International Journal On Advances in Security, volume 2, numbers 2 and 3, 2009


Assuring Quality in Vulnerability Reports for Security Risk Analysis

Authors:
Deepak Subramanian
Le Ha Thanh
Peter Kok Keong Loh

Keywords: Fuzzy classifiers, confidence level, calibration, scanner, vulnerability, web application

Abstract:
Web application scanners detect, and provide some diagnosis for, specific vulnerabilities. However, both scanner performance and the damage potential of different vulnerabilities vary. This undermines the development of effective remediation solutions and the reliable sharing of vulnerability information. This paper describes the development of fuzzy classification metrics that are used to grade web application scanners and vulnerabilities, so that scanner performance can be evaluated and confidence levels can be computed for vulnerability reports. These metrics help derive a level of assurance that supports security management decisions and enhances remediation efforts.

Pages: 226 to 241

Copyright: Copyright (c) to authors, 2009. Used with permission.

Publication date: December 1, 2009

Published in: journal

ISSN: 1942-2636