As part of a continuing research for evaluating threats posed for exposed attack surface, this study will provide a consolidated view of exploitability of vulnerable applications presenting a web attack surface of an organization exposed to an attacker. While testing and scanning technologies like Static Analysis Security Testing (SAST), Dynamic Analysis Security Testing (DAST), Application Ethical Hack (Penetration Testing), a monitoring technology like the Web Application Firewall (WAF) provides web traffic information of the number of transaction requests for every application under study. To ensure validity, reliability, and completeness of observation multiple applications must be observed. Research from a prior study is referenced that shows correlation between incoming WAF requests and existing vulnerabilities. Using correlation analysis, vulnerabilities metrics, and a threat model analysis help identify pathways to an attack. A vulnerability map-based attack tree can be developed using Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) information. The threat model analysis and vulnerability-based attack tree can help in simulation studies of possible attacks. This attack tree will show the linkages between vulnerabilities and a lineage pointing to how an attack could travel from the incoming WAF requests to deep down into the application code of exposed and existing, open vulnerabilities travelling laterally to create a more expanded attack crossing trust boundaries using application data flow.
| Published in | American Journal of Software Engineering and Applications (Volume 12, Issue 1) |
| DOI | 10.11648/j.ajsea.20241201.12 |
| Page(s) | 5-13 |
| Creative Commons |
This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited. |
| Copyright |
Copyright © The Author(s), 2024. Published by Science Publishing Group |
Application Security, Vulnerability Metrics, Correlation Analysis, Threat Model, Vulnerability Map, Attack Tree, Simulation Study, Remediation Prioritization
| [1] | Veracode. State Of Software Security Vol. 11. Veracode, state-of-software-security-volume-11-veracode-report.pdf |
| [2] | Checkmarx. Correlation: The Application Security Testing Imperative in Modern Application Development”, Checkmarx, https://www.forrester.com/report/the-forrester-wave-software-composition-analysis-q3-2021/RES176091?ref_search=3502061_1674835391293&utm_source=PANTHEON_STRIPPED&utm_medium=email&utm_campaign=summit21na&utm_content=blog&categoryid=a89c0000000AKp1AAG%3Futm_source%3DPANTHEON_STRIPPED |
| [3] | Carielli, S., DeMartine, A., Provost, A.C. and Dostie, P. The Forrester Wave™: Software Composition Analysis, Q3 2021-The 10 Providers That Matter Most And How They Stack Up. Forrester, August, https://www.forrester.com/report/the-forrester-wave-software-composition-analysis-q3-2021/RES176091?ref_search=3502061_1674835391293&utm_source=PANTHEON_STRIPPED&utm_medium=email&utm_campaign=summit21na&utm_content=blog&categoryid=a89c0000000AKp1AAG%3Futm_source%3DPANTHEON_STRIPPED |
| [4] | Primeon. Enterprise Applications: Wide Open to Attack in 2018. Primeon, https://www.primeon.com/whitepaper/primeon_wp2_r.pdf?1 |
| [5] | Akamai. Slipping Through the Security Gaps: The Rise of Application and API Attacks. Akamai, https://www.akamai.com/blog/security/the-rise-of-application-and-api-attacks |
| [6] | Carielli, S., DeMartine, A., Provost, A.C. and Dostie, P. The Forrester Wave™: Web Application Firewalls, Q3 2022, The 12 Providers That Matter Most And How They Stack Up. Forrester, September, https://www.forrester.com/report/the-forrester-wave-tm-web-application-firewalls-q3-2022/RES176396 |
| [7] | Signal Sciences. Identifying Web Attack Indicators. Available from: https://info.signalsciences.com/rs/025-XKO-469/images/signal-sciences-white-paper-identifying-web-attack-indicators.pdf |
| [8] | FASTLY. 10 Key Capabilities of the Fastly Next-Gen WAF. FASTLY, 2022, https://learn.fastly.com/security-10-key-capabilities-of-fastlys-next-gen-waf.html |
| [9] | Na, J. Introducing Secure Application: True Runtime Application Self-Protection (RASP) for the Modern Application. CISCO App Dynamics, https://www.appdynamics.com/blog/product/application-security/ |
| [10] | Brumfield, C., & Haugli, B. Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework. Wiley, ISBN: 978-1-119-81628-7. |
| [11] | Geer, D. E. Jr., & McClure, S. (2016). How to Measure Anything in Cybersecurity. John Wiley & Sons, 2016, ISBN 978-1-119-08529-4. |
| [12] | Glas, B. (2020). Comparing BSIMM & SAMM: Building Security In Maturity Model (BSIMM) compared to Software Assurance Maturity Model (SAMM). https://owaspsamm.org/blog/2020/10/29/comparing-bsimm-and-samm/ |
| [13] | Kasturi, S., Li, X., Pickard, J., and Li, P. Understanding Statistical Correlation of Application Security Vulnerability Data from Detection and Monitoring Tools. 2023 33rd International Telecommunication Networks and Applications Conference, Melbourne, Australia, 2023, pp. 289-296, https://doi.org/10.1109/ITNAC59571.2023.10368476 |
| [14] | MITRE. 2023 CWE Top 25 Most Dangerous Software Weaknesses, CWE - 2023 CWE Top 25 Most Dangerous Software Weaknesses (mitre.org) |
| [15] | OWASP. OWASP Top 10. OWASP. https://owasp.org/Top10/ |
| [16] | MITRE. Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) Rules. MITRE, https://cve.mitre.org/cve/cna/CNA_Rules_v2.0.pdfhttps://nvd.nist.gov/vuln |
| [17] | Warner, R. M. (2020) Applied Statistics – II Multivariable and Multivariate Techniques. SAGE Publications |
| [18] | Christopher, J. D. How to Mature ICS Security with Metrics. Industrial Control Systems Security, 2022. https://www.sans.org/blog/mature-ics-security-with-metrics/ |
| [19] | OWASP-API. OWASP API Security Top 10, OWASP. https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/ |
| [20] | Veracode. State Of Software Security Vol. 10. Veracode, https://www.veracode.com/sites/default/files/pdf/resources/sossreports/state-of-software-security-volume-10-veracode-report.pdf |
| [21] | Veracode. State Of Software Security Vol. 12. Veracode, https://www.veracode.com/sites/default/files/pdf/resources/sossreports/state-of-software-security-v12-nwm.pdf |
| [22] | SALT. State of API Security Q1 2023. SALT LABS, https://content.salt.security/rs/352-UXR-417/images/SaltSecurity-Report-State_of_API_Security.pdf |
| [23] | Morgan, S. (2021). 10 Hot Security Ratings Companies To Watch In 2021. Cybercrime Magazine, https://cybersecurityventures.com/security-ratings-companies/ |
| [24] | Hajrić, A., Smaka, T., Baraković, S., and Husić, J.B. Methods, Methodologies, and Tools for Threat Modeling with Case Study, Telfor Journal, Vol. 12, No. 1, 2020, https://scindeks.ceon.rs/Article.aspx?artid=1821-32512001056H |
| [25] | Xiong, W., Legrand, E., Aberg, O., and Lagerstrom, R. Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix. Software and Systems Modeling (2022) 21: 157–177 https://link.springer.com/article/10.1007/s10270-021-00898-7 |
APA Style
Kasturi, S., Li, X., Pickard, J., Li, P. (2024). Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model. American Journal of Software Engineering and Applications, 12(1), 5-13. https://doi.org/10.11648/j.ajsea.20241201.12
ACS Style
Kasturi, S.; Li, X.; Pickard, J.; Li, P. Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model. Am. J. Softw. Eng. Appl. 2024, 12(1), 5-13. doi: 10.11648/j.ajsea.20241201.12
AMA Style
Kasturi S, Li X, Pickard J, Li P. Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model. Am J Softw Eng Appl. 2024;12(1):5-13. doi: 10.11648/j.ajsea.20241201.12
Share This Article
Twitter
Linked In
Facebook
Copy
Download@article{10.11648/j.ajsea.20241201.12,
author = {Santanam Kasturi and Xiaolong Li and John Pickard and Peng Li},
title = {Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model},
journal = {American Journal of Software Engineering and Applications},
volume = {12},
number = {1},
pages = {5-13},
doi = {10.11648/j.ajsea.20241201.12},
url = {https://doi.org/10.11648/j.ajsea.20241201.12},
eprint = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ajsea.20241201.12},
abstract = {As part of a continuing research for evaluating threats posed for exposed attack surface, this study will provide a consolidated view of exploitability of vulnerable applications presenting a web attack surface of an organization exposed to an attacker. While testing and scanning technologies like Static Analysis Security Testing (SAST), Dynamic Analysis Security Testing (DAST), Application Ethical Hack (Penetration Testing), a monitoring technology like the Web Application Firewall (WAF) provides web traffic information of the number of transaction requests for every application under study. To ensure validity, reliability, and completeness of observation multiple applications must be observed. Research from a prior study is referenced that shows correlation between incoming WAF requests and existing vulnerabilities. Using correlation analysis, vulnerabilities metrics, and a threat model analysis help identify pathways to an attack. A vulnerability map-based attack tree can be developed using Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) information. The threat model analysis and vulnerability-based attack tree can help in simulation studies of possible attacks. This attack tree will show the linkages between vulnerabilities and a lineage pointing to how an attack could travel from the incoming WAF requests to deep down into the application code of exposed and existing, open vulnerabilities travelling laterally to create a more expanded attack crossing trust boundaries using application data flow.
},
year = {2024}
}
TY - JOUR T1 - Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model AU - Santanam Kasturi AU - Xiaolong Li AU - John Pickard AU - Peng Li Y1 - 2024/03/13 PY - 2024 N1 - https://doi.org/10.11648/j.ajsea.20241201.12 DO - 10.11648/j.ajsea.20241201.12 T2 - American Journal of Software Engineering and Applications JF - American Journal of Software Engineering and Applications JO - American Journal of Software Engineering and Applications SP - 5 EP - 13 PB - Science Publishing Group SN - 2327-249X UR - https://doi.org/10.11648/j.ajsea.20241201.12 AB - As part of a continuing research for evaluating threats posed for exposed attack surface, this study will provide a consolidated view of exploitability of vulnerable applications presenting a web attack surface of an organization exposed to an attacker. While testing and scanning technologies like Static Analysis Security Testing (SAST), Dynamic Analysis Security Testing (DAST), Application Ethical Hack (Penetration Testing), a monitoring technology like the Web Application Firewall (WAF) provides web traffic information of the number of transaction requests for every application under study. To ensure validity, reliability, and completeness of observation multiple applications must be observed. Research from a prior study is referenced that shows correlation between incoming WAF requests and existing vulnerabilities. Using correlation analysis, vulnerabilities metrics, and a threat model analysis help identify pathways to an attack. A vulnerability map-based attack tree can be developed using Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) information. The threat model analysis and vulnerability-based attack tree can help in simulation studies of possible attacks. This attack tree will show the linkages between vulnerabilities and a lineage pointing to how an attack could travel from the incoming WAF requests to deep down into the application code of exposed and existing, open vulnerabilities travelling laterally to create a more expanded attack crossing trust boundaries using application data flow. VL - 12 IS - 1 ER -
Department of Technology Management, Indiana State University, Terre Haute, USA
Information