Quantitative Web Application Vulnerability Assessment Using SAST Methodology
DOI: https://doi.org/10.47839/ijc.24.1.3888

Keywords: SAST, web application vulnerabilities, CVSS v3.1, general application vulnerability score, cybersecurity

Abstract
This paper presents a study of Static Application Security Testing (SAST), with a focus on the Snyk Code tool. SAST enables early detection and remediation of security vulnerabilities during software development and so improves the security of the delivered system. The research introduces the General Application Vulnerability Rate (GAVR) model, which quantifies vulnerability risk on the basis of the CVSS v3.1 framework. A case study using Snyk Code demonstrates the identification and assessment of security flaws such as cross-site scripting (XSS) and improper certificate validation. The study argues for an integrated approach to security testing, emphasizing automation and structured vulnerability assessment as the means of improving software security.
The GAVR model extends conventional CVSS-based evaluation by incorporating the probability that a vulnerability is exploited, which yields a risk assessment that reflects the threat environment rather than severity alone. The findings suggest that integrating SAST into the software development lifecycle reduces security risk and shortens remediation. By combining automation with systematic vulnerability quantification, the study underscores the importance of proactive security strategies for protecting web applications against evolving threats.
License
International Journal of Computing is an open access journal. Authors who publish with this journal agree to the following terms:
• Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
• Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
• Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.