Please use this identifier to cite or link to this item: https://hdl.handle.net/10316/99206
Title: An Integrated Tool to Detect Vulnerabilities in Service-Based Infrastructures
Authors: Ventura, Rafael Simões
Advisor: Vieira, Marco; Antunes, Nuno
Keywords: Automated Tools; Black-box Testing; Extensible Tools; Gray-box Testing; Modular Development; Security; Service Oriented Architecture; Software Testing; Software Vulnerabilities; Vulnerability Detection; Web Services
Issue Date: Sep-2014
Place of publication or event: Coimbra
Abstract: A service-based infrastructure is a composition of software pieces that provides functionality supporting large organizational operations. Although such infrastructures can be composed of any kind of service, web services are often the preferred technology, due to their characteristics. This kind of infrastructure is frequently found in online stores, educational and banking systems, making the web services used business-critical components. However, studies show that many of these services are deployed disregarding security concerns, which results in a huge number of vulnerable web services in production. The cost of manual code inspection and the lack of security expertise among programmers brought the need to use automatic vulnerability scanning tools, yet studies and reports show that the effectiveness of these scanners is insufficient. In fact, experiments from previous work show that existing scanners present a low detection rate and a high number of false positives. To address this problem we need new and improved tools. This work presents a new integrated tool implemented in a modular fashion, where the components of vulnerability scanning techniques can be easily integrated without the need to implement a new tool for each new technique. With this tool it is possible not only to implement the known techniques but also to evolve them. Along with this tool, the modules necessary to complete three different techniques were built. A benchmark was applied to the tool, and the results show the viability of the modular approach of the integrated tool.
Description: Master's dissertation in Informatics Engineering presented to the Faculty of Sciences and Technology of the University of Coimbra.
URI: https://hdl.handle.net/10316/99206
Rights: openAccess
Appears in Collections: FCTUC Eng.Informática - Teses de Mestrado

Files in This Item:
File: 2014-ventura-MSc-final.pdf
Size: 1.75 MB
Format: Adobe PDF

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.