Improving the Adoption of Dynamic Web Security Vulnerability Scanners

Security vulnerabilities remain present in many web applications despite the improving knowledge base on vulnerabilities. Attackers can exploit such security vulnerabilities to extract critical data from web applications and their users. Many dynamic security vulnerability scanners exist that try to automatically find such security vulnerabilities. We studied the adoption of these tools and found out they are rarely used by web developers during the development process of a web application. Through interviews, we investigated the main cause of the lack of adoption is the difficulty to use such tools. In order to improve the adoption of dynamic security vulnerability scanners, we introduce the Universal Penetration Testing Robot (UPeTeR). UPeTeR is a class library that allows web developers to easily set relevant data for many dynamic vulnerability scanners by providing them with an abstraction of required configuration data. Plugins, ideally created by experts of the scanners, transform this abstraction into an optimal setup of such scanners. A prototype has been created which was used to validate UPeTeR’s acceptance by web developers at the Software Improvement Group, a software consultancy company in the Netherlands. The acceptance experiment demonstrated that web developers are willing to try out and work with UPeTeR.