Holistic Web Application Security Visualization for Multi-Project and Multi-Phase Dynamic Application Security Test Results


Sonmez F. O. , GÜNEL KILIÇ B.

IEEE ACCESS, vol.9, pp.25858-25884, 2021 (Peer-Reviewed Journal) identifier identifier

  • Publication Type: Article / Article
  • Volume: 9
  • Publication Date: 2021
  • Doi Number: 10.1109/access.2021.3057044
  • Journal Name: IEEE ACCESS
  • Journal Indexes: Science Citation Index Expanded, Scopus, Compendex, INSPEC, Directory of Open Access Journals
  • Page Numbers: pp.25858-25884
  • Keywords: Tools, Security, Data visualization, Software, Application security, Prototypes, Monitoring, Computer security, information security, visualization, software engineering, web and internet services, dynamic application security testing, DAST, black-box test

Abstract

As the number of web applications and the corresponding number and sophistication of the threats increases, creating new tools that are efficient and accessible becomes essential. Although there is much research concentrating on network security visualizations, there are only a few studies considering the web application vulnerabilities' possible visualization options. Consequently, to fill this gap, this research centers around a novel perception configuration to improve web application vulnerability monitoring. This study forms a generic data structure based on data sources that might be readily associated and commonly available for the majority of the web applications. The primary contribution of this study is a new dashboard tool for visualizing dynamic application security test results. Another contribution is the metrics/measures that the tool presents. The paper also describes a validation study in which participants answered quiz questions upon using the tool prototype. For the case study, sample data has been generated using the OWASP ZAP scanner tool and a prototype has been implemented to be used for validation purposes. This study allows the investigation of fifty metrics/measures for the multi-project/phase environment that enhances its benefits if the user aims to monitor a series of analyses' results and the changes between them for more than one web project.