Assessing and Comparing Vulnerability Detection Tools for Web Services: Benchmarking Approach and Examples

IEEE Transactions on Services Computing

Volumn 8, Issue 2, 2015, Pages 269-283

  Antunes, Nuno ^a   Vieira, Marco ^a  

^a UNIVERSITY OF COIMBRA   (Portugal)

Author keywords

Benchmarking; penetration testing; runtime anomaly detection; static analysis; vulnerability detection

Indexed keywords

BENCHMARKING; CONCRETES; INSPECTION EQUIPMENT; SOCIAL NETWORKING (ONLINE); STATIC ANALYSIS; WEBSITES; WORLD WIDE WEB;

ANOMALY DETECTION; DETECTION APPROACH; FALSE POSITIVE RATES; PENETRATION TESTING; SECURITY-CRITICAL; STATE OF THE ART; VULNERABILITY DETECTION; WEB SERVICES ENVIRONMENT;

WEB SERVICES;

EID: 84927724623     PISSN: 19391374     EISSN: None     Source Type: Journal    
DOI: 10.1109/TSC.2014.2310221     Document Type: Article

References (37)

1. G. Alonso, F. Casati, H. Kuno, and V. Machiraju, Web Services: Concepts, Architectures and Applications. first ed., Springer, 2010.
2. S. Christey and R.A. Martin, "Vulnerability Type Distributions in CVE," The MITRE Corporation. V1, 1 2007.
3. L. Lowis and R. Accorsi, "On a Classification Approach for SOA Vulnerabilities," Proc. 33rd Ann. IEEE Int'l Computer Software and Applications Conf. (COMPSAC '09), vol. 2, pp. 439-444, 2009.
4. M. Jensen, N. Gruschka, R. Herkenhoner, and N. Luttenberger, "SOA and Web Services: New Technologies, New Standards - New Attacks," Proc. Presented at the Fifth European Conf. Web Services (ECOWS '07), pp. 35-44, 2007.
5. M. Vieira, N. Antunes, and H. Madeira, "Using Web Security Scanners to Detect Vulnerabilities in Web Services," Proc. IEEE/IFIP Int'l Conf. Dependable Systems Networks (DSN '09), pp. 566-571, 2009.
6. TPC, "TPC Benchmark™ App (Application Server) Standard Specification, Version 1.3," http://www.tpc.org/tpc-app/, 2014.
7. W. Meier, "eXist: An Open Source Native XML Database," Proc. Revised Papers from the NODe 2002 Web and Database-Related Workshops Web, Web-Services, and Database Systems, pp. 169-183, 2003.
8. D. Stuttard and M. Pinto, The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. John Wiley & Sons, 2007.
9. N. Antunes and M. Vieira, "Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services," Proc. 15th IEEE Pacific Rim Int'l Symp. Dependable Computing (PRDC '09), pp. 301-306, 2009.
10. J. Fonseca, M. Vieira, and H. Madeira, "Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks," Proc. Presented at the 13th Pacific Rim Int'l Symp. Dependable Computing (PRDC '07), pp. 365-372, 2007.
11. Y. Eytani and S. Ur, "Compiling a Benchmark of Documented Multi-Threaded Bugs," Proc. 18th Int'l Parallel and Distributed Processing Symp., p. 266, 2004.
12. S. Lu, Z. Li, F. Qin, L. Tan, P. Zhou, and Y. Zhou, "Bugbench: Benchmarks for Evaluating Bug Detection Tools," Proc. Workshop the Evaluation of Software Defect Detection Tools, pp. 1-5, 2005.
13. V. Dallmeier and T. Zimmermann, "Extraction of Bug Localization Benchmarks from History," Proc. 22nd IEEE/ACM Int'l Conf. Automated Software Eng., pp. 433-436, 2007.
14. C.J. Van Rijsbergen, Information Retrieval. Buttersworth, 1979.
15. N. Antunes and M. Vieira, "Benchmarking Vulnerability Detection Tools for Web Services," Proc. IEEE Int'l Conf. Web Services (ICWS), pp. 203-210, 2010.
16. NTA Monitor, "Annual Web Application Security Report," 2008.
17. NTA Monitor, "Annual Security Report," May 2007.
18. NTA Monitor, "Annual Web Application Security Report," 2011.
19. V.B. Livshits and M.S. Lam, "Finding Security Vulnerabilities in Java Applications with Static Analysis," Proc. 14th Conf. USENIX Security Symp., vol. 14, pp. 18-18, 2005.
20. S. Wagner, J. Jürjens, C. Koller, and P. Trischberger, "Comparing Bug Finding Tools with Reviews and Tests," Proc. 17th IFIP TC6/WG6.1 Int'l Conf. Testing of Communicating Systems, pp. 40-55, 2005.
21. N. Antunes, N. Laranjeiro, M. Vieira, and H. Madeira, "Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services," Proc. IEEE Int'l Conf. Services Computing (SCC '09), pp. 260-267, 2009.
22. W.G.J. Halfond and A. Orso, "Preventing SQL Injection Attacks Using AMNESIA," Proc. 28th Int'l Conf. Software Eng., pp. 795-798, 2006.
23. J. Gray, The Benchmark Handbook. Morgan Kaufmann Publishers Inc, 1993.
24. K. Kanoun and L. Spainhower, Dependability Benchmarking for Computer Systems. John Wiley & Sons-IEEE CS Press, 2008.
25. M. Vieira and H. Madeira, "Towards a Security Benchmark for Database Management Systems," Proc. Int'l Conf. Dependable Systems and Networks (DSN '05), pp. 592-601, 2005.
26. A.C. d. Araújo Neto and M. Vieira, "Selecting Secure Web Applications Using Trustworthiness Benchmarking," Int'l J. Dependable and Trustworthy Information Systems, vol. 2, no. 2, pp. 1-16, 2011.
27. H. Do, S. Elbaum, and G. Rothermel, "Supporting Controlled Experimentation with Testing Techniques: An Infrastructure and its Potential Impact," Empirical Software Eng., vol. 10, no. 4, pp. 405-435, Oct. 2005.
28. A. Tajpour and M.J. zade Shooshtari, "Evaluation of SQL Injection Detection and Prevention Techniques," Proc. Second Int'l Conf. Computational Intelligence, Comm. Systems and Networks, pp. 216-221, 2010.
29. N. Antunes and M. Vieira, "Detecting SQL Injection Vulnerabilities in Web Services," Proc. Fourth Latin-Am. Symp. Dependable Computing (LADC '09), pp. 17-24, 2009.
30. F. Curbera, M. Duftler, R. Khalaf, W. Nagy, N. Mukhi, and S. Weerawarana, "Unraveling the Web services Web: An Introduction to SOAP, WSDL, and UDDI," IEEE Internet Computing, vol. 6, no. 2, pp. 86-93, Mar./Apr. 2002.
31. B. Arkin, S. Stender, and G. McGraw, "Software Penetration Testing," IEEE Security & Privacy, vol. 3, no. 1, pp. 84-87, Jan./Feb. 2005.
32. N. Ayewah, D. Hovemeyer, J.D. Morgenthaler, J. Penix, and W. Pugh, "Using Static Analysis to Find Bugs," IEEE Software, vol. 25, no. 5, pp. 22-29, Sept./Oct. 2008.
33. C. Kruegel and G. Vigna, "Anomaly Detection of Web-Based Attacks," Proc. 10th ACM Conf. Computer and Comm. Security, pp. 251-261, 2003.
34. Handbook of Software Reliability Engineering. M.R. Lyu, ed., McGraw-Hill, 1996.
35. Campwood Software, "SourceMonitor Version 2.5," http://www.campwoodsw.com/sourcemonitor.html, 2008.
36. N. Antunes and M. Vieira, "Benchmarks for Vulnerability Detection tools for Web Services," http://eden.dei.uc.pt/~nmsa/publications/vdbench-ws.zip, 2013.
37. N. Antunes and M. Vieira, "Enhancing Penetration Testing with Attack Signatures and Interface Monitoring for the Detection of Injection Vulnerabilities in Web Services," Proc. IEEE Int'l Conf. Services Computing (SCC), pp. 104-111, 2011.