Abstract
The delivery of a framework in place for secure application development is of real value for application development teams to integrate security into their development life cycle, especially when a mobile or web application moves past the scanning stage and focuses increasingly on the remediation or mitigation phase based on static application security testing (SAST). For the first time, to the author’s knowledge, the industry-standard Open Web Application Security Project (OWASP) top 10 vulnerabilities and CWE/SANS top 25 most dangerous software errors are synced up in a matrix with Checkmarx vulnerability queries, producing an application security framework that helps development teams review and address code vulnerabilities, minimise false positives discovered in static scans and penetration tests, targeting an increased accuracy of the findings. A case study is conducted for vulnerabilities scanning of a proof-of-concept mobile malware detection app. Mapping the OWASP/SANS with Checkmarx vulnerabilities queries, flaws and vulnerabilities are demonstrated to be mitigated with improved efficiency.
Highlights
With the prevalence of Internet of Things devices [1] and unprecedented flows of data [2] in theThe amount of downloaded mobile applications is constantly on the increase meaning that mobile phones are increasingly vulnerable to malware and other malicious code [10]
By carefully investigating file locations that reported by the Checkmarx vulnerability queries, we observe that 90% of the issues originate from the externally developed libraries used in the python framework (Flask and TensorFlow), which are considered out of scope and filtered for a rescan
Checkmarx vulnerability queries are mapped with the proposed matrix of Open Web Application Security Project (OWASP) Top 10 and SANS Common Weakness Enumeration (CWE) in Table 5, producing a state-of-the-art vulnerabilities matrix guiding application development teams and application security consultants for code remediation
Summary
With the prevalence of Internet of Things devices [1] and unprecedented flows of data [2] in the. Jinfeng Li, “Vulnerabilities Mapping based on OWASP-SANS: A Survey for Static Application Security Testing (SAST)”, Annals of Emerging Technologies in Computing (AETiC), Print ISSN: 2516-0281, Online ISSN: 2516-029X, pp. A customisable anti-malware application is developed in this work which scans APK code files from all other downloaded applications and uses machine learning algorithms to identify potentially malicious code, providing an advert-free experience with only necessary notifications. A survey on OWASP risk rating methodology is presented, followed by the code vulnerabilities mapping into a novel matrix of OWASP Top 10 and SANS top 25 in Section 4 for optimising the checkmark based SAST.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
