Vulnerability Analysis and Mitigation of Web Applications Using Static Code Analysis and SSDLC Approach
DOI: https://doi.org/10.58905/saga.v4i1.630
Keywords: Web Application, Static Code Analysis, SonarQube, Vulnerabilities, Cyberattack
Abstract
In today's age of technology, web applications have become an essential part of everyday life. Because the internet is so easily accessible, users can take actions without considering their possible impact, and individuals and organizations alike act in this way freely. As a result, cyber-attacks against web applications, which are prone to such attacks, have surged. Mitigation is achieved through static code analysis with SonarQube, which detects vulnerabilities in the web application's source code. The aim is to help developers by recommending how to build web applications with security in mind. A secure software development life cycle (SSDLC) is used to manage the web application throughout the simulated cyber-attacks and the mitigation of their impact. Results are reported as comparisons before and after mitigation. Before the mitigation measures were implemented, the web application was vulnerable to all of the simulated cyber-attacks; after they were implemented, the analyses showed that the attacks could no longer exploit the secured vulnerabilities.
License
Copyright (c) 2026 Evan Samuel Reinheart Mamesah, Jimmy Herawan Moedjahedy

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.