Systematic Review of Web Application Security Vulnerabilities Detection Methods

In recent years, web security has largely been viewed in the context of securing the web application layer against attacks by unauthorized users. The vulnerabilities present in the web application layer have been attributed either to the use of an inappropriate software development model to guide the development process, or to the use of a development model that does not treat security as a key factor. This systematic literature review (SLR) was therefore conducted to investigate the security vulnerabilities that affect the web application layer, the security approaches or techniques used to address them, the stages of the software development process at which these approaches or techniques are emphasized, and the tools and mechanisms used to detect vulnerabilities. The study extracted 519 publications from reputable scientific sources, namely the IEEE Computer Society, the ACM Digital Library, ScienceDirect and SpringerLink. After a detailed review process, only 56 key primary studies were retained on the basis of the defined inclusion and exclusion criteria. The review indicates that no single software development model or product is referred to as a standard or preferred one for web application development. In this SLR we perform an in-depth analysis of web application security vulnerability detection methods, which helps to identify the scope for a more comprehensive investigation in future research. Further, taking the OWASP Top 10 web application vulnerabilities identified in 2012 as a reference, we attempt to categorize the vulnerabilities found in the reviewed studies. OWASP is a major source for constructing and validating web security processes and standards.
