Saikath Bhattacharya
Milwaukee School of Engineering
Abstract
Security practitioners must allocate scarce resources while still detecting and preventing software vulnerabilities effectively. This study evaluates the utility of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) tools against more established techniques: Static and Dynamic Application Security Testing (SAST and DAST) and Systematic and Exploratory Manual Penetration Testing (SMPT and EMPT), in the context of a large open-source software system. Using OpenMRS, an open-source Java-based medical records application, we measure the efficiency of each technique as vulnerabilities detected and prevented per hour, and its effectiveness as the vulnerabilities it detects and prevents. Our findings show that IAST ranks second in both efficiency (2.14 vulnerabilities per hour) and effectiveness, detecting 91 unique vulnerabilities not identified by any other technique and covering eight of the OWASP Top Ten risks.
About the Speaker
Dr. Saikath Bhattacharya is an Assistant Professor of Computer Science and Software Engineering at the Milwaukee School of Engineering. He previously served as a Postdoctoral Researcher at the NSA Science of Security Lablet at NC State University. He earned his Ph.D. in Electrical and Computer Engineering from UMass Dartmouth in 2021. His research focuses on secure systems, software security, and software reliability, including reliability analysis and prognostics and health management. He has authored multiple peer-reviewed publications, including articles in Communications of the ACM and Empirical Software Engineering.