American Journal of Software Engineering and Applications

Research Article | | Peer-Reviewed |

Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model

Received: 8 February 2024    Accepted: 23 February 2024    Published: 13 March 2024
Views:       Downloads:

Share This Article

Abstract

As part of a continuing research for evaluating threats posed for exposed attack surface, this study will provide a consolidated view of exploitability of vulnerable applications presenting a web attack surface of an organization exposed to an attacker. While testing and scanning technologies like Static Analysis Security Testing (SAST), Dynamic Analysis Security Testing (DAST), Application Ethical Hack (Penetration Testing), a monitoring technology like the Web Application Firewall (WAF) provides web traffic information of the number of transaction requests for every application under study. To ensure validity, reliability, and completeness of observation multiple applications must be observed. Research from a prior study is referenced that shows correlation between incoming WAF requests and existing vulnerabilities. Using correlation analysis, vulnerabilities metrics, and a threat model analysis help identify pathways to an attack. A vulnerability map-based attack tree can be developed using Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) information. The threat model analysis and vulnerability-based attack tree can help in simulation studies of possible attacks. This attack tree will show the linkages between vulnerabilities and a lineage pointing to how an attack could travel from the incoming WAF requests to deep down into the application code of exposed and existing, open vulnerabilities travelling laterally to create a more expanded attack crossing trust boundaries using application data flow.

DOI 10.11648/j.ajsea.20241201.12
Published in American Journal of Software Engineering and Applications (Volume 12, Issue 1, June 2024)
Page(s) 5-13
Creative Commons

This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.

Copyright

Copyright © The Author(s), 2024. Published by Science Publishing Group

Keywords

Application Security, Vulnerability Metrics, Correlation Analysis, Threat Model, Vulnerability Map, Attack Tree, Simulation Study, Remediation Prioritization

References
[1] Veracode. State Of Software Security Vol. 11. Veracode, state-of-software-security-volume-11-veracode-report.pdf
[2] Checkmarx. Correlation: The Application Security Testing Imperative in Modern Application Development”, Checkmarx, https://www.forrester.com/report/the-forrester-wave-software-composition-analysis-q3-2021/RES176091?ref_search=3502061_1674835391293&utm_source=PANTHEON_STRIPPED&utm_medium=email&utm_campaign=summit21na&utm_content=blog&categoryid=a89c0000000AKp1AAG%3Futm_source%3DPANTHEON_STRIPPED
[3] Carielli, S., DeMartine, A., Provost, A.C. and Dostie, P. The Forrester Wave™: Software Composition Analysis, Q3 2021-The 10 Providers That Matter Most And How They Stack Up. Forrester, August, https://www.forrester.com/report/the-forrester-wave-software-composition-analysis-q3-2021/RES176091?ref_search=3502061_1674835391293&utm_source=PANTHEON_STRIPPED&utm_medium=email&utm_campaign=summit21na&utm_content=blog&categoryid=a89c0000000AKp1AAG%3Futm_source%3DPANTHEON_STRIPPED
[4] Primeon. Enterprise Applications: Wide Open to Attack in 2018. Primeon, https://www.primeon.com/whitepaper/primeon_wp2_r.pdf?1
[5] Akamai. Slipping Through the Security Gaps: The Rise of Application and API Attacks. Akamai, https://www.akamai.com/blog/security/the-rise-of-application-and-api-attacks
[6] Carielli, S., DeMartine, A., Provost, A.C. and Dostie, P. The Forrester Wave™: Web Application Firewalls, Q3 2022, The 12 Providers That Matter Most And How They Stack Up. Forrester, September, https://www.forrester.com/report/the-forrester-wave-tm-web-application-firewalls-q3-2022/RES176396
[7] Signal Sciences. Identifying Web Attack Indicators. Available from: https://info.signalsciences.com/rs/025-XKO-469/images/signal-sciences-white-paper-identifying-web-attack-indicators.pdf
[8] FASTLY. 10 Key Capabilities of the Fastly Next-Gen WAF. FASTLY, 2022, https://learn.fastly.com/security-10-key-capabilities-of-fastlys-next-gen-waf.html
[9] Na, J. Introducing Secure Application: True Runtime Application Self-Protection (RASP) for the Modern Application. CISCO App Dynamics, https://www.appdynamics.com/blog/product/application-security/
[10] Brumfield, C., & Haugli, B. Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework. Wiley, ISBN: 978-1-119-81628-7.
[11] Geer, D. E. Jr., & McClure, S. (2016). How to Measure Anything in Cybersecurity. John Wiley & Sons, 2016, ISBN 978-1-119-08529-4.
[12] Glas, B. (2020). Comparing BSIMM & SAMM: Building Security In Maturity Model (BSIMM) compared to Software Assurance Maturity Model (SAMM). https://owaspsamm.org/blog/2020/10/29/comparing-bsimm-and-samm/
[13] Kasturi, S., Li, X., Pickard, J., and Li, P. Understanding Statistical Correlation of Application Security Vulnerability Data from Detection and Monitoring Tools. 2023 33rd International Telecommunication Networks and Applications Conference, Melbourne, Australia, 2023, pp. 289-296, https://doi.org/10.1109/ITNAC59571.2023.10368476
[14] MITRE. 2023 CWE Top 25 Most Dangerous Software Weaknesses, CWE - 2023 CWE Top 25 Most Dangerous Software Weaknesses (mitre.org)
[15] OWASP. OWASP Top 10. OWASP. https://owasp.org/Top10/
[16] MITRE. Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) Rules. MITRE, https://cve.mitre.org/cve/cna/CNA_Rules_v2.0.pdfhttps://nvd.nist.gov/vuln
[17] Warner, R. M. (2020) Applied Statistics – II Multivariable and Multivariate Techniques. SAGE Publications
[18] Christopher, J. D. How to Mature ICS Security with Metrics. Industrial Control Systems Security, 2022. https://www.sans.org/blog/mature-ics-security-with-metrics/
[19] OWASP-API. OWASP API Security Top 10, OWASP. https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/
[20] Veracode. State Of Software Security Vol. 10. Veracode, https://www.veracode.com/sites/default/files/pdf/resources/sossreports/state-of-software-security-volume-10-veracode-report.pdf
[21] Veracode. State Of Software Security Vol. 12. Veracode, https://www.veracode.com/sites/default/files/pdf/resources/sossreports/state-of-software-security-v12-nwm.pdf
[22] SALT. State of API Security Q1 2023. SALT LABS, https://content.salt.security/rs/352-UXR-417/images/SaltSecurity-Report-State_of_API_Security.pdf
[23] Morgan, S. (2021). 10 Hot Security Ratings Companies To Watch In 2021. Cybercrime Magazine, https://cybersecurityventures.com/security-ratings-companies/
[24] Hajrić, A., Smaka, T., Baraković, S., and Husić, J.B. Methods, Methodologies, and Tools for Threat Modeling with Case Study, Telfor Journal, Vol. 12, No. 1, 2020, https://scindeks.ceon.rs/Article.aspx?artid=1821-32512001056H
[25] Xiong, W., Legrand, E., Aberg, O., and Lagerstrom, R. Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix. Software and Systems Modeling (2022) 21: 157–177 https://link.springer.com/article/10.1007/s10270-021-00898-7
Cite This Article
  • APA Style

    Kasturi, S., Li, X., Pickard, J., Li, P. (2024). Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model. American Journal of Software Engineering and Applications, 12(1), 5-13. https://doi.org/10.11648/j.ajsea.20241201.12

    Copy | Download

    ACS Style

    Kasturi, S.; Li, X.; Pickard, J.; Li, P. Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model. Am. J. Softw. Eng. Appl. 2024, 12(1), 5-13. doi: 10.11648/j.ajsea.20241201.12

    Copy | Download

    AMA Style

    Kasturi S, Li X, Pickard J, Li P. Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model. Am J Softw Eng Appl. 2024;12(1):5-13. doi: 10.11648/j.ajsea.20241201.12

    Copy | Download

  • @article{10.11648/j.ajsea.20241201.12,
      author = {Santanam Kasturi and Xiaolong Li and John Pickard and Peng Li},
      title = {Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model},
      journal = {American Journal of Software Engineering and Applications},
      volume = {12},
      number = {1},
      pages = {5-13},
      doi = {10.11648/j.ajsea.20241201.12},
      url = {https://doi.org/10.11648/j.ajsea.20241201.12},
      eprint = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ajsea.20241201.12},
      abstract = {As part of a continuing research for evaluating threats posed for exposed attack surface, this study will provide a consolidated view of exploitability of vulnerable applications presenting a web attack surface of an organization exposed to an attacker. While testing and scanning technologies like Static Analysis Security Testing (SAST), Dynamic Analysis Security Testing (DAST), Application Ethical Hack (Penetration Testing), a monitoring technology like the Web Application Firewall (WAF) provides web traffic information of the number of transaction requests for every application under study. To ensure validity, reliability, and completeness of observation multiple applications must be observed. Research from a prior study is referenced that shows correlation between incoming WAF requests and existing vulnerabilities. Using correlation analysis, vulnerabilities metrics, and a threat model analysis help identify pathways to an attack. A vulnerability map-based attack tree can be developed using Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) information. The threat model analysis and vulnerability-based attack tree can help in simulation studies of possible attacks. This attack tree will show the linkages between vulnerabilities and a lineage pointing to how an attack could travel from the incoming WAF requests to deep down into the application code of exposed and existing, open vulnerabilities travelling laterally to create a more expanded attack crossing trust boundaries using application data flow.
    },
     year = {2024}
    }
    

    Copy | Download

  • TY  - JOUR
    T1  - Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model
    AU  - Santanam Kasturi
    AU  - Xiaolong Li
    AU  - John Pickard
    AU  - Peng Li
    Y1  - 2024/03/13
    PY  - 2024
    N1  - https://doi.org/10.11648/j.ajsea.20241201.12
    DO  - 10.11648/j.ajsea.20241201.12
    T2  - American Journal of Software Engineering and Applications
    JF  - American Journal of Software Engineering and Applications
    JO  - American Journal of Software Engineering and Applications
    SP  - 5
    EP  - 13
    PB  - Science Publishing Group
    SN  - 2327-249X
    UR  - https://doi.org/10.11648/j.ajsea.20241201.12
    AB  - As part of a continuing research for evaluating threats posed for exposed attack surface, this study will provide a consolidated view of exploitability of vulnerable applications presenting a web attack surface of an organization exposed to an attacker. While testing and scanning technologies like Static Analysis Security Testing (SAST), Dynamic Analysis Security Testing (DAST), Application Ethical Hack (Penetration Testing), a monitoring technology like the Web Application Firewall (WAF) provides web traffic information of the number of transaction requests for every application under study. To ensure validity, reliability, and completeness of observation multiple applications must be observed. Research from a prior study is referenced that shows correlation between incoming WAF requests and existing vulnerabilities. Using correlation analysis, vulnerabilities metrics, and a threat model analysis help identify pathways to an attack. A vulnerability map-based attack tree can be developed using Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) information. The threat model analysis and vulnerability-based attack tree can help in simulation studies of possible attacks. This attack tree will show the linkages between vulnerabilities and a lineage pointing to how an attack could travel from the incoming WAF requests to deep down into the application code of exposed and existing, open vulnerabilities travelling laterally to create a more expanded attack crossing trust boundaries using application data flow.
    
    VL  - 12
    IS  - 1
    ER  - 

    Copy | Download

Author Information
  • Department of Technology Management, Indiana State University, Terre Haute, USA

  • Department of Electronics and Computer Engineering, Indiana State University, Terre Haute, USA

  • Department of Technology Systems, East Carolina University, Greenville, USA

  • Department of Technology Systems, East Carolina University, Greenville, USA

  • Sections