In today’s rapidly evolving digital landscape,web application security has become paramount as organizations face increasingly sophisticated cyber threats.This work presents a comprehensive methodology for implementi...In today’s rapidly evolving digital landscape,web application security has become paramount as organizations face increasingly sophisticated cyber threats.This work presents a comprehensive methodology for implementing robust security measures in modern web applications and the proof of the Methodology applied to Vue.js,Spring Boot,and MySQL architecture.The proposed approach addresses critical security challenges through a multi-layered framework that encompasses essential security dimensions including multi-factor authentication,fine-grained authorization controls,sophisticated session management,data confidentiality and integrity protection,secure logging mechanisms,comprehensive error handling,high availability strategies,advanced input validation,and security headers implementation.Significant contributions are made to the field of web application security.First,a detailed catalogue of security requirements specifically tailored to protect web applications against contemporary threats,backed by rigorous analysis and industry best practices.Second,the methodology is validated through a carefully designed proof-of-concept implementation in a controlled environment,demonstrating the practical effectiveness of the security measures.The validation process employs cutting-edge static and dynamic analysis tools for comprehensive dependency validation and vulnerability detection,ensuring robust security coverage.The validation results confirm the prevention and avoidance of security vulnerabilities of the methodology.A key innovation of this work is the seamless integration of DevSecOps practices throughout the secure Software Development Life Cycle(SSDLC),creating a security-first mindset from initial design to deployment.By combining proactive secure coding practices with defensive security approaches,a framework is established that not only strengthens application security but also fosters a culture of security awareness within development teams.This hybrid approach ensures that security considerations are woven into every aspect of the development process,rather than being treated as an afterthought.展开更多
Emergency medical services (EMS) are a vital element of the public healthcare system in China,^([1])providing an opportunity to respond to critical medical conditions and save people’s lives.^([2])The accessibility o...Emergency medical services (EMS) are a vital element of the public healthcare system in China,^([1])providing an opportunity to respond to critical medical conditions and save people’s lives.^([2])The accessibility of EMS has received considerable attention in health and transport geography studies.^([3])One of the optimal gauges for evaluating the accessibility of EMS is the response time,which is defined as the time from receiving an emergency call to the arrival of an ambulance.^([4])Beijing has already reduced the response time to approximately12 min,and the next goal is to ensure that the response time across Beijing does not exceed 12 min (the information comes from the Beijing Emergency Medical Center).展开更多
Web application fingerprint recognition is an effective security technology designed to identify and classify web applications,thereby enhancing the detection of potential threats and attacks.Traditional fingerprint r...Web application fingerprint recognition is an effective security technology designed to identify and classify web applications,thereby enhancing the detection of potential threats and attacks.Traditional fingerprint recognition methods,which rely on preannotated feature matching,face inherent limitations due to the ever-evolving nature and diverse landscape of web applications.In response to these challenges,this work proposes an innovative web application fingerprint recognition method founded on clustering techniques.The method involves extensive data collection from the Tranco List,employing adjusted feature selection built upon Wappalyzer and noise reduction through truncated SVD dimensionality reduction.The core of the methodology lies in the application of the unsupervised OPTICS clustering algorithm,eliminating the need for preannotated labels.By transforming web applications into feature vectors and leveraging clustering algorithms,our approach accurately categorizes diverse web applications,providing comprehensive and precise fingerprint recognition.The experimental results,which are obtained on a dataset featuring various web application types,affirm the efficacy of the method,demonstrating its ability to achieve high accuracy and broad coverage.This novel approach not only distinguishes between different web application types effectively but also demonstrates superiority in terms of classification accuracy and coverage,offering a robust solution to the challenges of web application fingerprint recognition.展开更多
This paper presents a reference methodology for process orchestration that accelerates the development of Large Language Model (LLM) applications by integrating knowledge bases, API access, and deep web retrieval. By ...This paper presents a reference methodology for process orchestration that accelerates the development of Large Language Model (LLM) applications by integrating knowledge bases, API access, and deep web retrieval. By incorporating structured knowledge, the methodology enhances LLMs’ reasoning abilities, enabling more accurate and efficient handling of complex tasks. Integration with open APIs allows LLMs to access external services and real-time data, expanding their functionality and application range. Through real-world case studies, we demonstrate that this approach significantly improves the efficiency and adaptability of LLM-based applications, especially for time-sensitive tasks. Our methodology provides practical guidelines for developers to rapidly create robust and adaptable LLM applications capable of navigating dynamic information environments and performing effectively across diverse tasks.展开更多
This work leveraged predictive modeling techniques in machine learning (ML) to predict heart disease using a dataset sourced from the Center for Disease Control and Prevention in the US. The dataset was preprocessed a...This work leveraged predictive modeling techniques in machine learning (ML) to predict heart disease using a dataset sourced from the Center for Disease Control and Prevention in the US. The dataset was preprocessed and used to train five machine learning models: random forest, support vector machine, logistic regression, extreme gradient boosting and light gradient boosting. The goal was to use the best performing model to develop a web application capable of reliably predicting heart disease based on user-provided data. The extreme gradient boosting classifier provided the most reliable results with precision, recall and F1-score of 97%, 72%, and 83% respectively for Class 0 (no heart disease) and 21% (precision), 81% (recall) and 34% (F1-score) for Class 1 (heart disease). The model was further deployed as a web application.展开更多
This paper examines strategies for optimizing front-end page loading speed in complex Single-Page Applications(SPAs).Through quantitative analysis,it evaluates the effectiveness of various optimization techniques,incl...This paper examines strategies for optimizing front-end page loading speed in complex Single-Page Applications(SPAs).Through quantitative analysis,it evaluates the effectiveness of various optimization techniques,including resource compression,code-splitting,and network caching.Key findings reveal that intelligent resource preloading,adaptive frameworks,and cross-device optimization significantly enhance loading speed and user experience.The study underscores the importance of combining these strategies to address the challenges posed by complex SPAs and achieve robust performance improvements.Additionally,it explores how emerging technologies like machine learning and server-side rendering can further refine optimization practices.展开更多
In order to improve the efficiency of regression testing in web application,the control flow graph and the greedy algorithm are adopted.This paper considers a web page as a basic unit and introduces a test case select...In order to improve the efficiency of regression testing in web application,the control flow graph and the greedy algorithm are adopted.This paper considers a web page as a basic unit and introduces a test case selection method for web application regression testing based on the control flow graph.This method is safe enough to the test case selection.On the base of features of request sequence in web application,the minimization technique and the priority of test cases are taken into consideration in the process of execution of test cases in regression testing for web application.The improved greedy algorithm is also raised resulting in optimization of execution of test cases.The experiments indicate that the number of test cases which need to be retested is reduced,and the efficiency of execution of test cases is also improved.展开更多
In order to analyze and test the component-based web application and decide when to stop the testing process, the concept of coverage criteria and test requirement reduction approach are proposed. First, four adequacy...In order to analyze and test the component-based web application and decide when to stop the testing process, the concept of coverage criteria and test requirement reduction approach are proposed. First, four adequacy criteria are defined and subsumption relationships among them are proved. Then, a translation algorithm is presented to transfer the test model into a web application decision-to-decision graph(WADDGraph)which is used to reduce testing requirements. Finally, different sets of test requirements can be generated from WADDGraph by analyzing subsumption and equivalence relationships among edges based on different coverage criteria, and testers can select different test requirements according to different testing environments. The case study indicates that coverage criteria follow linear subsumption relationships in real web applications. Test requirements can be reduced more than 55% on average based on different coverage criteria and the size of test requirements increases with the increase in the complexity of the coverage criteria.展开更多
Ajax is really several technologies,each flourishing in its own right,coming together in powerful new ways,which consists of HTML,JavaScript^(TM)technology,DHTML,and DOM,is an outstanding approach that helps to transf...Ajax is really several technologies,each flourishing in its own right,coming together in powerful new ways,which consists of HTML,JavaScript^(TM)technology,DHTML,and DOM,is an outstanding approach that helps to transform clunky Web interfaces into interactive Ajax applications.After the definition to Ajax,how to make asynchronous requests with JavaScript and Ajax was introduced.At the end,advanced requests and responses in Ajax were put forward.展开更多
Forms enhance both the dynamic and interactive abilities of Web applications and the system complexity. And it is especially important to test forms completely and thoroughly. Therefore, this paper discusses how to ca...Forms enhance both the dynamic and interactive abilities of Web applications and the system complexity. And it is especially important to test forms completely and thoroughly. Therefore, this paper discusses how to carry out the form testing by different methods in the related testing phases. Namely, at first, automatically abstracting forms in the Web pages by parsing the HTML documents; then, ohtai ning the testing data with a certain strategies, such as by requirement specifications, by mining users' hefore input informarion or by recording meehanism; and next executing the testing actions automatically due to the well formed test cases; finally, a case study is given to illustrate the convenient and effective of these methods.展开更多
A formal model representing the navigation behavior of a Web application as the Kripke structure is proposed and an approach that applies model checking to test case generation is presented. The Object Relation Diagra...A formal model representing the navigation behavior of a Web application as the Kripke structure is proposed and an approach that applies model checking to test case generation is presented. The Object Relation Diagram as the object model is employed to describe the object structure of a Web application design and can be translated into the behavior model. A key problem of model checking-based test generation for a Web application is how to construct a set of trap properties that intend to cause the violations of model checking against the behavior model and output of counterexamples used to construct the test sequences. We give an algorithm that derives trap properties from the object model with respect to node and edge coverage criteria.展开更多
‘‘Web ground control"(web GC) provides users with instantaneous access to mine design applications anywhere, at any time, through a web browser.Utilizing a web-based multiple-tier architecture, users are able t...‘‘Web ground control"(web GC) provides users with instantaneous access to mine design applications anywhere, at any time, through a web browser.Utilizing a web-based multiple-tier architecture, users are able to easily access ground control designs, perform on-demand calculations in the field, as well as facilitate project collaborations across multiple users, devices, and operating systems.Currently, the web GC platform contains five ground control related design applications previously developed and distributed by the US National Institute of Occupational Safety and Health(NIOSH), that is, analysis of roof bolt stability(ARBS), analysis of longwall pillar stability(ALPS), analysis of retreat mining stability(ARMPS), analysis of retreat mining stability–highwall mining(ARMPS-HWM), and analysis of horizontal stress in mining(AHSM).With respect to design decisions made by the web GC development team, the web GC platform will be able to further integrate future mine design applications providing the mining industry with one of a kind umbrella suite of ground control related software available at ones fingertips.The following paper provides a detailed overview on the current state of the web GC platform with discussions ranging from back-end database development and design to the front-end user-platform interface.Based on current progress in platform development as well as beta testing results, the web GC platform is scheduled for release in the fall of 2018.展开更多
To detect security vulnerabilities in a web application,the security analyst must choose the best performance Security Analysis Static Tool(SAST)in terms of discovering the greatest number of security vulnerabilities ...To detect security vulnerabilities in a web application,the security analyst must choose the best performance Security Analysis Static Tool(SAST)in terms of discovering the greatest number of security vulnerabilities as possible.To compare static analysis tools for web applications,an adapted benchmark to the vulnerability categories included in the known standard Open Web Application Security Project(OWASP)Top Ten project is required.The information of the security effectiveness of a commercial static analysis tool is not usually a publicly accessible research and the state of the art on static security tool analyzers shows that the different design and implementation of those tools has different effectiveness rates in terms of security performance.Given the significant cost of commercial tools,this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for vulnerability categories included in the known standard OWASP Top Ten project.Thus,the practitioners will have more precise information to select the best tool using a benchmark adapted to the last versions of OWASP Top Ten project.The results of this work have been obtaining using widely acceptable metrics to classify them according to three different degree of web application criticality.展开更多
In recent years, web security has been viewed in the context of securing the web application layer from attacks by unauthorized users. The vulnerabilities existing in the web application layer have been attributed eit...In recent years, web security has been viewed in the context of securing the web application layer from attacks by unauthorized users. The vulnerabilities existing in the web application layer have been attributed either to using an inappropriate software development model to guide the development process, or the use of a software development model that does not consider security as a key factor. Therefore, this systematic literature review is conducted to investigate the various security vulnerabilities used to secure the web application layer, the security approaches or techniques used in the process, the stages in the software development in which the approaches or techniques are emphasized, and the tools and mechanisms used to detect vulnerabilities. The study extracted 519 publications from respectable scientific sources, i.e. the IEEE Computer Society, ACM Digital Library, Science Direct, Springer Link. After detailed review process, only 56 key primary studies were considered for this review based on defined inclusion and exclusion criteria. From the review, it appears that no one software is referred to as a standard or preferred software product for web application development. In our SLR, we have performed a deep analysis on web application security vulnerabilities detection methods which help us to identify the scope of SLR for comprehensively investigation in the future research. Further in this SLR considering OWASP Top 10 web application vulnerabilities discovered in 2012, we will attempt to categories the accessible vulnerabilities. OWASP is major source to construct and validate web security processes and standards.展开更多
Software engineering's lifecycle models havc proven to be very important for traditional software development. However, can these models be applied to the development of Web-based applications as well? In recent yea...Software engineering's lifecycle models havc proven to be very important for traditional software development. However, can these models be applied to the development of Web-based applications as well? In recent years, Web-based applications have become more and more complicated and a lot of efforts have been placed on introducing new technologies such as J2EE, PhP, and .NET, etc., which have been universally accepted as the development technologies for Web-based applications. However, there is no universally accepted process model for the development of Web-based applications. Moreover, shaping the process model for small medium-sized enterprises (SMEs), which have limited resources, has been relatively neglected. Based on our previous work, this paper presents an expanded lifecycle process model for the development of Web-based applications in SMEs. It consists of three sets of processes, i.e., requirement processes, development processes, and evolution processes. Particularly, the post-delivery evolution processes are important to SMEs to develop and maintain quality web applications with limited resources and time.展开更多
文摘In today’s rapidly evolving digital landscape,web application security has become paramount as organizations face increasingly sophisticated cyber threats.This work presents a comprehensive methodology for implementing robust security measures in modern web applications and the proof of the Methodology applied to Vue.js,Spring Boot,and MySQL architecture.The proposed approach addresses critical security challenges through a multi-layered framework that encompasses essential security dimensions including multi-factor authentication,fine-grained authorization controls,sophisticated session management,data confidentiality and integrity protection,secure logging mechanisms,comprehensive error handling,high availability strategies,advanced input validation,and security headers implementation.Significant contributions are made to the field of web application security.First,a detailed catalogue of security requirements specifically tailored to protect web applications against contemporary threats,backed by rigorous analysis and industry best practices.Second,the methodology is validated through a carefully designed proof-of-concept implementation in a controlled environment,demonstrating the practical effectiveness of the security measures.The validation process employs cutting-edge static and dynamic analysis tools for comprehensive dependency validation and vulnerability detection,ensuring robust security coverage.The validation results confirm the prevention and avoidance of security vulnerabilities of the methodology.A key innovation of this work is the seamless integration of DevSecOps practices throughout the secure Software Development Life Cycle(SSDLC),creating a security-first mindset from initial design to deployment.By combining proactive secure coding practices with defensive security approaches,a framework is established that not only strengthens application security but also fosters a culture of security awareness within development teams.This hybrid approach ensures that security considerations are woven into every aspect of the development process,rather than being treated as an afterthought.
基金supported by National Key Research & Development Program of China (2022YFC3006201)。
文摘Emergency medical services (EMS) are a vital element of the public healthcare system in China,^([1])providing an opportunity to respond to critical medical conditions and save people’s lives.^([2])The accessibility of EMS has received considerable attention in health and transport geography studies.^([3])One of the optimal gauges for evaluating the accessibility of EMS is the response time,which is defined as the time from receiving an emergency call to the arrival of an ambulance.^([4])Beijing has already reduced the response time to approximately12 min,and the next goal is to ensure that the response time across Beijing does not exceed 12 min (the information comes from the Beijing Emergency Medical Center).
基金supported in part by the National Science Foundation of China under Grants U22B2027,62172297,62102262,61902276 and 62272311,Tianjin Intelligent Manufacturing Special Fund Project under Grant 20211097the China Guangxi Science and Technology Plan Project(Guangxi Science and Technology Base and Talent Special Project)under Grant AD23026096(Application Number 2022AC20001)+1 种基金Hainan Provincial Natural Science Foundation of China under Grant 622RC616CCF-Nsfocus Kunpeng Fund Project under Grant CCF-NSFOCUS202207.
文摘Web application fingerprint recognition is an effective security technology designed to identify and classify web applications,thereby enhancing the detection of potential threats and attacks.Traditional fingerprint recognition methods,which rely on preannotated feature matching,face inherent limitations due to the ever-evolving nature and diverse landscape of web applications.In response to these challenges,this work proposes an innovative web application fingerprint recognition method founded on clustering techniques.The method involves extensive data collection from the Tranco List,employing adjusted feature selection built upon Wappalyzer and noise reduction through truncated SVD dimensionality reduction.The core of the methodology lies in the application of the unsupervised OPTICS clustering algorithm,eliminating the need for preannotated labels.By transforming web applications into feature vectors and leveraging clustering algorithms,our approach accurately categorizes diverse web applications,providing comprehensive and precise fingerprint recognition.The experimental results,which are obtained on a dataset featuring various web application types,affirm the efficacy of the method,demonstrating its ability to achieve high accuracy and broad coverage.This novel approach not only distinguishes between different web application types effectively but also demonstrates superiority in terms of classification accuracy and coverage,offering a robust solution to the challenges of web application fingerprint recognition.
文摘This paper presents a reference methodology for process orchestration that accelerates the development of Large Language Model (LLM) applications by integrating knowledge bases, API access, and deep web retrieval. By incorporating structured knowledge, the methodology enhances LLMs’ reasoning abilities, enabling more accurate and efficient handling of complex tasks. Integration with open APIs allows LLMs to access external services and real-time data, expanding their functionality and application range. Through real-world case studies, we demonstrate that this approach significantly improves the efficiency and adaptability of LLM-based applications, especially for time-sensitive tasks. Our methodology provides practical guidelines for developers to rapidly create robust and adaptable LLM applications capable of navigating dynamic information environments and performing effectively across diverse tasks.
文摘This work leveraged predictive modeling techniques in machine learning (ML) to predict heart disease using a dataset sourced from the Center for Disease Control and Prevention in the US. The dataset was preprocessed and used to train five machine learning models: random forest, support vector machine, logistic regression, extreme gradient boosting and light gradient boosting. The goal was to use the best performing model to develop a web application capable of reliably predicting heart disease based on user-provided data. The extreme gradient boosting classifier provided the most reliable results with precision, recall and F1-score of 97%, 72%, and 83% respectively for Class 0 (no heart disease) and 21% (precision), 81% (recall) and 34% (F1-score) for Class 1 (heart disease). The model was further deployed as a web application.
文摘This paper examines strategies for optimizing front-end page loading speed in complex Single-Page Applications(SPAs).Through quantitative analysis,it evaluates the effectiveness of various optimization techniques,including resource compression,code-splitting,and network caching.Key findings reveal that intelligent resource preloading,adaptive frameworks,and cross-device optimization significantly enhance loading speed and user experience.The study underscores the importance of combining these strategies to address the challenges posed by complex SPAs and achieve robust performance improvements.Additionally,it explores how emerging technologies like machine learning and server-side rendering can further refine optimization practices.
基金The National Natural Science Foundation of China(No.60503020,60503033,60703086)Opening Foundation of Jiangsu Key Laboratory of Computer Information Processing Technology in Soochow University(No.KJS0714)
文摘In order to improve the efficiency of regression testing in web application,the control flow graph and the greedy algorithm are adopted.This paper considers a web page as a basic unit and introduces a test case selection method for web application regression testing based on the control flow graph.This method is safe enough to the test case selection.On the base of features of request sequence in web application,the minimization technique and the priority of test cases are taken into consideration in the process of execution of test cases in regression testing for web application.The improved greedy algorithm is also raised resulting in optimization of execution of test cases.The experiments indicate that the number of test cases which need to be retested is reduced,and the efficiency of execution of test cases is also improved.
基金The National Natural Science Foundation of China(No.90818027,60873050)the National High Technology Research andDevelopment Program of China (863 Program) (No.2009AA01Z147)+2 种基金Opening Foundation of State Key Laboratory Software Engineering in Wu-han University(No.SKLSE20080717)Opening Foundation of State KeyLaboratory for Novel Software Technology in Nanjing University(No.ZZ-KT2008F12)the Key Laboratory Foundation of Shanghai Municipal Science and Technology Commission (No.09DZ2272600)
文摘In order to analyze and test the component-based web application and decide when to stop the testing process, the concept of coverage criteria and test requirement reduction approach are proposed. First, four adequacy criteria are defined and subsumption relationships among them are proved. Then, a translation algorithm is presented to transfer the test model into a web application decision-to-decision graph(WADDGraph)which is used to reduce testing requirements. Finally, different sets of test requirements can be generated from WADDGraph by analyzing subsumption and equivalence relationships among edges based on different coverage criteria, and testers can select different test requirements according to different testing environments. The case study indicates that coverage criteria follow linear subsumption relationships in real web applications. Test requirements can be reduced more than 55% on average based on different coverage criteria and the size of test requirements increases with the increase in the complexity of the coverage criteria.
文摘在7月份的微软全球合作伙伴大会上,微软正式宣布了Office 2010的第一个“半公开”测试版本:Office 2010 Technical Preview和SharePoint 2010 Technical Preview。前者是“传统”的Office客户端程序,后者则定位成“Business Collaboration Platform for the Enteprise and the Web”的下一代Office服务器产品。之所以说它是“半公开”,是因为这个测试版本并非提供给所有用户下载试用,而是通过注册和邀请的方式,只提供给部分特定的测试用户使用。
文摘Ajax is really several technologies,each flourishing in its own right,coming together in powerful new ways,which consists of HTML,JavaScript^(TM)technology,DHTML,and DOM,is an outstanding approach that helps to transform clunky Web interfaces into interactive Ajax applications.After the definition to Ajax,how to make asynchronous requests with JavaScript and Ajax was introduced.At the end,advanced requests and responses in Ajax were put forward.
基金Supported by the National Natural Science Foun-dation of China (60425206 ,90412003 ,60503033)the National Bas-ic Research Program of China (973 Program 2002CB312000 ) Opening Foundation of State Key Laboratory of Software Engineeringin Wuhan University, High Technology Research Project of JiangsuProvince (BG2005032)
文摘Forms enhance both the dynamic and interactive abilities of Web applications and the system complexity. And it is especially important to test forms completely and thoroughly. Therefore, this paper discusses how to carry out the form testing by different methods in the related testing phases. Namely, at first, automatically abstracting forms in the Web pages by parsing the HTML documents; then, ohtai ning the testing data with a certain strategies, such as by requirement specifications, by mining users' hefore input informarion or by recording meehanism; and next executing the testing actions automatically due to the well formed test cases; finally, a case study is given to illustrate the convenient and effective of these methods.
基金Supported by the National Natural Science Foundation of China (60673115)the National Basic Research Program of China (973 Program) (2002CB312001)the Open Foundation of State Key Laboratory of Soft-ware Engineering (SKLSE05-13)
文摘A formal model representing the navigation behavior of a Web application as the Kripke structure is proposed and an approach that applies model checking to test case generation is presented. The Object Relation Diagram as the object model is employed to describe the object structure of a Web application design and can be translated into the behavior model. A key problem of model checking-based test generation for a Web application is how to construct a set of trap properties that intend to cause the violations of model checking against the behavior model and output of counterexamples used to construct the test sequences. We give an algorithm that derives trap properties from the object model with respect to node and edge coverage criteria.
基金sponsored by the Alpha Foundation for the Improvement of Mine Safety and Health, Inc
文摘‘‘Web ground control"(web GC) provides users with instantaneous access to mine design applications anywhere, at any time, through a web browser.Utilizing a web-based multiple-tier architecture, users are able to easily access ground control designs, perform on-demand calculations in the field, as well as facilitate project collaborations across multiple users, devices, and operating systems.Currently, the web GC platform contains five ground control related design applications previously developed and distributed by the US National Institute of Occupational Safety and Health(NIOSH), that is, analysis of roof bolt stability(ARBS), analysis of longwall pillar stability(ALPS), analysis of retreat mining stability(ARMPS), analysis of retreat mining stability–highwall mining(ARMPS-HWM), and analysis of horizontal stress in mining(AHSM).With respect to design decisions made by the web GC development team, the web GC platform will be able to further integrate future mine design applications providing the mining industry with one of a kind umbrella suite of ground control related software available at ones fingertips.The following paper provides a detailed overview on the current state of the web GC platform with discussions ranging from back-end database development and design to the front-end user-platform interface.Based on current progress in platform development as well as beta testing results, the web GC platform is scheduled for release in the fall of 2018.
文摘To detect security vulnerabilities in a web application,the security analyst must choose the best performance Security Analysis Static Tool(SAST)in terms of discovering the greatest number of security vulnerabilities as possible.To compare static analysis tools for web applications,an adapted benchmark to the vulnerability categories included in the known standard Open Web Application Security Project(OWASP)Top Ten project is required.The information of the security effectiveness of a commercial static analysis tool is not usually a publicly accessible research and the state of the art on static security tool analyzers shows that the different design and implementation of those tools has different effectiveness rates in terms of security performance.Given the significant cost of commercial tools,this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for vulnerability categories included in the known standard OWASP Top Ten project.Thus,the practitioners will have more precise information to select the best tool using a benchmark adapted to the last versions of OWASP Top Ten project.The results of this work have been obtaining using widely acceptable metrics to classify them according to three different degree of web application criticality.
文摘In recent years, web security has been viewed in the context of securing the web application layer from attacks by unauthorized users. The vulnerabilities existing in the web application layer have been attributed either to using an inappropriate software development model to guide the development process, or the use of a software development model that does not consider security as a key factor. Therefore, this systematic literature review is conducted to investigate the various security vulnerabilities used to secure the web application layer, the security approaches or techniques used in the process, the stages in the software development in which the approaches or techniques are emphasized, and the tools and mechanisms used to detect vulnerabilities. The study extracted 519 publications from respectable scientific sources, i.e. the IEEE Computer Society, ACM Digital Library, Science Direct, Springer Link. After detailed review process, only 56 key primary studies were considered for this review based on defined inclusion and exclusion criteria. From the review, it appears that no one software is referred to as a standard or preferred software product for web application development. In our SLR, we have performed a deep analysis on web application security vulnerabilities detection methods which help us to identify the scope of SLR for comprehensively investigation in the future research. Further in this SLR considering OWASP Top 10 web application vulnerabilities discovered in 2012, we will attempt to categories the accessible vulnerabilities. OWASP is major source to construct and validate web security processes and standards.
文摘Software engineering's lifecycle models havc proven to be very important for traditional software development. However, can these models be applied to the development of Web-based applications as well? In recent years, Web-based applications have become more and more complicated and a lot of efforts have been placed on introducing new technologies such as J2EE, PhP, and .NET, etc., which have been universally accepted as the development technologies for Web-based applications. However, there is no universally accepted process model for the development of Web-based applications. Moreover, shaping the process model for small medium-sized enterprises (SMEs), which have limited resources, has been relatively neglected. Based on our previous work, this paper presents an expanded lifecycle process model for the development of Web-based applications in SMEs. It consists of three sets of processes, i.e., requirement processes, development processes, and evolution processes. Particularly, the post-delivery evolution processes are important to SMEs to develop and maintain quality web applications with limited resources and time.
