Security Assessment Based on OWASP Top 10 Using SonarQube and ZAP on Export and Import Applications in the LNSW

DOI:

https://doi.org/10.29407/intensif.v10i1.25294

Keywords:

OWASP, ZAP, Cyber Security, SonarQube, SAST, Vulnerability Assessment

Abstract

Background: The advancement of information and electronic systems has significantly transformed export and import processes. In Indonesia, the Lembaga National Single Window (LNSW) plays a pivotal role in facilitating international trade by integrating the procedures and information related to exports, imports, and document flows.

Objective: This study aims to assess the security of LNSW's export and import application by identifying vulnerabilities based on the Open Web Application Security Project (OWASP) Top 10 framework. It also compares the effectiveness of Static Application Security Testing (SAST) using SonarQube with Dynamic Application Security Testing (DAST) using ZAP (Zed Attack Proxy) in detecting various types of vulnerabilities.

Methods: SonarQube was used for source code scanning and ZAP for runtime testing. Each detected vulnerability was scored with the Common Vulnerability Scoring System (CVSS) to determine its severity level, and mitigation strategies were recommended accordingly.

Results: A total of eight vulnerabilities were identified, comprising two High-severity and six Medium-severity issues. SonarQube proved more effective in detecting Identification and Authentication Failures (three instances), while ZAP excelled in identifying Vulnerable and Outdated Components (two instances). Notably, each tool uncovered four types of vulnerabilities that the other did not detect.

Conclusion: These findings highlight the practical benefit of combining SAST and DAST techniques. By integrating both approaches, organizations can achieve a more comprehensive and reliable security assessment, ultimately leading to more resilient software systems.




Published

2026-02-01

Section

Article

How to Cite

M. Wisnu and B. Soewito, “Security Assessment Based on OWASP Top 10 Using SonarQube and ZAP on Export and Import Applications in the LNSW”, INTENSIF: J. Ilm. Penelit. dan Penerap. Tek. Sist. Inf., vol. 10, no. 1, pp. 36–53, Feb. 2026, doi: 10.29407/intensif.v10i1.25294.