Abstract
With more applications accessible on the Web, organizations with mission-critical legacy systems have had to find a way to stay relevant and competitive by modernizing with RESTful APIs. REST architecture, serving as a guideline rather than a strict protocol, offers significant advantages in scalability, flexibility, and independence; however, its widespread adoption has also led to notable security vulnerabilities and weaknesses. Additionally, there is no single all-encompassing security testing methodology to follow when testing RESTful APIs. For this reason, a new security testing methodology was developed for legacy MultiValue Pick systems that implement the REST API component MVConnect. The methodology consists of four steps: threat modeling, source code review, penetration testing, and mitigation. A case study involving a legacy D3 MultiValue Pick Database Management System (DMS) implementing MVConnect was assessed following this methodology. Several vulnerabilities were identified and exploited, including security misconfigurations, broken authentication, broken authorization, session mismanagement, server-side request forgery, and unsafe consumption of APIs. Mitigation solutions were proposed, including basic authentication and authorization control mechanisms specific to D3 MultiValue Pick and appropriate firewall rules. The new security testing methodology enabled a successful security assessment of a legacy MultiValue Pick system that employed MVConnect, and the proposed mitigations are capable of securing legacy MultiValue Pick systems implementing MVConnect.
Degree
MS
College and Department
Ira A. Fulton College of Engineering; Electrical and Computer Engineering
Rights
https://lib.byu.edu/about/copyright/
BYU ScholarsArchive Citation
Lee, Jacob S., "Securing Legacy MultiValue Pick Systems Modernized by RESTful Web Service APIs" (2024). Theses and Dissertations. 10671.
https://scholarsarchive.byu.edu/etd/10671
Date Submitted
2024-12-10
Document Type
Thesis
Handle
http://hdl.lib.byu.edu/1877/etd13508
Keywords
legacy systems, REST, RESTful API, MultiValue, Pick, methodology, security, modernization, web services
Language
English