Date of Publication

6-20-2022

Document Type

Master's Thesis

Degree Name

Master of Information Technology

Subject Categories

Computer Sciences

College

College of Computer Studies

Department/Unit

Information Technology

Thesis Advisor

Michelle Renee D. Ching

Defense Panel Chair

Danny C. Cheng

Defense Panel Member

Alain L. Encarnacion
Lissa Andrea K. Magpantay

Abstract/Summary

As most organizations now rely on digitalization for one purpose or another, web applications are one of the main digital components through which they reach their target audience. By their nature, web applications must be deployed on the public internet. However efficient this is, the risk of their being compromised is high, which is why it is imperative that they undergo security checks before deployment.

In its early years, security testing was very costly because it was mostly performed manually by professionals. Vulnerability scanners were later developed to reduce the testers' workload. However, effective and easy-to-use vulnerability scanners are expensive, while open-source scanners have been complex to use.

Open-source scanners have since improved: they now offer graphical user interfaces (GUIs), automated scanning, and comprehensive reports, which are the selling points of commercial Web Application Vulnerability Scanners (WAVS). Yet no studies have measured the performance gap between these scanners.

This research therefore aimed to compare the accuracy and reporting capabilities of two commercial and two open-source WAVS. Accuracy was evaluated against Acunetix Acuart and the OWASP Benchmark, and URL crawling coverage against WIVET.

The results indicate that open-source vulnerability scanners are already competitive enough to match the detection capabilities of commercial ones, as well as the presentation of their reports. On the other hand, an incompatibility between the commercial WAVS and the OWASP Benchmark left no data for that comparison. Lastly, none of the WAVS was able to crawl and detect all of the benchmarking tools' test cases. Scanners therefore still cannot fully replace penetration testing and human validation.
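
As an added example (not code from the thesis) of how the accuracy and crawling comparison described above can be scored, the Python below rates a scanner's findings against an OWASP Benchmark-style expected-results list and computes a WIVET-style crawl coverage figure. All test names, CWEs, findings and URLs are constructed sample data. The per-category true-positive rate, false-positive rate and score (TPR minus FPR), with a finding counted only when its CWE matches the test case's expected CWE, follow the OWASP Benchmark scorecard; treating crawl coverage as the share of known target URLs the scanner requested is an assumed simplification of how WIVET derives its percentage.

```python
"""Scoring a web application vulnerability scanner against a benchmark.

Added example for this page; it is not code from the thesis. It mirrors the
way the OWASP Benchmark scorecard rates a tool (per-category true-positive
rate, false-positive rate and score = TPR - FPR, with a finding counted only
when its CWE matches the test case's expected CWE) and a simplified WIVET-style
crawl coverage (share of known target URLs a scanner actually reached).
All test names, findings and URLs below are constructed sample data.
"""

from collections import defaultdict
from dataclasses import dataclass

# Constructed ground truth in the layout of OWASP Benchmark's expectedresults CSV:
# test name, category, real vulnerability (true/false), CWE.
EXPECTED_RESULTS_CSV = """\
# test name, category, real vulnerability, cwe
BenchmarkTest00001,pathtraver,true,22
BenchmarkTest00002,pathtraver,false,22
BenchmarkTest00003,sqli,true,89
BenchmarkTest00004,sqli,true,89
BenchmarkTest00005,sqli,false,89
BenchmarkTest00006,xss,true,79
BenchmarkTest00007,xss,false,79
BenchmarkTest00008,xss,false,79
"""

# Constructed scanner output: (test name, CWE the scanner assigned to the finding).
SCANNER_FINDINGS = [
    ("BenchmarkTest00001", 22),
    ("BenchmarkTest00003", 89),
    ("BenchmarkTest00004", 79),  # real SQLi reported as XSS: wrong CWE, so a miss
    ("BenchmarkTest00005", 89),  # safe variant flagged: false positive
    ("BenchmarkTest00006", 79),
    ("BenchmarkTest00007", 79),  # safe variant flagged: false positive
]


@dataclass(frozen=True)
class TestCase:
    name: str
    category: str
    vulnerable: bool
    cwe: int


def parse_expected_results(csv_text):
    """Parse the expected-results CSV into {test name: TestCase}."""
    cases = {}
    for line in csv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, category, real, cwe = (f.strip() for f in line.split(",")[:4])
        cases[name] = TestCase(name, category, real.lower() == "true", int(cwe))
    return cases


def _rates(counts):
    """TPR, FPR and score from a tp/fn/fp/tn bucket; empty buckets score 0."""
    positives = counts["tp"] + counts["fn"]
    negatives = counts["fp"] + counts["tn"]
    tpr = counts["tp"] / positives if positives else 0.0
    fpr = counts["fp"] / negatives if negatives else 0.0
    return {"tpr": tpr, "fpr": fpr, "score": tpr - fpr, **counts}


def score_scanner(cases, findings):
    """Return per-category and overall TPR, FPR and score (TPR - FPR)."""
    reported = set(findings)  # (test name, CWE) pairs the scanner claimed
    per_cat = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    total = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for case in cases.values():
        hit = (case.name, case.cwe) in reported  # CWE must match to count
        if case.vulnerable:
            key = "tp" if hit else "fn"
        else:
            key = "fp" if hit else "tn"
        per_cat[case.category][key] += 1
        total[key] += 1
    result = {cat: _rates(b) for cat, b in per_cat.items()}
    result["overall"] = _rates(total)
    return result


# Constructed WIVET-style crawl data: URLs the benchmark expects a crawler to
# discover, and the URLs a scanner's crawl log shows it requested.
WIVET_TARGET_URLS = {
    "/innerpages/1.php", "/innerpages/2.php", "/innerpages/3.php",
    "/innerpages/4.php", "/innerpages/5.php",
}
CRAWL_LOG_URLS = {
    "/", "/innerpages/1.php", "/innerpages/2.php", "/innerpages/4.php", "/logout.php",
}


def crawl_coverage(targets, crawled):
    """Fraction of benchmark target URLs the scanner reached (WIVET-style)."""
    return len(targets & crawled) / len(targets) if targets else 0.0


if __name__ == "__main__":
    cases = parse_expected_results(EXPECTED_RESULTS_CSV)
    for cat, r in score_scanner(cases, SCANNER_FINDINGS).items():
        print(f"{cat:10s} TPR={r['tpr']:.2f} FPR={r['fpr']:.2f} score={r['score']:+.2f}")
    print(f"crawl coverage: {crawl_coverage(WIVET_TARGET_URLS, CRAWL_LOG_URLS):.0%}")
```

Two points worth noting when reading such a scorecard: a scanner that flags every test case reaches a TPR of 1.0 but also an FPR of 1.0 and therefore a score of 0, which is why the safe variants matter as much as the vulnerable ones; and a scanner that produces no findings for a benchmark at all (as with the incompatibility mentioned in the abstract) yields a bucket with no hits, so its zero score reflects missing data rather than a measured capability and should be reported as such.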

Abstract Format

html

Note

Capstone project paper

Language

English

Format

Electronic

Physical Description

[85 leaves]

Keywords

Scanning systems; Web applications

Embargo Period

12-16-2022
