Proposal of a Hybrid Process to Manage Vulnerabilities in Web Applications

  • Ana L. Hernández-Saucedo
  • Jezreel Mejía
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 405)


Information systems security is essential for organizations because they use information systems to manage their key information, including data about customers, products, and transactions, among others. The information systems of organizations are mostly web-based. However, over 70 % of vulnerabilities are found in web applications, such as SQL Injection, Cross-site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Insecure Configuration Management, among others. Therefore, it is very important to secure web systems. In the last 3 years, an increase in vulnerabilities has been observed, with a corresponding impact on attacks against web systems. Moreover, it has been detected that organizations do not implement procedures or processes to manage vulnerabilities, leaving their systems exposed. In this context, this paper presents a hybrid process that will enable organizations to detect and manage vulnerabilities in their web applications.


Keywords: Security of information systems; Vulnerabilities; Models and standards; Web applications



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Centro de Investigación en Matemáticas, Guadalupe, Mexico
