Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
169 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Comparing Effectiveness and Efficiency of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) Tools in a Large Java-based System (2312.17726v1)

Published 29 Dec 2023 in cs.CR and cs.SE

Abstract: Security resources are scarce, and practitioners need guidance in the effective and efficient usage of techniques and tools available in the cybersecurity industry. Two emerging tool types, Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP), have not been thoroughly evaluated against well-established counterparts such as Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). The goal of this research is to aid practitioners in making informed choices about the use of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) tools through an analysis of their effectiveness and efficiency in comparison with different vulnerability detection and prevention techniques and tools. We apply IAST and RASP on OpenMRS, an open-source Java-based online application. We compare the efficiency and effectiveness of IAST and RASP with techniques applied on OpenMRS in prior work. We measure efficiency and effectiveness in terms of the number and type of vulnerabilities detected and prevented per hour. Our study shows IAST performed relatively well compared to other techniques, performing second-best in both efficiency and effectiveness. IAST detected eight Top-10 OWASP security risks compared to nine by SMPT and seven for EMPT, DAST, and SAST. IAST found more vulnerabilities than SMPT. The efficiency of IAST (2.14 VpH) is second to only EMPT (2.22 VpH). These findings imply that our study benefited from using IAST when conducting black-box security testing. In the context of a large, enterprise-scale web application such as OpenMRS, RASP does not replace vulnerability detection, while IAST is a powerful tool that complements other techniques.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (19)
  1. doi:10.1109/ICSGEA.2019.00131.
  2. doi:10.1109/CINTI.2016.7846383.
  3. doi:10.1109/PRDC.2009.54.
  4. doi:10.32604/cmc.2020.010885.
  5. doi:10.1109/ISSRE.2013.6698898.
  6. doi:10.1109/PRDC.2007.55.
  7. doi:10.1007/978-3-642-14215-4_7.
  8. doi:10.1002/spe.2870.
  9. doi:10.1109/ACCESS.2023.3315595.
  10. doi:10.1145/3584714.3584723. URL https://doi.org/10.1145/3584714.3584723
  11. doi:10.1109/ICOIACT50329.2020.9332116.
  12. doi:10.22152/programming-journal.org/2022/6/1. URL https://doi.org/10.22152\%2Fprogramming-journal.org\%2F2022\%2F6\%2F1
  13. doi:10.1145/988672.988679. URL https://doi.org/10.1145/988672.988679
  14. doi:10.1145/2465478.2465479. URL https://doi.org/10.1145/2465478.2465479
  15. doi:10.1145/2593929.2593945. URL https://doi.org/10.1145/2593929.2593945
  16. MITRE, Cwe common weakness enumeration (website) (2022). URL https://cwe.mitre.org/
  17. doi:10.1109/Agile.2015.12.
  18. doi:10.48550/ARXIV.1808.09700. URL https://arxiv.org/abs/1808.09700
  19. doi:https://doi.org/10.6028/NIST.SP.500-326.
Citations (3)

Summary

We haven't generated a summary for this paper yet.

Youtube Logo Streamline Icon: https://streamlinehq.com