Open Access
ARTICLE
Hybrid Security Assessment Methodology for Web Applications
Roddy A. Correa1, Juan Ramón Bermejo Higuera2, Javier Bermejo Higuera2, Juan Antonio Sicilia Montalvo2, Manuel Sánchez Rubio2, Á. Alberto Magreñán3,*
1 Universidad Técnica Particular de Loja, San Cayetano Alto, Loja, Ecuador
2 Escuela Superior de Ingeniería y Tecnología, Universidad Internacional de La Rioja, Logroño, 26006, Spain
3 Universidad de la Rioja, Logroño, 26006, Spain
* Corresponding Author: Á. Alberto Magreñán. Email:
Computer Modeling in Engineering & Sciences 2021, 126(1), 89-124. https://doi.org/10.32604/cmes.2021.010700
Received 21 March 2020; Accepted 23 June 2020; Issue published 22 December 2020
Abstract
This study presents a methodology to evaluate and prevent security vulnerabilities in web applications. The analysis process is based on techniques and tools that support both white-box and black-box security assessments, so that the security validation of a web application can be carried out in an agile and precise way. The objective of the methodology is to exploit the synergies between semi-automatic static and dynamic security analysis tools and manual checks. Each phase of the methodology is supported by security analysis tools with different degrees of coverage, so that the results generated in one phase feed the following phases and yield an optimized global security analysis result. The methodology can be used as part of other, more general methodologies that do not specify how static and dynamic analysis tools should be used in the implementation and testing phases of a Secure Software Development Life Cycle (SSDLC). A practical application of the methodology to the security analysis of a real web application demonstrates its effectiveness by obtaining a better-optimized vulnerability detection result with respect to the true and false positive metrics. Dynamic analysis with manual checking is used to audit the results: 24.6 per cent of the security vulnerabilities reported by the static analysis were checked in this way. This phase is very important because it permits each reported vulnerability to be checked by a second, dynamic tool to confirm whether it is a true or a false positive, and it allows studying which vulnerabilities can be directly exploited externally. Dynamic analysis finds six (6) additional critical vulnerabilities. Access control analysis finds five (5) further important vulnerabilities, such as Insufficiently Protected Passwords or Weak Password Policy and Excessive Authentication Attacks, two vulnerabilities that permit brute force attacks.
Keywords
Cite This Article
Correa, R. A., Ramón, J., Higuera, J. B., Antonio, J., Rubio, M. S. et al. (2021). Hybrid Security Assessment Methodology for Web Applications.
CMES-Computer Modeling in Engineering & Sciences, 126(1), 89–124. https://doi.org/10.32604/cmes.2021.010700