For the first time, to the author’s knowledge, the industry-standard Open Web Application Security Project (OWASP) top 10 vulnerabilities and CWE/SANS top 25 most dangerous software errors are synced up in a matrix with Checkmarx vulnerability queries, producing an application security framework that helps development teams review and address code vulnerabilities, minimise false positives discovered in static scans and penetration tests, targeting an increased accuracy of the findings. A case study is conducted for vulnerabilities scanning of a proof-of-concept mobile malware detection app. Mapping the OWASP/SANS with Checkmarx vulnerabilities queries, flaws and vulnerabilities are demonstrated to be mitigated with improved efficiency.

  • Research Article
  • Citations: 11
  • 10.14429/dsj.62.1291
Reducing Attack Surface of a Web Application by Open Web Application Security Project Compliance
  • Sep 1, 2012
  • Defence Science Journal
  • Sumit Goswami + 4 more

The attack surface of a system is the amount of application area that is exposed to adversaries. The overall vulnerability can be reduced by reducing the attack surface of a web application. In this paper, we have considered the web components of two versions of an in-house developed project management web application, and the attack surface has been calculated before and after Open Web Application Security Project (OWASP) compliance, based on a security audit, to determine and then compare the security of this Project Management Application. OWASP is an open community that provides free tools and guidelines for application security. It was observed that the attack surface of the software was reduced by 45 per cent once it was made OWASP compliant. The vulnerable surface exposed by the code even after OWASP compliance was due to the mandatory access points left in the software to ensure accessibility over a network. Defence Science Journal, 2012, 62(5), pp. 324-330, DOI: http://dx.doi.org/10.14429/dsj.62.1291

  • Conference Article
  • Citations: 20
  • 10.1109/citsm50537.2020.9268856
Analysis of Web Security Using Open Web Application Security Project 10
  • Oct 23, 2020
  • Muhamad Agreindra Helmiawan + 5 more

The Open Web Application Security Project (OWASP) Top 10 is a web application security testing framework that focuses on finding weaknesses in a website. The OWASP Top 10 aims to ensure the safety of websites in the form of checklists. It lists the ten most dangerous types of website vulnerabilities: injection, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. This paper analyzes and tests the security of a website along with six sub-domains, with the aim of determining and assessing the security level of the website, whether additional security is needed, and recommendations for the website. The results of this paper indicate that the main web site has a security level of 80%, the informatics engineering subdomain 60%, information systems 60%, informatics management 60%, the integrated academic system 80%, student admissions 80%, and e-learning 80%.

  • Conference Article
  • Citations: 12
  • 10.1109/icoiact50329.2020.9332116
Vulnerability Analysis Using The Interactive Application Security Testing (IAST) Approach For Government X Website Applications
  • Nov 24, 2020
  • Hermawan Setiawan + 2 more

The security of information and communication technology (ICT) is one of the tasks of government agency X. The security of government ICT can be achieved by applying the principle of Security by Design. The Open Web Application Security Project (OWASP) publishes a list of the potential vulnerability risks that are most common in web applications. Security tests can be carried out by performing a vulnerability assessment. The risk assessment is a series of measures to identify and analyze possible security gaps in the systems of an organization or a company. The steps used to look for vulnerabilities in the vulnerability assessment phase are target discovery, scanning, results analysis, and reporting. The Interactive Application Security Testing (IAST) approach is used for security tests based on a vulnerability assessment. When developing a vulnerability analysis system using the IAST approach, the Jenkins tools, the ZAP API, and SonarQube are used. The results of the vulnerability analysis are grouped based on the OWASP Top Ten 2017. Using the IAST approach, a total of 249 vulnerability risks were identified.

  • Research Article
  • Citations: 1
  • 10.32767/jusikom.v8i1.2057
ANALISIS KEAMANAN SERVER DIGITAL LIBRARY DARI AKTIVITAS CYBER CRIME MENGGUNAKAN METODE OPEN WEB APPLICATION SECURITY PROJECT (Analysis of Digital Library Server Security from Cybercrime Activities Using the Open Web Application Security Project Method)
  • Jun 7, 2023
  • Jusikom : Jurnal Sistem Komputer Musirawas
  • Koko Caniago + 1 more

Analysis of Digital Library Server Security from Cybercrime Activities Using the Open Web Application Security Project Method at Bina Insan University Lubuklinggau. This title was raised due to problems with the Bina Insan University Digital Library server security system, which had been hacked by hackers, so I, as the thesis writer, feel the need to conduct research on the security of the Digital Library server at Bina Insan University Lubuklinggau to see the security holes in the Digital Library server, so that this security gap can later be closed and resolved and cybercrime on the Digital Library server does not happen again. In analyzing the security of the Bina Insan University Digital Library server, I as a researcher use the Open Web Application Security Project method; the Open Web Application Security Project method that I use is the Open Web Application Security Project Top 10, which is a guide that can be used to see the weaknesses on the website server that are easy to attack, so with this guide we can also overcome the weaknesses of the website server itself so that it will be stronger at preventing cybercrime.

  • Conference Article
  • Citations: 6
  • 10.1109/icai55435.2022.9773750
SAT: Integrated Multi-agent Blackbox Security Assessment Tool using Machine Learning
  • Mar 30, 2022
  • Jahanzeb Shahid + 5 more

The widespread adoption of eCommerce, iBanking, and eGovernment institutions has resulted in an exponential rise in the use of web applications. Due to the large number of users, web applications have become a prime target of cybercriminals who want to steal Personally Identifiable Information (PII) and disrupt business activities. Hence, there is a dire need to audit websites and ensure information security. In this regard, several web vulnerability scanners are employed for the vulnerability assessment of web applications, but attacks are still increasing day by day. Therefore, a considerable amount of research has been carried out to measure the effectiveness and limitations of publicly available web scanners. It has been identified that most of the publicly available scanners possess weaknesses and do not generate the desired results. In this paper, the evaluation of publicly available web vulnerability scanners is performed against the OWASP top ten vulnerabilities, and their performance is measured on the precision of their results. (Footnote: The Open Web Application Security Project (OWASP) is an online community that produces comprehensive articles, documentation, methodologies, and tools in the arena of web and mobile security.) Based on these results, we propose an Integrated Multi-Agent Blackbox Security Assessment Tool (SAT) for the security assessment of web applications. Research has shown that the vulnerability assessment results of the SAT are more extensive and accurate.

  • Research Article
  • Citations: 58
  • 10.1016/j.jss.2019.110427
An empirical study of security warnings from static application security testing tools
  • Sep 23, 2019
  • Journal of Systems and Software
  • Bushra Aloraini + 4 more