Title
Effort Estimates on Web Application Vulnerability Discovery
Abstract
Web application vulnerabilities are widely considered a serious concern. However, there are as yet scarce data comparing the effectiveness of different security countermeasures or detailing the magnitude of the security issues associated with web applications. This paper studies the effort required by a professional penetration tester to find an input validation vulnerability in an enterprise web application that has been developed in the presence or absence of four security measures: (i) developer web application security training, (ii) type-safe APIs, (iii) black box testing tools, or (iv) static code analyzers. The judgments of 21 experts are collected and combined using Cooke's classical method. The results show that 53 hours is enough to find a vulnerability with a certainty of 95% even when all four measures have been employed during development. If no measure is employed, 7 hours is enough to find a vulnerability with 95% certainty.
Year: 2013
DOI: 10.1109/HICSS.2013.190
Venue: HICSS
Keywords: classical method, developer web application security, security measure, enterprise web application, black box testing tool, web application vulnerability discovery, security issue, effort estimates, input validation vulnerability, different security countermeasures, web application vulnerability, web application, internet, computer and information science, software reliability, computer literacy
Field: Data validation, Vulnerability (computing), Application security, Computer security, Computer science, White-box testing, Vulnerability management, Web application security, Web application, Vulnerability
DocType: Conference
ISSN: 1530-1605
E-ISBN: 978-0-7695-4892-0
ISBN: 978-0-7695-4892-0
Citations: 3
PageRank: 0.42
References: 15
Authors: 3
Name              Order  Citations  PageRank
Hannes Holm       1      191        14.59
Mathias Ekstedt   2      634        49.70
Teodor Sommestad  3      292        23.72