Vulnerability testing in the development cycle

Alice Van Rensburg, Sebastiaan Von Solms

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Web applications have been the target of endless attacks, which reach unprecedented levels every year. The root cause of such exposures is vulnerabilities found within web applications. Despite applying various mitigating measures, including security best practices, more than 78% of scanned web applications contain several vulnerabilities yearly. Surveys done by specialists in this field found that the effect of security best practices in the Secure Software Development Life Cycle (S-SDLC) is situation dependent, and suggest a comprehensive metrics program which performs ongoing measurement of the security posture of a web application, tracks progress over time and, in so doing, serves as a guide to which of the SDLC-related activities are effective. This paper extends the S-SDLC with an additional security measure, namely vulnerability testing in the implementation phase, and introduces the prototype "Vulnerability Test Network Prototype", hereafter referred to as VTNP, which implements the new security measure. The VTNP determines the security posture of a web application as early as possible in the implementation phase, specifically during the continuous build (CI) process, and does this continuously as the web application is enhanced and changed. In so doing, the VTNP provides the information for tracking and measuring the security posture of a web application and guides the appropriate actions to be taken. This means that vulnerability testing is conducted during the construction of a web application, specifically after a change or enhancement is made to it. Discovering vulnerabilities in the development cycle alerts developers to vulnerabilities whilst the web application is under construction, enables remediation of vulnerabilities before any software is released and prevents vulnerable code from being perpetuated.
Linking vulnerability assessments to the code changes makes targeted remediation possible and provides a database of historic vulnerability assessments for tracking and monitoring progress, benefiting all involved parties, ranging from developers to security officers of the organisation.
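The abstract describes the core idea behind the VTNP: run a vulnerability assessment on every CI build, store the result against the commit that triggered it, and use the history to attribute findings to code changes and to track the security posture over time. The following is an added example, not the paper's VTNP code, showing a minimal version of that bookkeeping in Python. The scanner check names, commit ids and findings are constructed sample data, and the in-memory `AssessmentHistory` class stands in for the historic assessment database the paper mentions; the scanner itself is out of scope and is represented only by its output.

```python
"""Added example (not the paper's VTNP): record per-commit vulnerability
assessments during CI, attribute new and fixed findings to the change that
introduced them, and compute a posture trend over the commit history.
All findings and commit ids below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical severity weighting used to reduce a finding set to one number.
SEVERITY_WEIGHT = {"high": 10, "medium": 3, "low": 1}


@dataclass(frozen=True)
class Finding:
    check: str      # scanner check name, e.g. "sqli" (hypothetical names)
    location: str   # route or file the scanner flagged
    severity: str   # "high" | "medium" | "low"


@dataclass
class Assessment:
    commit: str
    parent: Optional[str]
    findings: frozenset


def posture_score(findings: Iterable[Finding]) -> int:
    """Weighted count of findings; lower is better."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


class AssessmentHistory:
    """In-memory stand-in for the historic assessment database."""

    def __init__(self) -> None:
        self._by_commit: dict[str, Assessment] = {}

    def record(self, commit: str, parent: Optional[str],
               findings: Iterable[Finding]) -> Assessment:
        """Store the scan result produced by the CI build of `commit`."""
        a = Assessment(commit, parent, frozenset(findings))
        self._by_commit[commit] = a
        return a

    def attribute_change(self, commit: str) -> dict[str, list[Finding]]:
        """Diff this commit's findings against its parent's, so each finding
        is classified as introduced by, remediated by, or carried through
        the change (this is what links assessments to code changes)."""
        cur = self._by_commit[commit]
        prev = self._by_commit.get(cur.parent) if cur.parent else None
        base = prev.findings if prev else frozenset()
        key = lambda f: (f.severity, f.check, f.location)
        return {
            "introduced": sorted(cur.findings - base, key=key),
            "remediated": sorted(base - cur.findings, key=key),
            "carried": sorted(cur.findings & base, key=key),
        }

    def posture_trend(self, commit: str) -> list[tuple[str, int]]:
        """Walk the parent chain and return (commit, score) oldest first."""
        chain = []
        cur: Optional[str] = commit
        while cur is not None:
            a = self._by_commit[cur]
            chain.append((a.commit, posture_score(a.findings)))
            cur = a.parent
        return list(reversed(chain))


def gate(history: AssessmentHistory, commit: str,
         max_new_high: int = 0) -> tuple[bool, list[Finding]]:
    """CI gate: pass only if the change introduced no more than
    `max_new_high` new high-severity findings."""
    introduced = history.attribute_change(commit)["introduced"]
    new_high = [f for f in introduced if f.severity == "high"]
    return len(new_high) <= max_new_high, new_high


def build_sample_history() -> AssessmentHistory:
    """Constructed three-commit history standing in for real CI scan runs."""
    h = AssessmentHistory()
    h.record("c1", None, [Finding("xss", "/search", "medium"),
                          Finding("sqli", "/login", "high")])
    # c2 fixes the login SQLi but adds a low-severity open redirect.
    h.record("c2", "c1", [Finding("xss", "/search", "medium"),
                          Finding("open_redirect", "/next", "low")])
    # c3 reintroduces a high-severity SQLi on a new route.
    h.record("c3", "c2", [Finding("xss", "/search", "medium"),
                          Finding("open_redirect", "/next", "low"),
                          Finding("sqli", "/admin", "high")])
    return h


if __name__ == "__main__":
    h = build_sample_history()
    for c in ("c1", "c2", "c3"):
        ok, new_high = gate(h, c)
        print(c, "PASS" if ok else "FAIL", h.attribute_change(c))
    print("trend:", h.posture_trend("c3"))
```

In a real pipeline `record` would be called from the CI job after the scanner finishes, with the commit and parent ids taken from the build metadata, and `gate` would decide whether the build is allowed to proceed. Keeping the per-commit diff ("introduced" versus "carried") is what makes remediation targeted: the developer who pushed `c3` sees only the SQLi on `/admin`, not the backlog inherited from earlier commits, while the trend gives the security officer the long-run view.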

Original language: English
Title of host publication: Proceedings of the 16th European Conference on Cyber Warfare and Security, ECCWS 2017
Editors: Mark Scanlon, Nhien-An Le-Khac
Publisher: Curran Associates Inc.
Pages: 505-512
Number of pages: 8
ISBN (Electronic): 9781911218432
Publication status: Published - 2017
Event: 16th European Conference on Cyber Warfare and Security, ECCWS 2017 - Dublin, Ireland
Duration: 29 Jun 2017 to 30 Jun 2017

Publication series

Name: European Conference on Information Warfare and Security, ECCWS
Volume: 0
ISSN (Print): 2048-8602
ISSN (Electronic): 2048-8610

Conference

Conference: 16th European Conference on Cyber Warfare and Security, ECCWS 2017
Country/Territory: Ireland
City: Dublin
Period: 29/06/17 to 30/06/17

Keywords

  • Development cycle
  • Metrics
  • S-SDLC
  • Security
  • Vulnerability
  • Web application

ASJC Scopus subject areas

  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
