Web-Based Dashboard for Monitoring Penetration Testing Activities Based on OWASP Standards

ABSTRACT


INTRODUCTION
The development of Information Technology (IT) has made it an inseparable part of human life. Badan Siber dan Sandi Negara (BSSN) states that IT contains strategic information assets and affects the lives of many people, so its role is very important and vital [1]. In addition, IT has triggered the development of Industry 4.0, characterized by automation and digitalization, which makes competitive advantage easier to achieve. This is marked by the development of the Internet of Things (IoT), Artificial Intelligence (AI), robotics, automated physical systems, smart cities, and blockchain [2]. Industry 4.0 provides the integration of large data, interactive systems between humans and machines, and increased communication between digital and physical environments [3]. However, the integration of IT has also brought new issues and challenges, especially in cybersecurity.
Cybersecurity is the activity of protecting systems, networks, and programs from digital attacks [4]. Digital attacks or cyber-attacks usually aim at accessing, changing, or even destroying sensitive information, extorting money, or interrupting business processes. Cybersecurity consists of the technology, processes, and actions designed to protect individuals and organizations from cybercrime. At present, implementing effective cybersecurity measures is a very important and challenging activity. There are three pillars of effective cybersecurity, namely people, processes, and technology [5]. If any of the three is not met, vulnerabilities arise that undermine cybersecurity. Cybersecurity applies in various contexts, one of which is application security. According to Pusat Operasi Keamanan Siber Nasional (Pusopskamsinas), Badan Siber dan Sandi Negara (BSSN) recorded 88,414,296 cyber-attacks from January 1 to April 12, 2020. Of these 88,414,296 cyber-attacks, around 884 were web application based attacks [6]; although this is classified as only a small amount, about 1% of the total attacks, it certainly cannot be underestimated, especially for organizations engaged in finance such as banking. An application security breach is fatal for a bank because it reduces the level of public trust in the bank and thereby affects the value of the company. According to Stefinko, the most popular way to investigate security is through a penetration test (pentest) conducted by an ethical hacker/pentester team [7].
A pentest is a security test in which a pentester mimics an actual attack against the security features of an application, system, or network so that its vulnerabilities become known [8] [9]. A pentest is also an obligation, because it helps companies prevent financial losses and comply with regulations, in particular Peraturan Otoritas Jasa Keuangan (POJK) No. 38/POJK.3/2016 concerning the Implementation of Risk Management in the Use of Information Technology by Commercial Banks, which requires banks to ensure information security so as to maintain confidentiality, integrity, and availability effectively and efficiently, one means of which is the pentest. Pentests must be conducted regularly, at least once a year [10].
To determine whether an application is safe and successfully passes the pentest, a measurement standard is needed so that all applications are assessed on an equal basis. For web applications in particular, the commonly used standard is OWASP (Open Web Application Security Project). At the time this research was carried out, the latest edition of the OWASP Top 10, the 2017 edition, focused on: injection, broken authentication, sensitive data exposure, XXE, broken access control, security misconfiguration, XSS, insecure deserialization, using components with known vulnerabilities, and insufficient logging & monitoring [11]. OWASP has a very large list of vulnerabilities, and each vulnerability in OWASP is given a specific code. Therefore, to simplify the monitoring of the pentest process in an organization, a tool is needed that visualizes the existing vulnerabilities of the various applications so that they can be more easily measured, counted, and monitored during the pentest process.
The tool commonly used to present information to managers is a dashboard [12]; companies and businesses have widely adopted the dashboard concept for various purposes, such as administrative dashboards [13], monitoring dashboards [14] [15], evaluation dashboards [16], and even pure visualization [17]. Each dashboard has its own characteristics and objectives according to the needs of the organization. However, the basic purpose of every dashboard is to assist decision-makers in making decisions.
The dashboard created in this research is a monitoring dashboard for pentest activities, so that results no longer need to be recapitulated manually in a data management application such as a spreadsheet (Microsoft Excel). The dashboard is built with the PHP programming language, so it is web-based, and it uses the OWASP standard up to the 2017 edition. With this dashboard it is expected that the application vulnerabilities that arise most often during pentests can be identified, so that the visualized data can be taken into consideration and evaluated to determine the priority of improvements in application development.
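The core of such a dashboard is the aggregation of pentest findings by OWASP category, application, and period. The following is an added illustration written for this article, not the paper's PHP code; the OWASP Top 10 2017 codes are the published ones, while the applications, dates, and findings are constructed sample data.

```python
# Added illustration of the aggregation a pentest-monitoring dashboard performs:
# findings tagged with OWASP Top 10 (2017) codes, counted per category,
# per application and per month. All findings below are constructed samples.
from collections import Counter
from datetime import date

# OWASP Top 10 2017 category codes as published by OWASP.
OWASP_2017 = {
    "A1": "Injection", "A2": "Broken Authentication",
    "A3": "Sensitive Data Exposure", "A4": "XML External Entities (XXE)",
    "A5": "Broken Access Control", "A6": "Security Misconfiguration",
    "A7": "Cross-Site Scripting (XSS)", "A8": "Insecure Deserialization",
    "A9": "Using Components with Known Vulnerabilities",
    "A10": "Insufficient Logging & Monitoring",
}

# Constructed dummy report rows: (application, OWASP code, date found, status).
FINDINGS = [
    ("internet-banking", "A1", date(2020, 1, 14), "closed"),
    ("internet-banking", "A7", date(2020, 1, 14), "open"),
    ("internet-banking", "A3", date(2020, 2, 3), "open"),
    ("mobile-api", "A1", date(2020, 2, 20), "open"),
    ("mobile-api", "A5", date(2020, 2, 20), "closed"),
    ("hr-portal", "A6", date(2020, 3, 9), "open"),
    ("hr-portal", "A1", date(2020, 3, 9), "open"),
]

def validate(findings):
    """Reject rows with a code outside the 2017 list or an unknown status."""
    for app, code, _, status in findings:
        if code not in OWASP_2017:
            raise ValueError(f"{app}: unknown OWASP code {code}")
        if status not in ("open", "closed"):
            raise ValueError(f"{app}: unknown status {status}")
    return findings

def frequency_by_category(findings):
    """Ranked (code, name, count) list, most frequent category first."""
    counts = Counter(code for _, code, _, _ in findings)
    return [(c, OWASP_2017[c], n) for c, n in counts.most_common()]

def open_by_application(findings):
    """Still-open findings per application, for prioritising fixes."""
    return dict(Counter(app for app, _, _, st in findings if st == "open"))

def count_by_month(findings):
    """Findings per YYYY-MM period, the per-period view the paper lists as future work."""
    return dict(sorted(Counter(d.strftime("%Y-%m") for _, _, d, _ in findings).items()))
```

The ranked category list is what a frequency chart on the dashboard would be drawn from; the per-application count of open findings is the view that supports prioritising fixes.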

RESEARCH METHOD
There are 4 steps undertaken in this research to create the monitoring dashboard, namely data collection, system design, testing, and implementation, as shown in Figure 1 [18]. The research stages shown above are divided into several processes, i.e.:
1. Data collection: Two kinds of data are used in the study, namely dummy pentest report data, which is used during the implementation process, and a list of vulnerabilities collected from the page owasp.org.
2. System design: Carried out by designing the dashboard system that will be built later.

[Figure 1: research stages: Data Gathering, Designing System, Code, Blackbox Testing, Implementation]
Fig. 2. System Architecture.
A system has an iterative cycle or path; this cycle facilitates interaction between system users. This data cycle and the system architecture guide the more detailed system design process. After defining the system architecture and the data cycle, the next step is functional mapping to define the system in more detail and depth. Functional requirements are represented by the use case diagram, as shown in Figure 4. The features of the system prototype were developed based on the results of the functional analysis. The system prototype was then developed to test the design and concept of the system. After the prototype is developed, several testing stages are carried out, such as functional testing. Testing is done using the black box method to ensure that the system can run in an operational environment, meets user needs, and achieves the system design goals. To ensure this, we carried out several stages of system testing following the test design. The results of the black box testing are shown in Table 1. Overall, based on the results obtained from the system test cases, the expected results are in line with the objectives of the system functionality.

Table 1. Black box testing results.

Test Case | Expected results | Results obtained | Information
Login | The system verifies the user | Users who are not registered cannot enter the system | Succeed
User Registration | The system will save a new user account | The system successfully saved a new user account | Succeed
Displays an overall summary of the data | The system will display the dashboard display | The system displays the dashboard display | Succeed
Showing graph | The system will display a dashboard graphic display | The system displays a dashboard graphic display | Succeed
Manage Projects (add, delete, edit) | The system can execute add, edit and delete commands at a time to manage the project | The system can make add, edit, and delete commands at one time to manage |
Users | | The system successfully verified/deleted the user | Succeed
Displays project schedule | The system will display the project schedule | The system displays the project schedule | Succeed
Make a report based on data | The system will print the report according to the menu chosen by the user | The system prints the report according to the user | Succeed
Manage project team members | The system will limit the menu available to each member depending on their access rights | The system limits the menu available to each member depending on their access rights | Succeed
Manage Nodin (add, delete) | The system can do incorrect add and delete commands at a time to manage Nodin | The system successfully added/removed Nodin | Succeed

After the system functionality runs as it should, the next step is to load the previously prepared dummy data into the monitoring dashboard. The dashboard program display using the dummy data is shown in Figure 5 and Figure 6.

CONCLUSION
Based on the research stages described above, it can be concluded that this study produced a dashboard reporting system. The system can record, manage, and display application vulnerabilities based on their frequency of occurrence. Suggestions for further research are to display other analytical data related to vulnerability statistics: data per week/month/year time period and logs of user activity have not yet been recorded as a whole, such as who changed the status of a vulnerability from open to closed.