Article

Comparing Effectiveness and Efficiency of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) Tools in a Large Java-Based System


... We studied IAST and RASP tools in terms of effectiveness and efficiency and compared our findings with the four techniques and tools used in the Elder et al. study (Seth 2022). We performed our analysis based on the quantity and type of vulnerabilities detected by the IAST tools and the quantity and type of vulnerabilities prevented by the RASP tools to assess the effectiveness of the tools. ...
Article
Context: Security resources are scarce, and practitioners can benefit from guidance in the effective and efficient usage of tools and techniques to detect and prevent the exploitation of software vulnerabilities. Interactive Application Security Testing (IAST) is a vulnerability detection tool that combines static and dynamic testing using sensor modules and agents. Runtime Application Self-Protection (RASP) tools monitor an application’s behavior and block attempts to exploit existing vulnerabilities in a running application. IAST and RASP have not often been compared to well-established counterparts, such as Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and penetration testing, particularly in the context of a large system.

Objective: The goal of this research is to aid practitioners in making informed choices about the use of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) tools through an analysis of their effectiveness and efficiency in comparison with other vulnerability detection and exploit prevention techniques and tools.

Methods: We apply IAST and RASP on OpenMRS, an open-source Java-based online medical records web application. We compare the efficiency and effectiveness of IAST and RASP with techniques applied on OpenMRS in prior work: Systematic (SMPT) and Exploratory (EMPT) Manual Penetration Testing techniques and SAST and DAST tools. We measure efficiency and effectiveness in terms of the number and type of vulnerabilities detected and prevented per hour.

Results: In the context of a large, enterprise-scale web application, our study shows that IAST performed second best in both efficiency and effectiveness. IAST’s efficiency (2.14 Vulnerabilities per Hour (VpH)) is second to EMPT’s (2.22 VpH). IAST found 91 (8%) unique vulnerabilities not found by other tools and techniques, with SAST finding 823 (71%) unique vulnerabilities. Regarding effectiveness, IAST detected 8 of the Top-10 OWASP web application security risks, compared to 9 by SMPT and 7 by EMPT, DAST, and SAST. Our results indicate that RASP only prevents Injection attacks in OpenMRS.

Conclusion: IAST is an efficient and effective tool that complements other vulnerability detection tools and techniques. RASP does not replace vulnerability detection but can prevent the exploitation of existing injection vulnerabilities in a running application.
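The abstract's central distinction is that RASP does not find the vulnerable code; it hooks the running application and stops exploitation of an existing injection flaw at the moment the query is executed. The following Python sketch, added here as an illustration and not taken from the paper or from any RASP product, shows that mechanism in miniature: a deliberately vulnerable lookup (string concatenation into SQL) is left in place, and a guard wrapped around the execute call blocks a request whenever a request parameter changed the structure of the query rather than supplying a single literal value. The names (`guarded_execute`, `input_alters_structure`, `RaspBlocked`), the in-memory SQLite table and the inputs are all constructed for this example; real agents use taint tracking instead of the substring search used here.

```python
"""Toy RASP-style guard against SQL injection (added illustration, not the paper's code).

The vulnerable code is untouched; the guard only blocks exploitation at runtime."""
import re
import sqlite3
from dataclasses import dataclass

# Tokenizer: single-quoted strings ('' escapes a quote), numbers, words, single punctuation.
_TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|\S")


@dataclass
class Token:
    text: str
    start: int
    end: int
    kind: str  # "string", "number", "word" or "punct"


def tokenize(sql):
    """Split a SQL statement into tokens with their character offsets."""
    tokens = []
    for m in _TOKEN_RE.finditer(sql):
        t = m.group(0)
        if t.startswith("'"):
            kind = "string"
        elif t[0].isdigit():
            kind = "number"
        elif t[0].isalpha() or t[0] == "_":
            kind = "word"
        else:
            kind = "punct"
        tokens.append(Token(t, m.start(), m.end(), kind))
    return tokens


def input_alters_structure(sql, user_input):
    """True if user_input occurs in sql and is not confined to one literal token.

    Substring search stands in for taint tracking here, so an input that also
    happens to equal an identifier in the query (e.g. a table name) is flagged."""
    if not user_input:
        return False
    tokens = tokenize(sql)
    start = sql.find(user_input)
    while start != -1:
        end = start + len(user_input)
        covering = [t for t in tokens if t.start <= start and end <= t.end]
        # Safe only if the whole input sits inside a single string or number literal.
        if not any(t.kind in ("string", "number") for t in covering):
            return True
        start = sql.find(user_input, start + 1)
    return False


class RaspBlocked(Exception):
    """Raised by the guard when a request parameter changed the query's structure."""


def guarded_execute(sql, request_inputs, execute):
    """Hook around the real execute call, in the position a RASP agent instruments."""
    for name, value in request_inputs.items():
        if input_alters_structure(sql, str(value)):
            raise RaspBlocked(f"parameter {name!r} altered SQL structure")
    return execute(sql)


def build_demo_db():
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def find_user_vulnerable(conn, name, guarded=True):
    """Deliberately vulnerable lookup: the name is concatenated into the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"

    def execute(q):
        return conn.execute(q).fetchall()

    if guarded:
        return guarded_execute(sql, {"name": name}, execute)
    return execute(sql)


if __name__ == "__main__":
    db = build_demo_db()
    print(find_user_vulnerable(db, "alice"))                   # benign request passes
    print(find_user_vulnerable(db, "' OR '1'='1", guarded=False))  # flaw still present
    try:
        find_user_vulnerable(db, "' OR '1'='1")                # guard blocks the exploit
    except RaspBlocked as e:
        print("blocked:", e)
```

Running the script shows the three cases the abstract contrasts: the benign lookup returns one row, the unguarded call returns every row because the vulnerability is still in the code, and the guarded call raises `RaspBlocked`. The guard changes none of that underlying code, which is why the abstract treats RASP as a complement to IAST, SAST and DAST rather than a replacement for them.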
... Reviewing several application security tools reveals beneficial information about their usefulness, effectiveness, and suitability for improved software application security [38]. Despite their crucial function in quickly identifying vulnerabilities, SAST tools have specific limitations. ...
Article
Cybersecurity is crucial in today's era of advanced technology, rapidly developing scientific understanding, and a completely interconnected global society to guarantee high safety in all aspects of life. Furthermore, there is an ever-increasing number of difficulties and dangers to achieving security in cyberspace. One of the most basic and essential ways to avoid cybersecurity is to conduct security testing for vulnerabilities. In order to make the most of the potential synergies between various types of analysis tools, this paper combines static white box security analysis (SAST), dynamic black box security analysis (DAST), and interactive white box security analysis (IAST) in that order. This investigation aims to improve security vulnerability detection while decreasing false positives.
... A comparative analysis of application security tools, including static application security testing (SAST), dynamic application security testing (DAST), and runtime application self-protection technologies (RASP), provides insightful conclusions about their effectiveness, utility, and applicability for improving software application security [19]. ...
... Its utility has expanded to encompass business API security through feature matching, policy rules, parameter validation, and compliance assessments [39]. However, it is essential to recognize that WAF fundamentally functions as a traffic and content inspector, primarily focusing on input requests and employing rudimentary pattern matching to detect potentially malicious activities [40]. Regrettably, its protective efficacy often experiences limitations in terms of precision and fails to fully address the intricate business security scenarios elucidated above. ...
Article
In the evolving landscape of complex business ecosystems and their digital platforms, an increasing number of business Application Programming Interfaces (APIs) are encountering challenges in ensuring optimal authorization control. This challenge arises due to factors such as programming errors, improper configurations, and sub-optimal business processes. While security departments have exhibited proficiency in identifying vulnerabilities and mitigating certain viral or adversarial incursions, the safeguarding of comprehensive business processes remains an intricate task. This paper introduces a novel paradigm, denoted as the Low-Intervention Security Embedding Architecture (LiSEA), which empowers business applications to enhance the security of their processes through judicious intervention within business APIs. By strategically incorporating pre- and post-intervention checkpoints, we devise a finely grained access control model that meticulously assesses both the intent of incoming business requests and the outcomes of corresponding responses. Importantly, these advancements are seamlessly integrated into the existing business codebase. Our implementation demonstrates the effectiveness of LiSEA, as it adeptly addresses eight out of the ten critical vulnerabilities enumerated in the OWASP API Security Top 10. Notably, when the number of threads is less than 200, LiSEA brings less than 20 msec of latency to the business process, which is significantly less than the microservice security agent based on the API gateway.
Book
Information security is the practice of protecting information from threats that can damage its integrity, confidentiality, and availability. Information security aims to keep data safe from unauthorized access, use, disclosure, destruction, or alteration. Information security encompasses the policies, procedures, and technologies used to protect data in electronic, physical, and other forms. This book covers: Chapter 1 Introduction to Information Security; Chapter 2 Principles of Information Security; Chapter 3 Network Security; Chapter 4 Data Protection; Chapter 5 Types of Cyber Attacks; Chapter 6 Security Policy; Chapter 7 Threat Analysis; Chapter 8 Application Security; Chapter 9 Internet of Things (IoT) Security; Chapter 10 Security Testing and Evaluation.