
Essay: Secure Your Web Services: Exploring Automation and Strategies for Vulnerability Detection

Essay details and download:

  • Subject area(s): Sample essays
  • Published: 1 April 2019*
  • Last Modified: 23 July 2024
  • Words: 2,012 (approx)
  • Number of pages: 9 (approx)


The article by Nuno Antunes and Marco Vieira explains that web services are prone to malicious attacks because the software behind them is often built without adequate security. Automated penetration-testing tools were introduced to find such faults before attackers do (Antunes and Vieira 2014). Despite these developments, the authors' own evaluation shows that the tools fall short in practice.

Web services are considered strategic vehicles for data exchange and distribution and are a core building block of service-oriented architectures (SOAs). Antunes and Vieira explain that improper coding, combined with the services' public exposure, makes it relatively easy for attackers to uncover and exploit security vulnerabilities (Antunes and Vieira 2014). SQL injection, for instance, lets an attacker append commands to a query so that the database reads, modifies, or destroys data it should not, putting the applications built on it at risk.

Security and vulnerability issues must be considered throughout the software development process: applying best practices during design and implementation, together with mechanisms for detecting and removing possible attack paths, is what keeps an application secure. The authors focus on the black-box approach to testing for and revealing vulnerabilities. Automated tools are attractive because they save time and money; however, their value is determined by how many of the real vulnerabilities they detect while avoiding false positives.

The article combines an analysis of diverse automated penetration-testing tools. However, Antunes and Vieira conclude that these tools are still far from satisfactory for web-service security testing (Antunes and Vieira 2014). The article notes that practitioners and researchers are actively developing new techniques to improve the detection and prevention of web attacks.

The article explains two techniques for detecting vulnerabilities: white-box and black-box testing. White-box techniques work from the source code and include walkthroughs, inspections, and reviews. Manual inspections are effective but slow and expensive, whereas automated white-box tools let developers locate faults in their own code quickly, reducing the cost and time of inspection. Black-box testing treats the program as an external component: it feeds inputs through the interface and compares the observed results with the expected behaviour. The authors also mention gray-box testing, which combines the two by using partial knowledge of the internals to guide the external tests towards the components where faults are likely.

Black-box penetration testing is commonly chosen for its simplicity and effectiveness in detecting vulnerabilities. It requires no knowledge of the internals to execute the tests. Because the number of tests for a single service can reach thousands, it matters that the technique can be run repeatedly and cost-efficiently. The article lists free web-vulnerability scanners such as WSDigger and WSFuzzer that automate the submission of attacks and the detection of vulnerabilities. Antunes and Vieira identify the main limitation as the lack of visibility into the internal behaviour of the application (Antunes and Vieira 2014); the article gives instances where web security scanners failed to detect specific variants of vulnerabilities. The authors argue that studying these tools and their effectiveness is essential to reducing the number of exploitable vulnerabilities that reach production.

For the study, Vieira and Antunes tested 25 web services with 101 operations to evaluate the strengths and weaknesses of penetration testing (Antunes and Vieira 2014). Four scanners were used, among them IBM Rational AppScan, Acunetix Web Vulnerability Scanner, and HP WebInspect. Some of the services came from the TPC-App benchmark, which specifies a set of transactional web services modelled on an e-commerce application. The authors note that a complete evaluation requires knowing which vulnerabilities actually exist in the tested services, so that each tool's reports can be checked against the truth. After the analysis, the team identified 201 SQL injection vulnerabilities that needed attention. Comparing the tools' reports against this confirmed list allowed the authors to count true detections and false positives. The scanners themselves generate the attack requests, examine the responses, and report the vulnerabilities they believe they have found.

The overall results showed that each tool reported a different set of vulnerabilities. All four tools identified SQL injection vulnerabilities, but only two reported XPath injection vulnerabilities. False positives are also examined: their percentage was high, meaning that many of the reported vulnerabilities did not exist, which makes developers waste time on problems that are not there. The scanners proved particularly prone to reporting these non-existent vulnerabilities. The "lessons learned" section explains that penetration testing is useful, but inefficient at exposing vulnerabilities that depend on the internal behaviour of the service.

The study concludes that the automated tools are useful but have two limitations. First, they raise high numbers of false-positive alerts. Second, they observe only external behaviour, so vulnerabilities may remain undetected even after scanning; the black-box technique, by definition, has no view of the internal behaviour. Vieira and Antunes argue that improving the tests requires representative workloads that exercise the service as it is used in the real world, so as to achieve high code coverage (Antunes and Vieira 2014). Existing XML schemas give the tools little information about the expected input domain. Laranjeiro has proposed an extended domain expression language (EDEL) that lets developers specify input domains precisely, so that the tools can use them to maximise vulnerability detection. The article explains that maximising detection requires multiple, coordinated requests, so that a vulnerability can be confirmed and false alarms ruled out rather than judged from a single response. Acunetix WVS is cited as a tool that already combines two techniques to obtain a more intrusive view of the service's behaviour during testing.

It is important to understand that most vulnerabilities manifest themselves at the boundary between the web service and the system components it relies on, such as the database. Despite their current limitations, penetration-testing tools continue to make a significant contribution to web-service security. New techniques and tools are needed to increase detection effectiveness, and they should follow consistent, standardised procedures that maximise the detection of vulnerabilities while minimising false positives. Finally, the article stresses that security must be a concern throughout the entire software development process. Consequently, developers should apply the best security practices, tools, and approaches at their disposal to protect against potential threats, while continuing to innovate and improve the current security assessment techniques.

– Important conclusions of the authors.

Vieira and Antunes's article concludes by reviewing the current state of web-service security, explaining that despite the limitations of the tools, corporations and organisations must use them to protect themselves against attacks on their vulnerabilities (Antunes and Vieira 2014). However, the authors insist that new, more advanced tools must be adopted to provide integrated support for detecting as many vulnerabilities as possible while avoiding false positives. The article closes by explaining that developers must keep the organisation's security concerns in view during the entire software development process.

The authors propose increasing visibility into the service with anomaly detection and attack-signature monitoring, so that deviations from normal behaviour can be observed at the internal interfaces rather than inferred from responses alone. In a first phase the tool learns what regular behaviour looks like; in a subsequent phase attack requests are submitted and the monitored interfaces reveal where they take effect. Multiple security practices are considered for their effectiveness in reducing diverse attacks and potential vulnerabilities. Developers must also continually improve the assessment techniques at their disposal to uncover current and future vulnerabilities. Antunes and Vieira stress the value of maximising attack and vulnerability detection, since what is left undetected can cause great loss. Advanced detection tools such as Acunetix WVS already incorporate multiple-request techniques (Antunes and Vieira 2014). These tools are promising, though still far from satisfactory for protecting web services.
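As an added example (my own code, not from Antunes and Vieira's article or from any of the scanners named above), the following Python script models the distinction the essay keeps returning to: a black-box penetration test that can only judge from the service's response, beside an attack-signature monitor that watches the SQL commands actually handed to the database. It also shows the SQL injection described earlier in concrete form. The four service operations, the marker token SIGWS_7f3a, the payload, and the sample users are all constructed for the illustration, and the monitor is modelled as a wrapper around the database call rather than a real interception layer.

```python
"""Added example: one web-service operation, getUser(name), in four implementations,
probed by a response-only black-box test and by an attack-signature monitor.
Everything here (operations, token, payload, sample data) is constructed for illustration."""
import sqlite3

SIGNATURE = "SIGWS_7f3a"   # hypothetical marker token; chosen to be unlikely in genuine SQL
PAYLOAD = f"x' OR 1=1 /*{SIGNATURE}*/ --"   # constructed injection payload carrying the marker


class SqlMonitor:
    """Records every SQL command text handed to the database: the 'internal interface'
    a black-box scanner never sees."""

    def __init__(self):
        self.statements = []

    def execute(self, conn, sql, params=()):
        self.statements.append(sql)
        return conn.execute(sql, params).fetchall()


def setup_db():
    """In-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users(name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com"),
                      ("carol", "carol@example.com")])
    return conn


def get_user_vulnerable(conn, mon, name):
    # Input concatenated into the command: classic SQL injection.
    return mon.execute(conn, "SELECT name, email FROM users WHERE name = '" + name + "'")


def get_user_escaped(conn, mon, name):
    # Quote doubling keeps the input inside the literal; fragile, but not injectable via quotes.
    return mon.execute(conn, "SELECT name, email FROM users WHERE name = '"
                       + name.replace("'", "''") + "'")


def get_user_hardened(conn, mon, name):
    # Parameterised: the input never becomes part of the command text.
    return mon.execute(conn, "SELECT name, email FROM users WHERE name = ?", (name,))


def get_user_suggesting(conn, mon, name):
    # Parameterised, but lists everyone when there is no exact match (a legitimate feature).
    rows = mon.execute(conn, "SELECT name, email FROM users WHERE name = ?", (name,))
    return rows or mon.execute(conn, "SELECT name, email FROM users")


def blackbox_probe(operation):
    """Penetration-test view: compare the response to a benign request with the response
    to the payload. A leaked database error or a widened result set counts as a finding."""
    conn, mon = setup_db(), SqlMonitor()
    baseline = operation(conn, mon, "alice")
    try:
        attacked = operation(conn, mon, PAYLOAD)
    except sqlite3.Error:
        return True
    return len(attacked) > len(baseline)


def strip_literals(sql):
    """Blank out the contents of single-quoted literals ('' inside one is an escaped quote),
    so that what remains is the command structure the database actually interprets."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        i += 1                                  # opening quote
        while i < n:
            if sql[i] == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2                      # doubled quote: still inside the literal
                    continue
                i += 1                          # closing quote
                break
            i += 1
        out.append("''")
    return "".join(out)


def signature_probe(operation):
    """Attack-signature view: did the marker reach the database outside a string literal?
    The response is irrelevant; only the command text seen by the monitor is judged."""
    conn, mon = setup_db(), SqlMonitor()
    try:
        operation(conn, mon, PAYLOAD)
    except sqlite3.Error:
        pass
    return any(SIGNATURE in strip_literals(s) for s in mon.statements)


def assess(operation):
    return {"blackbox": blackbox_probe(operation), "signature": signature_probe(operation)}


if __name__ == "__main__":
    for op in (get_user_vulnerable, get_user_escaped, get_user_hardened, get_user_suggesting):
        print(f"{op.__name__:22s} {assess(op)}")
```

Running it reports the concatenating version as vulnerable under both probes, the quote-escaping and parameterised versions as clean under both, and the "suggesting" version as a black-box finding that the signature monitor rejects: the response changed for a reason that has nothing to do with injection, which is exactly the kind of false positive the study counts against the scanners. Escaping alone remains fragile in real code (numeric contexts, other quoting rules), so parameterised queries are still the fix to ship.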

– Do you agree? Argue why.

I agree with Antunes and Vieira's conclusion on the limitations of current vulnerability scanners, given their failure to detect all vulnerabilities and their tendency to raise false security alarms (Antunes and Vieira 2014). Significant numbers of vulnerabilities remain undetected because most penetration tools are unable to test both the internal and the external behaviour of the application. The black-box technique, found to be the most effective, is limited in that it cannot access or test the internal behaviour of applications. The tools also achieve inadequate code coverage to detect the multiple paths through which a vulnerability may be reached.

I agree that innovative approaches are critical to overcoming the present limitations of penetration tools. The innovations must aim at giving penetration-testing tools the ability to interpret both the internal and the external behaviour of the application under attack. High code coverage must be achieved through the service interfaces to protect the domains associated with the web services accurately. The proposed extended domain expression language is useful for its ability to discover the maximum number of vulnerabilities while avoiding false alarms.

– ICT fields involved.

The fields within computer science involved in this case include:

1. Coding: Encryption

Encryption ensures that data is kept secret and protected from unauthorized access: during transmission or storage, only authorized parties holding the secret key can recover the plaintext. Without encryption, information is open to anyone able to intercept it and is therefore exposed to attack (Antunes and Vieira 2014). Field experts also require individuals to use strong passwords and to run web-security penetration tools to detect any form of attack or intrusion.

2. Software Engineering

Vulnerabilities and the attacks that exploit them are a major cause of software failure today; a high-impact attack may bring down an entire system. Software engineering covers the process of software development, ensuring that the end product serves the user without failure. Software engineers are trained to test and analyse software so as to remove the weaknesses that invite attack.

– Non-ICT fields involved.

The non-ICT field involved in the case is copyright. It is a legal term describing the rights of the creators of computer programs and databases. Copyrights and patents grant intellectual-property owners the right to sell, modify, and distribute their work; unauthorized access to it is prohibited by law. Many attacks target copyrighted and patented assets with the intention of corrupting or stealing data. Penetration-testing tools are therefore valuable because they find the weaknesses through which such unauthorized access would occur.

– Ethical/societal issues involved.

All ICT professionals handling confidential data are required to maintain high ethical and moral standards. Training on ICT ethical issues is mandatory for specialists, to guarantee maximum protection and security within a corporation. Much of ICT ethics concerns the privacy of data: all individuals handling data are required to be trustworthy. This includes avoiding snooping on or tracking other employees' e-mail, not accessing unauthorized websites, and keeping all passwords strong and secret. Invading others' privacy, leaking documents, abuse, and fraud, as well as unintentional security lapses by employees, are considered unethical.

Consequence-based ethics requires that all professionals undertake actions with desirable outcomes. The highest standards must be maintained, including making moral decisions on all issues that arise, and policies must be formulated to benefit the majority rather than a minority of users. Character-based theory argues that individuals must maintain appropriate morals and virtues while working in an ICT organisation; excellence in the field is attained through good moral character and discipline. Lastly, duty-based ethics requires that every action of the person, including the execution of all ICT roles and responsibilities, is carried out properly.

Reference

Antunes, N. and Vieira, M., 2014. Penetration testing for web services. Computer, 47(2), pp. 30-36.

About this essay:

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, Secure Your Web Services: Exploring Automation and Strategies for Vulnerability Detection. Available from: <https://www.essaysauce.com/sample-essays/2018-10-3-1538574987-2/> [Accessed 12-04-26].

These Sample essays have been submitted to us by students in order to help you with your studies.

* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.