Title: A static code analysis-based mathematical model-driven vulnerability risk assessment framework for health information applications in cloud

Authors: Dennis B. Park; Xiaolong Li; A. Mehran Shahhosseini; Li-Shiang Tsay

Addresses: College of Technology, Indiana State University, USA ' College of Technology, Indiana State University, USA ' College of Technology, Indiana State University, USA ' College of Science and Technology, North Carolina A&T State University, USA

Abstract: A recent survey shows that the most vulnerable IT sources are business applications (Skybox Security, 2019). Many risk assessment frameworks that exist today, however, do not use the application code as an input source of their risk assessments for the business applications. Instead, they mostly rely on traditional questionnaires, surveys, or meetings to collect the data. Thus, it would be gainful if one can assess the security posture of the software applications with the applications' codes themselves as their data source in assessing their cloud adoption risks. Therefore, this research studies and develops a risk assessment framework that utilises data generated from static code analysis (SCA) on applications as an input source for the application's cloud risk assessment, especially on health information applications because health information applications are the least cloud adopted applications (TCS, 2012). In addition, this study develops the harmonisation methods between security warning information obtained from the SCA tool and the common vulnerability scoring system (CVSS) scores to calculate the cloud risks instead of relying on risk evaluators' assessment.

Keywords: vulnerability risk assessment framework; cloud; health information applications; mathematical model-driven risk calculation; static code analysis; SCA.

DOI: 10.1504/IJFEM.2021.120176

International Journal of Forensic Engineering and Management, 2021 Vol.1 No.2, pp.179 - 208

Received: 07 Jul 2020
Accepted: 30 Nov 2020

Published online: 10 Jan 2022 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article