ADAPTIVE 2022, The Fourteenth International Conference on Adaptive and Self-Adaptive Systems and Applications
Context-Aware Security Intelligence of Vulnerability Scanners in Cloud-native Environments
Authors:
Simon Ammer
Jens Krösche
Markus Gierlinger
Mario Kahlhofer
Keywords: cloud computing; web application security; distributed systems security; context-awareness; rule-based adaptation.
Abstract:
Even though black-box web vulnerability scanners help identify security vulnerabilities in web applications, they still suffer from false alarms because they lack insight into the context of the applications they scan. Without supplemental information such as the topology of the underlying application or its runtime, scanners cannot precisely assess a threat's actual severity, which leads to false alarms and makes it difficult for security experts to prioritize vulnerabilities. With the increasing popularity of microservices and highly dynamic cloud environments, this prioritization task becomes even more difficult. This paper bridges this gap by enriching web vulnerability scanner reports with context information in order to understand security threats better and reduce false positives. To this end, we developed a rule-based system that is extensible for multiple use cases, and we propose a framework to evaluate the approach's effectiveness using the insecure web applications Unguard and Open Web Application Security Project (OWASP) JuiceShop.
Pages: 10 to 13
Copyright: Copyright (c) IARIA, 2022
Publication date: April 24, 2022
Published in: conference
ISSN: 2308-4146
ISBN: 978-1-61208-951-5
Location: Barcelona, Spain
Dates: from April 24, 2022 to April 28, 2022