Abstract

Software security vulnerability is a flaw in a software product that could compromise the integrity, availability, or confidentiality of a software system. The growth and development of software have brought about a corresponding increase in vulnerabilities, which has necessitated the need to develop software security assurance tool that can detect and prevent these vulnerabilities. Previous studies have suggested both commercial and open source tools such as Ashcan, Web Inspect, Web King, Skipfish, and OWASP ZAP just to mention but a few to help mitigate against this security gaps. However, each of this approach has its merits and demerits in detecting vulnerabilities. As a result, this paper seeks to develop a more proactive approach which is a merger or integration of the strength of existing techniques into one system: An integrated web vulnerability detector scanner: which is a software assurance tool for detecting vulnerabilities in web application. The analysis involves presenting a general overview of web application, web application scanners and web application vulnerabilities. Lastly, we present the theoretical framework for detecting web application vulnerabilities based on the proposed model. The preliminary findings show that the concept is feasible within the domain of vulnerability detection

References

• S. Patil, N. Marathe, and P. Padiya, "Design of efficient web vulnerability scanner," in Inventive Computation Technologies (ICICT), International Conference on, 2016, pp. 1-6.
• O. Alhazmi, Y. Malaiya, and I. Ray, "Security vulnerabilities in software systems: A quantitative perspective," in IFIP Annual Conference on Data and Applications Security and Privacy, 2005, pp. 281-294.
• P. Baral, "Web application scanners: a review of related articles [Essay]," IEEE Potentials, vol. 30, pp. 10-14, 2011.
• M. Vieira, N. Antunes, and H. Madeira, "Using web security scanners to detect vulnerabilities in web services," in Dependable Systems & Networks, 2009. DSN'09. IEEE/IFIP International Conference on, 2009, pp. 566-571.
• N. Antunes and M. Vieira, "Detecting SQL injection vulnerabilities in web services," in Dependable Computing, 2009. LADC'09. Fourth Latin-American Symposium on, 2009, pp. 17-24.
• D. D. Neal and S. S. Rahman, "Securing Systems after Deployment," in Advances in Computer Science, Engineering & Applications, ed: Springer, 2012, pp. 685-693.
• N. Jovanovic, C. Kruegel, and E. Kirda, "Static analysis for detecting taint-style vulnerabilities in web applications," Journal of Computer Security, vol. 18, pp. 861-907, 2010.
• S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, "Secubat: a web vulnerability scanner," in Proceedings of the 15th international conference on World Wide Web, 2006, pp. 247-256.
• Y. Makino and V. Klyuev, "Evaluation of web vulnerability scanners," in Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 2015 IEEE 8th International Conference on, 2015, pp. 399-402.
• W. G. Halfond and A. Orso, "Preventing SQL injection attacks using AMNESIA," in Proceedings of the 28th international conference on Software engineering, 2006, pp. 795-798.
• A. Dessiatnikoff, R. Akrout, E. Alata, M. Kaâniche, and V. Nicomette, "A clustering approach for web vulnerabilities detection," in Dependable Computing (PRDC), 2011 IEEE 17th Pacific Rim International Symposium on, 2011, pp. 194-203.
• E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic, "Noxes: a client-side solution for mitigating cross-site scripting attacks," in Proceedings of the 2006 ACM symposium on Applied computing, 2006, pp. 330-337.
• T. Jim, N. Swamy, and M. Hicks, "Defeating script injection attacks with browser-enforced embedded policies," in Proceedings of the 16th international conference on World Wide Web, 2007, pp. 601-610.
• C. Rajesh, K. Srikanth, I. Sarwani, and G. S. Rao, "A Brief Study on Defining Templates to Avoid XSS Vulnerabilities Using Auto Escape Templates for Web Applications," IJCSIT) International Journal of Computer Science and Information Technologies, vol. 6, 2015.
• V. Shanmughaneethi, R. Ravichandran, and S. Swamynathan, "PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications," International Journal on Web Service Computing, vol. 2, p. 57, 2011.
• D. Mitropoulos, V. Karakoidas, and D. Spinellis, "Fortifying Applications Against Xpath Injection Attacks," MCIS, vol. 2009, p. 4th, 2009.
• E. Fong and V. Okun, "Web application scanners: definitions and functions," in System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference on, 2007, pp. 280b-280b.
• F. Elizabeth and O. Vadim, "Web application scanners: Definitions and functions," HICSS 2007, pp. 280b-280b, 2007.
• C. Ghezzi, M. Jazayeri, and D. Mandrioli, Fundamentals of software engineering: Prentice Hall PTR, 2002.
• M. Sutton, A. Greene, and P. Amini, Fuzzing: brute force vulnerability discovery: Pearson Education, 2007.
• E. F. R. G. V. Okun, P. E. Black, and E. Dalci, "Building a Test Suite for Web Application Scanners."
• O. Hamed and N. Kafri, "Performance Prediction of Web Based Application Architectures Case Study: .NET vs. Java EE," International Journal of Web Applications, vol. 1, 2009.
• J. C. Fonseca, M. Vieira, and H. Madeira, "Correlating security vulnerabilities with software faults," 2007.
• H. Le and P. Loh, "Unified approach to vulnerability analysis of web applications," in AIP Conference Proceedings, 2008, pp. 155-159.
• P. E. Black and E. Fong, "Proceedings of Defining the State of the Art in Software Security Tools Workshop," NIST Special Publication, vol. 500, p. 264, 2005.
• S. Panguluri, W. Phillips, and P. Ellis, "Cyber security: protecting water and wastewater infrastructure," in Handbook of water and wastewater systems protection, ed: Springer, 2011, pp. 285-318.
• A. J. Evans, "Software Security Quality: Testing Taxonomy and Testing Tools Classification," Presentation viewgraph for OWASP APPSec DC, 2005.
• A. Makkar and K. Jain, "
• Web application in healthcare: a solution to address the security issues," International Journal Of Management & Behavioural Sciences (IJMBS).
• A. Singh and S. Sathappan, "A Survey on XSS web-attack and Defense Mechanisms," International Journal of Advanced Research in Computer Science and Software Engineering, vol. 4, pp. 1160-1164, 2014.
• A. Tajpour, S. Ibrahim, and M. Sharifi, "Web application security by sql injection detectiontools," IJCSI International Journal of Computer Science Issues, vol. 9, pp. 332-339, 2012.