    Hybrid Security Assessment Methodology for Web Applications

    Authors: Correa, Roddy A.; Bermejo Higuera, Juan Ramón (1); Bermejo-Higuera, Javier (1); Sicilia, Juan Antonio (1); Sánchez Rubio, Manuel (1); Magreñán, Á. Alberto
    Date: 2021
    Keywords: web applications; security vulnerability; weakness; security analysis; white box; black box; interactive application security testing; static application security testing; dynamic application security testing; JCR; Scopus
    Item type: Indexed journal article
    URI: https://reunir.unir.net/handle/123456789/11242
    DOI: https://doi.org/10.32604/cmes.2021.010700
    Web address: https://www.techscience.com/CMES/v126n1/40863
    Open Access
    Abstract:
    This study presents a methodology to evaluate and prevent security vulnerabilities in web applications. The analysis process is based on techniques and tools that support both white-box and black-box security assessments, so that the security validation of a web application can be carried out in an agile and precise way. The objective of the methodology is to take advantage of the synergies between semi-automatic static and dynamic security analysis tools and manual checks. Each phase of the methodology is supported by security analysis tools of different degrees of coverage, so that the results generated in one phase feed the following phases and produce an optimized global security analysis result. The methodology can be used as part of other, more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle (SSDLC). A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics. Dynamic analysis with manual checking is used to audit the results: 24.6 per cent of the security vulnerabilities reported by the static analysis were checked in this way. This phase is very important because it allows each reported vulnerability to be checked by a second, dynamic tool to confirm whether it is a true or false positive, and it allows studying which vulnerabilities can be directly exploited externally. Dynamic analysis finds six (6) additional critical vulnerabilities. Access control analysis finds another five (5) important vulnerabilities, such as Insufficiently Protected Passwords or Weak Password Policy, and Excessive Authentication Attacks, two vulnerabilities that permit brute force attacks.
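The core idea of the abstract, feeding static-analysis (SAST) findings into a dynamic phase that confirms or refutes each one and also surfaces issues only reachable from outside, can be illustrated with a small triage script. This is an added example and not the authors' tooling or the tool chain used in the paper; the finding records, field names, CWE numbers, routes and sample findings below are constructed for the illustration, and the mapping from a static sink to an HTTP route is assumed to come from a manual analyst step.

```python
"""Correlate SAST findings with DAST results from a hybrid assessment.

Each static finding is tagged 'confirmed' (a dynamic check exploited it),
'not_exploitable' (a dynamic check reached it but could not exploit it:
either a false positive or a weakness not reachable from outside, which
still needs manual review) or 'unverified' (no dynamic check covered it).
Dynamic results with no static counterpart are reported as new findings.

Added example; formats and sample data are constructed, not the paper's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SastFinding:
    id: str
    cwe: int          # CWE id reported by the static tool (constructed)
    file: str
    line: int
    sink_route: str   # route the analyst mapped the sink to (manual step, assumed)


@dataclass(frozen=True)
class DastResult:
    route: str
    cwe: int
    exploited: bool   # True if the dynamic tool / manual check got a working request


# Constructed sample input: five static findings, four dynamic results.
SAST = [
    SastFinding("S1", 89, "app/users.py", 42, "/api/users"),     # SQL injection
    SastFinding("S2", 79, "app/search.py", 17, "/search"),       # XSS
    SastFinding("S3", 22, "app/files.py", 88, "/download"),      # path traversal
    SastFinding("S4", 89, "app/reports.py", 120, "/reports"),    # not reached by DAST
    SastFinding("S5", 798, "app/config.py", 3, ""),              # hard-coded secret, no route
]
DAST = [
    DastResult("/api/users", 89, True),
    DastResult("/search", 79, False),   # payload reflected but encoded: not exploitable
    DastResult("/download", 22, True),
    DastResult("/login", 307, True),    # found only dynamically: no lockout, brute force works
]


def correlate(sast, dast):
    """Map each SAST finding id to 'confirmed', 'not_exploitable' or 'unverified'."""
    index = {(d.route, d.cwe): d for d in dast}
    status = {}
    for s in sast:
        d = index.get((s.sink_route, s.cwe))
        if d is None:
            status[s.id] = "unverified"
        elif d.exploited:
            status[s.id] = "confirmed"
        else:
            status[s.id] = "not_exploitable"
    return status


def dast_only(sast, dast):
    """Exploited dynamic results that no static finding covers: new vulnerabilities."""
    covered = {(s.sink_route, s.cwe) for s in sast}
    return [d for d in dast if d.exploited and (d.route, d.cwe) not in covered]


def metrics(status):
    """Share of static findings audited dynamically, and precision among those."""
    total = len(status)
    checked = sum(1 for v in status.values() if v != "unverified")
    confirmed = sum(1 for v in status.values() if v == "confirmed")
    return {
        "checked_fraction": checked / total if total else 0.0,
        "precision_on_checked": confirmed / checked if checked else 0.0,
    }


if __name__ == "__main__":
    status = correlate(SAST, DAST)
    for fid, st in sorted(status.items()):
        print(f"{fid}: {st}")
    for d in dast_only(SAST, DAST):
        print(f"new (dynamic only): {d.route} CWE-{d.cwe}")
    print(metrics(status))
```

The `checked_fraction` metric is the analogue of the 24.6 per cent figure in the abstract (the share of static findings that the dynamic phase actually audited); `not_exploitable` findings are deliberately not discarded as false positives, since a weakness in code that the dynamic scan cannot reach is still a weakness.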
    This item appears in the following collection(s):
    • WOS and SCOPUS Scientific Articles (Artículos Científicos WOS y SCOPUS)

    Usage statistics

    Year        Views   Downloads
    2012-2020       0           0
    2021           54           0
    2022           23           0

    Related items

    Showing items related by title, author or subject.

    • MMALE a methodology for malware analysis in linux environments 

      de Vicente Mohino, José Javier (1); Bermejo-Higuera, Javier; Bermejo Higuera, Juan Ramón; Sicilia, Juan Antonio (1); Sánchez Rubio, Manuel (1); Martínez Herraiz, José-Javier (Computers, materials and continua, 2021)
      In a computer environment, an operating system is prone to malware, and even the Linux operating system is not an exception. In recent years, malware has evolved, and attackers have become more qualified compared to a few years ...
    • Building a dataset through attack pattern modeling and analysis system 

      Bermejo Higuera, Juan Ramón (1); Bermejo-Higuera, Javier (1); Tébar García, Juan Luis (1); Sicilia, Juan Antonio (1); Sánchez Rubio, Manuel (1) (Elsevier Ltd, 2021)
      The different types of cyber-attacks on information and telecommunications systems are becoming increasingly sophisticated and complex, with several defined phases (attack pattern). Therefore, it is necessary to research ...
    • Combinatorial method with static analysis for source code security in web applications 

      Bermejo Higuera, Juan Ramón (1); Bermejo-Higuera, Javier (1); Sicilia, Juan Antonio (1); Sureda Riera, Tomás; Argyros, Christopher I.; Magreñán, Á. Alberto (1) (Tech Science Press, 2021)
      Security weaknesses in web applications deployed in cloud architectures can seriously affect its data confidentiality and integrity. The construction of the procedure utilized in the static analysis tools of source code ...

    © UNIR - Universidad Internacional de La Rioja