TY - GEN
T1 - Vulnerability testing in the development cycle
AU - Van Rensburg, Alice
AU - Von Solms, Sebastiaan
PY - 2017
Y1 - 2017
N2 - Web applications have been the target of endless attacks which reach unprecedented levels every year. The root cause of such exposures is vulnerabilities found within web applications. Despite applying various mitigating measures, including security best practices, more than 78% of scanned web applications contain several vulnerabilities yearly. Surveys done by specialists in this field found that the effect of security best practices in the Secure Software Development Life Cycle (S-SDLC) is situation dependent, and suggest a comprehensive metrics program which performs ongoing measurement of the security posture of a web application, tracks progress over time and, in so doing, serves as a guide for which of the SDLC-related activities should be effective. This paper extends the S-SDLC with an additional security measure, namely vulnerability testing in the implementation phase, and introduces the prototype "Vulnerability Test Network Prototype", hereafter referred to as VTNP, which implements the new security measure. The VTNP determines the security posture of a web application as early as possible in the implementation phase, specifically during the continuous build (CI) process, and does this continuously as the web application is enhanced and changed. In so doing, the VTNP provides the information for tracking and measuring the security posture of a web application and guides appropriate actions to be taken. This means that vulnerability testing is conducted during the construction of a web application, specifically after a change or enhancement is made to the web application. Discovering vulnerabilities in the development cycle alerts developers to vulnerabilities whilst the web application is under construction, enables remediation of vulnerabilities before any software is released and prevents vulnerable code from being perpetuated. Linking vulnerability assessments to the code changes makes targeted remediation possible and provides a database of historic vulnerability assessments for tracking and monitoring progress, benefiting all involved parties, ranging from developers to security officers of the organisation.
KW - Development cycle
KW - Metrics
KW - S-SDLC
KW - Security
KW - Vulnerability
KW - Web application
UR - http://www.scopus.com/inward/record.url?scp=85028021084&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85028021084
T3 - European Conference on Information Warfare and Security, ECCWS
SP - 505
EP - 512
BT - Proceedings of the 16th European Conference on Cyber Warfare and Security, ECCWS 2017
A2 - Scanlon, Mark
A2 - Le-Khac, Nhien-An
PB - Curran Associates Inc.
T2 - 16th European Conference on Cyber Warfare and Security, ECCWS 2017
Y2 - 29 June 2017 through 30 June 2017
ER -