A Comparative Analysis of Combined Open Source Versus Commercial Vulnerability Scanning Tools in Detection Effectiveness for Web Applications Based on Open Worldwide Application Security Project (OWASP) Top 10
Dubinin, Arkadii (2024)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202501292070
Abstract
Web applications have become one of the main ways of interaction between clients and service providers. Nowadays, anyone can shop, make an appointment, communicate, learn, sell, and more online. Web applications are used in all sectors and industries, allowing instant service delivery for any age group. This places certain obligations on service providers to ensure secure communication and the safety of client data. Government agencies and international organizations provide guidelines and frameworks to regulate this process. In the European Union, one of the known organizations is ENISA; in the United States, there are NIST and CIS; in the United Kingdom, the NCSC. There are also international organizations such as OWASP, ISO, and IEC.
Modern web applications are no longer as simple and static as before. Each application has become complex and adaptive. Today, a modern application represents a complex interaction system between the client and the service provider, which collects information about the user and provides additional functionality through an application programming interface (API). To successfully protect and analyze those applications, providers need tools that can perform security assessments conveniently and quickly while presenting information about threats in a straightforward, understandable, and usable form. In addition, such tools should include functionality for performing security scans based on the guidelines and frameworks provided by regulatory organizations.
This product-based thesis integrates both business and technical aspects, allowing the research to be analyzed from multiple perspectives. It aims to identify best practices for securing a digital business presence while also serving as a method for developing a new product. On the technical side, it functions as a practical guide for implementing a new solution, configuring automation, and utilizing vulnerability assessment tools. However, the primary goal of this research is to evaluate the effectiveness of a combined open-source solution compared to established commercial assessment tools for detecting vulnerabilities, based on a selected regulatory guideline.
The objectives of this study were achieved as planned. The structure of the modern web application was discussed. Based on the chosen guideline, the open-source tools were combined and compared with commercial tools for detecting vulnerabilities in deliberately vulnerable web applications. The user interface of the commercial tools was assessed, and a dashboard connected to the set of open-source tools was successfully proposed and implemented.