Research area: Strategies
Venue: International Journal of Information Security
The increasing number of cyber attacks on web applications requires developers and security professionals to test those applications and patch any vulnerabilities. Web application vulnerability scanners can be helpful when performing penetration testing and ensuring application security. This research proposes a methodology for evaluating Dynamic Application Security Testing (DAST) scanners. The methodology compares functionality, performance, effectiveness in finding vulnerabilities, report quality, and usability. The effectiveness assessment focuses on vulnerabilities belonging to the Open Worldwide Application Security Project (OWASP) Top 10. During the research, to demonstrate the methodology’s applicability, four scanners, ZAP, Wapiti, w4af, and Codename SCNR, were evaluated by scanning two web applications, OWASP Juice Shop and OWASP VulnerableApp. The evaluation confirmed that certain scanners excel in different areas and their usefulness varies depending on the application. Additionally, the study revealed that tested DAST scanners can detect vulnerabilities belonging only to specific OWASP Top 10 categories.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Publication country | Andorra |
| Site | Springer |
| Likes | 0 |