A simple new scanning tool has exposed some glaring weaknesses in commonly used web security scanners. The tool also demonstrates that these weaknesses can be addressed.
Websites and web applications have become a key target for cybercriminals in recent years. As such, there are a growing number of commercial scanners available, designed to detect vulnerabilities in the architecture of websites.
“We have identified that most publicly available scanners have weaknesses and are not doing the job they should,” says Dr Yousef Amer, a mechanical and systems engineer at the University of South Australia and a member of the international team of researchers who built the new tool.
Researchers evaluated 11 publicly available web scanners against OWASP’s Top Ten: The 10 most critical cybersecurity risks for web applications, according to the nonprofit Open Web Application Security Project.
First published in 2017 and updated last year, the OWASP Top 10 represents a broad consensus of cybersecurity experts on top website vulnerabilities.
“These vulnerabilities change, but it doesn’t happen frequently,” Amer says. He says “things are pretty much the same” in the 2017 and 2021 rosters.
“We found that no scanner is able to counter all of these vulnerabilities,” says Amer.
The researchers developed a prototype tool that would counter all of these vulnerabilities. The tool is described in a paper presented at the 2022 International Conference on Artificial Intelligence.
“Our prototype tool addresses all of these challenges. It’s basically a one-stop guide to keep the website 100% secure,” says Amer.
The prototype is a “black box” security assessment tool: a program that finds vulnerabilities in a website by attempting to break in from the outside.
“It is possible to upgrade if a new version [of the list] is introduced,” says Amer.
The researchers are now looking to commercialize their tool.
“It would be similar to web scanners, but with more efficient automated crawling, scanning, and reporting,” says Amer.
Cosmos is published by the Royal Institution of Australia.