Research Article

Application of T-SEC to Measure the Performance of Static Analyzers and Penetration Testing Approaches

by Akwasi Amponsah, Richard Amankwah, Daniel PaaKorsah
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 183 - Number 29
Year of Publication: 2021
Authors: Akwasi Amponsah, Richard Amankwah, Daniel PaaKorsah
10.5120/ijca2021921677

Akwasi Amponsah, Richard Amankwah, Daniel PaaKorsah. Application of T-SEC to Measure the Performance of Static Analyzers and Penetration Testing Approaches. International Journal of Computer Applications. 183, 29 (Oct 2021), 33-36. DOI=10.5120/ijca2021921677

@article{ 10.5120/ijca2021921677,
author = { Akwasi Amponsah, Richard Amankwah, Daniel PaaKorsah },
title = { Application of T-SEC to Measure the Performance of Static Analyzers and Penetration Testing Approaches },
journal = { International Journal of Computer Applications },
issue_date = { Oct 2021 },
volume = { 183 },
number = { 29 },
month = { Oct },
year = { 2021 },
issn = { 0975-8887 },
pages = { 33-36 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume183/number29/32115-2021921677/ },
doi = { 10.5120/ijca2021921677 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%A Akwasi Amponsah
%A Richard Amankwah
%A Daniel PaaKorsah
%T Application of T-SEC to Measure the Performance of Static Analyzers and Penetration Testing Approaches
%J International Journal of Computer Applications
%@ 0975-8887
%V 183
%N 29
%P 33-36
%D 2021
%I Foundation of Computer Science (FCS), NY, USA
Abstract

Software vulnerability analysis is central to investigating the existence of bugs (referred to as vulnerabilities) in software applications. Recently, several approaches, such as static code analyzers (SCA) and penetration testing techniques such as web vulnerability scanners (WVS), have been purported to aid the analysis of vulnerabilities in web applications. Although several SCA and penetration testing tools (both open-source and commercial) have been proposed in the literature, their performance varies, which leaves vendors skeptical about which tool is best suited to detecting a particular type of vulnerability or bug while offering high precision and recall, a low false positive rate and a high detection rate. In this study, we applied the standard evaluation criteria (T-SEC), namely precision and recall, the Youden index, the OWASP web benchmark evaluation (WBE) and the web application security scanner evaluation criteria (WASSEC), to measure the performance of the aforementioned approaches using the Damn Vulnerable Web Application (DVWA) and reports extracted from the Juliet Test Suite.
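The precision, recall and Youden index criteria named in the abstract, worked through in code as an added example that is not part of the paper. The test-case ids, their vulnerable/safe labels and the scanner report are constructed for illustration; Youden's J is computed as TPR + TNR - 1, and the per-class breakdown reflects the abstract's point that a tool's suitability differs by vulnerability type.

```python
# Added example, not from the paper: score a scanner report against labelled
# test cases with the T-SEC metrics the abstract names (precision, recall,
# Youden index). All case ids, labels and the report below are constructed.

def _rate(num, den):
    """Ratio that is 0.0 when the denominator is empty (no positives/negatives)."""
    return num / den if den else 0.0

def confusion(truth, flagged):
    """Count TP/FP/TN/FN of a scanner's flagged case set against ground truth."""
    tp = fp = tn = fn = 0
    for case, vulnerable in truth.items():
        hit = case in flagged
        if vulnerable and hit:
            tp += 1
        elif vulnerable:
            fn += 1       # real flaw the tool missed
        elif hit:
            fp += 1       # safe case the tool flagged
        else:
            tn += 1
    return tp, fp, tn, fn

def evaluate(truth, flagged):
    """Precision, recall (TPR), specificity (TNR) and Youden's J = TPR + TNR - 1
    (equivalently TPR - FPR). Flagging everything or nothing scores J = 0."""
    tp, fp, tn, fn = confusion(truth, flagged)
    recall, specificity = _rate(tp, tp + fn), _rate(tn, tn + fp)
    return {"precision": _rate(tp, tp + fp), "recall": recall,
            "specificity": specificity, "youden": recall + specificity - 1}

def by_category(truth, flagged):
    """Score each vulnerability class on its own (class = id prefix), because a
    tool that is strong on SQLi may still be weak on XSS."""
    cats = sorted({c.split("_")[0] for c in truth})
    return {cat: evaluate({c: v for c, v in truth.items()
                           if c.startswith(cat + "_")}, flagged) for cat in cats}

# Constructed ground truth: True = the case really contains the flaw (like a
# DVWA page or a Juliet "bad" function), False = a safe variant.
GROUND_TRUTH = {
    "sqli_01": True, "sqli_02": True, "sqli_03_safe": False,
    "xss_01": True, "xss_02_safe": False, "xss_03": True,
    "cmdi_01": True, "cmdi_02_safe": False, "cmdi_03_safe": False,
    "csrf_01": True,
}
# Constructed report of a hypothetical scanner: the cases it flagged.
SCANNER_REPORT = {"sqli_01", "sqli_02", "xss_01", "xss_02_safe",
                  "cmdi_01", "cmdi_03_safe"}
```

`evaluate(GROUND_TRUTH, SCANNER_REPORT)` gives precision and recall of 4/6 but a Youden index of only 1/6, because half of the safe cases were flagged; `by_category` shows the same tool scoring J = 1 on SQLi and J = -0.5 on XSS.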

Index Terms

Computer Science
Information Sciences

Keywords

Open-source scanner; Vulnerability detection; Vulnerability scanner; Damn Vulnerable Web Application