Web服务漏洞检测工具的基准测试

2010 IEEE International Conference on Web Services Pub Date : 2010-07-05 DOI:10.1109/ICWS.2010.76

Nuno Antunes, M. Vieira

{"title":"Web服务漏洞检测工具的基准测试","authors":"Nuno Antunes, M. Vieira","doi":"10.1109/ICWS.2010.76","DOIUrl":null,"url":null,"abstract":"Vulnerability detection tools are frequently considered the silver-bullet for detecting vulnerabilities in web services. However, research shows that the effectiveness of most of those tools is very low and that using the wrong tool may lead to the deployment of services with undetected vulnerabilities. In this paper we propose a benchmarking approach to assess and compare the effectiveness of vulnerability detection tools in web services environments. This approach was used to define a concrete benchmark for SQL Injection vulnerability detection tools. This benchmark is demonstrated by a real example of benchmarking several widely used tools, including four penetration-testers, three static code analyzers, and one anomaly detector. Results show that the benchmark accurately portrays the effectiveness of vulnerability detection tools and suggest that the proposed approach can be applied in the field.","PeriodicalId":170573,"journal":{"name":"2010 IEEE International Conference on Web Services","volume":"7 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2010-07-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"75","resultStr":"{\"title\":\"Benchmarking Vulnerability Detection Tools for Web Services\",\"authors\":\"Nuno Antunes, M. Vieira\",\"doi\":\"10.1109/ICWS.2010.76\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Vulnerability detection tools are frequently considered the silver-bullet for detecting vulnerabilities in web services. However, research shows that the effectiveness of most of those tools is very low and that using the wrong tool may lead to the deployment of services with undetected vulnerabilities. In this paper we propose a benchmarking approach to assess and compare the effectiveness of vulnerability detection tools in web services environments. This approach was used to define a concrete benchmark for SQL Injection vulnerability detection tools. This benchmark is demonstrated by a real example of benchmarking several widely used tools, including four penetration-testers, three static code analyzers, and one anomaly detector. Results show that the benchmark accurately portrays the effectiveness of vulnerability detection tools and suggest that the proposed approach can be applied in the field.\",\"PeriodicalId\":170573,\"journal\":{\"name\":\"2010 IEEE International Conference on Web Services\",\"volume\":\"7 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2010-07-05\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"75\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2010 IEEE International Conference on Web Services\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICWS.2010.76\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2010 IEEE International Conference on Web Services","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICWS.2010.76","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 75

摘要

漏洞检测工具经常被认为是检测web服务中的漏洞的灵丹妙药。然而，研究表明，大多数这些工具的有效性非常低，并且使用错误的工具可能导致部署具有未检测到漏洞的服务。在本文中，我们提出了一种基准测试方法来评估和比较web服务环境中漏洞检测工具的有效性。该方法用于定义SQL注入漏洞检测工具的具体基准。通过对几个广泛使用的工具(包括四个渗透测试器、三个静态代码分析器和一个异常检测器)进行基准测试的真实示例演示了该基准测试。结果表明，该基准准确地描述了漏洞检测工具的有效性，表明该方法可以应用于该领域。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Benchmarking Vulnerability Detection Tools for Web Services

Vulnerability detection tools are frequently considered the silver-bullet for detecting vulnerabilities in web services. However, research shows that the effectiveness of most of those tools is very low and that using the wrong tool may lead to the deployment of services with undetected vulnerabilities. In this paper we propose a benchmarking approach to assess and compare the effectiveness of vulnerability detection tools in web services environments. This approach was used to define a concrete benchmark for SQL Injection vulnerability detection tools. This benchmark is demonstrated by a real example of benchmarking several widely used tools, including four penetration-testers, three static code analyzers, and one anomaly detector. Results show that the benchmark accurately portrays the effectiveness of vulnerability detection tools and suggest that the proposed approach can be applied in the field.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2010 IEEE International Conference on Web Services

自引率

0.00%

发文量

期刊最新文献

Everett: Providing Branch-Isolation for a Data Evolution Service Message Correlation and Web Service Protocol Mining from Inaccurate Logs QoS Aware Semantic Web Service Composition Approach Considering Pre/Postconditions Benchmarking Vulnerability Detection Tools for Web Services Service Selection Based on Customer Rating of Quality of Service Attributes