Automating web application security assessment using Python
DOI: https://doi.org/10.31673/2412-9070.2025.045866

Abstract
Methods for evaluating the effectiveness of web application security scanners are often constrained by subjectivity and the lack of unified quantitative criteria, complicating the comparison of their performance. This paper proposes an automated model for assessing web application security based on a Ground Truth dataset of vulnerabilities and the calculation of standardized metrics, such as Precision, Recall, Accuracy, and F1-score. The proposed model is implemented using advanced Python tools. Specifically, popular vulnerability scanners such as Wapiti, OWASP ZAP, and SQLMap are integrated to automate vulnerability data collection. Processing and classification of the obtained results (TP, FP, FN, TN) are performed using pandas and scikit-learn libraries, facilitating effective quantitative data analysis. Visualization of metrics and research results is provided by the matplotlib library. The proposed architecture offers significant advantages, including reduced subjectivity in evaluating scanner effectiveness, standardization of the comparison process, and flexibility in system expansion through the addition of new scanners via a unified programming interface. The implemented model enhances scalability and reproducibility of experiments, crucial for centralized information security management in large multi-scanner platforms. Experimental analysis demonstrates the practical efficacy of the proposed solution: the model transparently identifies both strengths and weaknesses of individual scanners, providing comprehensive information for informed decision-making in the field of information security. Future directions include expanding the range of metrics (notably ROC curves), integrating additional scanners, and developing comprehensive ensemble models based on machine learning.
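The scoring step the abstract describes (normalising scanner findings to one vocabulary, splitting them into TP/FP/FN/TN against a Ground Truth dataset, and computing Precision, Recall, Accuracy and F1-score) can be shown end to end in a few dozen lines. The following is an added example written for this page, not the paper's own implementation: it uses plain Python instead of pandas/scikit-learn, and the ground-truth entries, the test universe, the per-scanner report format and the raw vulnerability labels are all constructed placeholders rather than real Wapiti, OWASP ZAP or SQLMap output.

```python
# Added example (not the paper's code): score vulnerability-scanner reports
# against a Ground Truth dataset and derive Precision, Recall, Accuracy and
# F1-score from the resulting TP/FP/FN/TN counts. All data is constructed.

# Scanner-specific vulnerability labels mapped onto one canonical vocabulary,
# so reports from different tools become comparable. The raw label strings
# are assumed examples, not the exact output of any real scanner.
CANONICAL_TYPES = {
    "sql injection": "sqli",
    "sqli": "sqli",
    "cross site scripting": "xss",
    "xss": "xss",
    "insecure direct object reference": "idor",
    "idor": "idor",
}

# Constructed ground truth: vulnerabilities known to exist in the test app,
# identified by (url, parameter, canonical vulnerability type).
GROUND_TRUTH = {
    ("/login", "username", "sqli"),
    ("/search", "q", "xss"),
    ("/profile", "id", "idor"),
}

# Constructed test universe: every (url, parameter, type) combination the
# scanners were asked about. Combinations outside GROUND_TRUTH are the
# negatives; a scanner that stays silent on them earns a true negative.
TEST_UNIVERSE = GROUND_TRUTH | {
    ("/login", "password", "sqli"),
    ("/search", "q", "sqli"),
    ("/contact", "message", "xss"),
}

# Constructed raw reports in a hypothetical per-scanner dict format.
SCANNER_REPORTS = {
    "scanner_a": [
        {"url": "/login", "param": "username", "type": "SQL Injection"},
        {"url": "/search", "param": "q", "type": "Cross Site Scripting"},
        {"url": "/search", "param": "q", "type": "SQL Injection"},  # false alarm
    ],
    "scanner_b": [
        {"url": "/login", "param": "username", "type": "sqli"},
        {"url": "/login", "param": "username", "type": "Unknown Issue"},  # dropped
    ],
}


def normalize(raw_findings):
    """Convert raw finding dicts to a set of canonical (url, param, type)
    tuples. Findings with an unrecognised type are dropped so they inflate
    neither TP nor FP; duplicate findings collapse naturally in the set."""
    findings = set()
    for f in raw_findings:
        vuln_type = CANONICAL_TYPES.get(f["type"].strip().lower())
        if vuln_type is not None:
            findings.add((f["url"], f["param"], vuln_type))
    return findings


def classify(reported, ground_truth, universe):
    """Split the universe into TP/FP/FN/TN for one scanner's findings."""
    return {
        "TP": len(reported & ground_truth),
        "FP": len(reported - ground_truth),
        "FN": len(ground_truth - reported),
        "TN": len(universe - ground_truth - reported),
    }


def metrics(counts):
    """Standard metrics from a confusion-matrix dict; every ratio guards
    against a zero denominator (e.g. a scanner that reports nothing)."""
    tp, fp, fn, tn = counts["TP"], counts["FP"], counts["FN"], counts["TN"]
    total = tp + fp + fn + tn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    accuracy = (tp + tn) / total if total else 0.0
    f1 = (2 * precision * recall / (precision + recall)
          if precision + recall else 0.0)
    return {"precision": precision, "recall": recall,
            "accuracy": accuracy, "f1": f1}


def evaluate(reports, ground_truth=GROUND_TRUTH, universe=TEST_UNIVERSE):
    """Score every scanner; returns {scanner: {TP, FP, FN, TN, metrics...}}."""
    results = {}
    for name, raw in reports.items():
        counts = classify(normalize(raw), ground_truth, universe)
        results[name] = {**counts, **metrics(counts)}
    return results


if __name__ == "__main__":
    for name, r in evaluate(SCANNER_REPORTS).items():
        print(f"{name}: TP={r['TP']} FP={r['FP']} FN={r['FN']} TN={r['TN']} "
              f"P={r['precision']:.2f} R={r['recall']:.2f} "
              f"Acc={r['accuracy']:.2f} F1={r['f1']:.2f}")
```

Two design points matter when such a harness is extended with real scanners. First, the identity of a finding must be defined before scoring; here it is the (url, parameter, type) triple, and a scanner that reports the right vulnerability under a label outside the canonical map is counted as silent rather than wrong, which is a choice that should be stated alongside the metrics. Second, Accuracy and TN depend entirely on how the test universe is defined, so comparisons across scanners are only fair when every scanner is scored against the same universe and the same ground truth.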
Keywords: cybersecurity; Python; web applications; vulnerabilities; automation; security assessment; vulnerability scanners; accuracy metrics; information security.