Effort Estimates on Web Application Vulnerability Discovery

Authors: Hannes Holm, Mathias Ekstedt, Teodor Sommestad

DOI: 10.1109/HICSS.2013.190

Keywords: Software quality; Vulnerability; Data validation; Web application security; Application security; Computer security; White-box testing; The Internet; Computer science; Vulnerability management; Web application; Vulnerability (computing)

Abstract: Web application vulnerabilities are widely considered a serious concern. However, there is as of yet scarce data comparing the effectiveness of different security countermeasures or detailing the magnitude of the issues associated with web applications. This paper studies the effort that is required by a professional penetration tester to find an input validation vulnerability in an enterprise web application that has been developed in the presence or absence of four measures: (i) developer training, (ii) type-safe APIs, (iii) black box testing tools, and (iv) static code analyzers. The judgments of 21 experts were collected and combined using Cooke's classical method. The results show that 53 hours is enough to find such a vulnerability with 95% certainty even though all four measures have been employed during development. If no measure has been employed, 7 hours is enough for the same certainty.
