Context-Aware Security Intelligence of Vulnerability Scanners in Cloud-native Environments


ADAPTIVE '22: The Fourteenth International Conference on Adaptive and Self-Adaptive Systems and Applications (ADAPTIVE) | 2025

Although black-box web vulnerability scanners help identify security vulnerabilities in web applications, they still suffer from false alarms because they lack insight into the context of the applications they test. Without supplemental information such as the topology of the underlying application or its runtime, scanners cannot precisely assess a threat's actual severity, which leads to false alarms and makes it hard for security experts to prioritize vulnerabilities. With the increasing popularity of microservices and highly dynamic cloud environments, this prioritization task becomes even harder. This paper bridges this gap by enriching web vulnerability scanner reports with context information to understand security threats better and reduce false positives. To this end, we developed a rule-based system that is extensible for multiple use cases, and we propose a framework to evaluate the approach's effectiveness using the insecure web applications Unguard and Open Web Application Security Project (OWASP) JuiceShop.
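To make the idea of context-aware enrichment concrete, the following is an added illustration, not the paper's own system or code: a tiny rule-based pass that takes scanner findings and a cluster inventory (service exposure, runtime, whether the endpoint requires authentication) and adjusts each finding's severity and flags likely false positives. The service names, context fields, rules, severity scale and sample findings are all constructed for this example.

```python
"""Added example: a minimal rule-based enrichment of web scanner findings
with deployment context (constructed rules and data, not the paper's code)."""
from dataclasses import dataclass, field

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed: scanner checks that only make sense on a particular runtime.
# A hit for one of these on a different runtime is a likely false positive.
RUNTIME_SPECIFIC = {
    "php_code_injection": {"php"},
    "java_deserialization": {"java"},
}


@dataclass
class Finding:
    """One raw scanner result, as a black-box scanner would report it."""
    service: str
    vuln_type: str
    severity: str
    path: str = "/"


@dataclass
class Enriched:
    """The same finding after the context rules have been applied."""
    finding: Finding
    severity: str
    likely_false_positive: bool = False
    reasons: list = field(default_factory=list)


def shift(severity, steps):
    """Move a severity up or down the scale, clamped to its ends."""
    i = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[max(0, min(len(SEVERITY_ORDER) - 1, i + steps))]


# Each rule returns (severity shift, likely-false-positive flag, explanation).
def rule_exposure(f, ctx):
    if ctx["exposure"] == "internet" and not ctx["auth_required"]:
        return +1, False, "endpoint reachable unauthenticated from the internet"
    if ctx["exposure"] == "internal":
        return -1, False, "service only reachable inside the cluster network"
    if ctx["exposure"] == "none":
        return -2, False, "service has no network exposure"
    return 0, False, None


def rule_runtime(f, ctx):
    needed = RUNTIME_SPECIFIC.get(f.vuln_type)
    if needed and ctx["runtime"] not in needed:
        return -3, True, (f"{f.vuln_type} requires runtime {sorted(needed)}, "
                          f"but service runs {ctx['runtime']}")
    return 0, False, None


RULES = [rule_exposure, rule_runtime]  # extensible: append more rules here


def enrich(findings, context):
    """Apply every rule to every finding; unknown services are left unchanged."""
    out = []
    for f in findings:
        e = Enriched(finding=f, severity=f.severity)
        ctx = context.get(f.service)
        if ctx is None:
            e.reasons.append("no context for service; severity left unchanged")
            out.append(e)
            continue
        for rule in RULES:
            steps, fp, why = rule(f, ctx)
            if why:
                e.reasons.append(why)
            e.severity = shift(e.severity, steps)
            e.likely_false_positive = e.likely_false_positive or fp
        out.append(e)
    return out


# Constructed inventory and scanner output (hypothetical service names).
CONTEXT = {
    "web-frontend": {"exposure": "internet", "runtime": "node", "auth_required": False},
    "catalog-api": {"exposure": "internal", "runtime": "java", "auth_required": True},
    "batch-worker": {"exposure": "none", "runtime": "python", "auth_required": True},
}

SAMPLE_FINDINGS = [
    Finding("web-frontend", "reflected_xss", "medium", "/search"),
    Finding("web-frontend", "php_code_injection", "high", "/index.php"),
    Finding("catalog-api", "sql_injection", "high", "/items"),
    Finding("batch-worker", "sql_injection", "high", "/run"),
    Finding("unknown-svc", "sql_injection", "high", "/"),
]


def run_sample():
    return enrich(SAMPLE_FINDINGS, CONTEXT)


if __name__ == "__main__":
    for e in run_sample():
        f = e.finding
        flag = " [likely false positive]" if e.likely_false_positive else ""
        print(f"{f.service:13} {f.vuln_type:20} {f.severity:>8} -> {e.severity:<8}{flag}")
        for r in e.reasons:
            print(f"    - {r}")
```

The design point is that the scanner's verdict is never discarded: each rule only records a reason and nudges the severity, so an analyst can still see why a finding was promoted or demoted, and a service missing from the inventory falls back to the raw severity rather than silently disappearing.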
