{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,16]],"date-time":"2026-05-16T23:11:33Z","timestamp":1778973093994,"version":"3.51.4"},"reference-count":52,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2025,2,15]],"date-time":"2025-02-15T00:00:00Z","timestamp":1739577600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,2,15]],"date-time":"2025-02-15T00:00:00Z","timestamp":1739577600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1909516"],"award-info":[{"award-number":["1909516"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2025,5]]},"DOI":"10.1007\/s10664-025-10621-5","type":"journal-article","created":{"date-parts":[[2025,2,15]],"date-time":"2025-02-15T05:28:57Z","timestamp":1739597337000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":10,"title":["Comparing effectiveness and efficiency of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) tools in a large java-based system"],"prefix":"10.1007","volume":"30","author":[{"given":"Aishwarya","family":"Seth","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7986-1641","authenticated-orcid":false,"given":"Saikath","family":"Bhattacharya","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5881-4619","authenticated-orcid":false,"given":"Sarah","family":"Elder","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nusrat","family":"Zahan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3300-6540","authenticated-orcid":false,"given":"Laurie","family":"Williams","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2025,2,15]]},"reference":[{"key":"10621_CR1","doi-asserted-by":"publisher","unstructured":"Amankwah R, Chen J, Kudjo P, Towey D (2020) An empirical comparison of commercial and open-source web vulnerability scanners. Softw: Pract Exp 50. https:\/\/doi.org\/10.1002\/spe.2870","DOI":"10.1002\/spe.2870"},{"issue":"2","key":"10621_CR2","doi-asserted-by":"publisher","first-page":"269","DOI":"10.1109\/TSC.2014.2310221","volume":"8","author":"N Antunes","year":"2014","unstructured":"Antunes N, Vieira M (2014) Assessing and comparing vulnerability detection tools for web services: benchmarking approach and examples. IEEE Trans Serv Comput 8(2):269\u2013283","journal-title":"IEEE Trans Serv Comput"},{"key":"10621_CR3","doi-asserted-by":"publisher","unstructured":"Antunes N, Vieira M (2009) Comparing the effectiveness of penetration testing and static code analysis on the detection of sql injection vulnerabilities in web services. In: 2009 15th IEEE Pacific rim international symposium on dependable computing, pp 301\u2013306. https:\/\/doi.org\/10.1109\/PRDC.2009.54","DOI":"10.1109\/PRDC.2009.54"},{"key":"10621_CR4","doi-asserted-by":"crossref","unstructured":"Antunes N, Vieira M (2010) Benchmarking vulnerability detection tools for web services. In: 2010 IEEE International conference on web services. IEEE, pp 203\u2013210","DOI":"10.1109\/ICWS.2010.76"},{"key":"10621_CR5","doi-asserted-by":"crossref","unstructured":"Antunes N, Vieira M (2015) On the metrics for benchmarking vulnerability detection tools. In: 2015 45th Annual IEEE\/IFIP international conference on dependable systems and networks. IEEE, pp 505\u2013516","DOI":"10.1109\/DSN.2015.30"},{"issue":"7","key":"10621_CR6","doi-asserted-by":"publisher","first-page":"1279","DOI":"10.1016\/j.infsof.2012.11.007","volume":"55","author":"A Austin","year":"2013","unstructured":"Austin A, Holmgreen C, Williams L (2013) A comparison of the efficiency and effectiveness of vulnerability discovery techniques. Inf Softw Technol 55(7):1279\u20131288","journal-title":"Inf Softw Technol"},{"key":"10621_CR7","doi-asserted-by":"crossref","unstructured":"Austin A, Williams L (2011) One technique is not enough: a comparison of vulnerability discovery techniques. In: 2011 International symposium on empirical software engineering and measurement. IEEE, pp 97\u2013106","DOI":"10.1109\/ESEM.2011.18"},{"key":"10621_CR8","doi-asserted-by":"publisher","unstructured":"Bailey C, Montrieux L, de\u00a0Lemos R, Yu Y, Wermelinger M (2014) Run-time generation, transformation, and verification of access control models for self-protection. In: Proceedings of the 9th international symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2014. Association for Computing Machinery, New York, NY, USA, pp 135\u2013144. https:\/\/doi.org\/10.1145\/2593929.2593945","DOI":"10.1145\/2593929.2593945"},{"key":"10621_CR9","unstructured":"Bau J, Wang F, Bursztein E, Mutchler P, Mitchell JC (2013) Vulnerability factors in new web applications: audit tools , developer selection & languages"},{"key":"10621_CR10","doi-asserted-by":"publisher","unstructured":"\u010cisar P, \u010cisar SM (2016) The framework of runtime application self-protection technology. In: 2016 IEEE 17th international symposium on Computational Intelligence and Informatics (CINTI), pp 000081\u2013000086. https:\/\/doi.org\/10.1109\/CINTI.2016.7846383","DOI":"10.1109\/CINTI.2016.7846383"},{"key":"10621_CR11","unstructured":"Cook TD, Campbell DT (1979) Quasi-experimentation: design and analysis issues for field settings. Rand McNally College Publishing"},{"key":"10621_CR12","doi-asserted-by":"crossref","unstructured":"Croft R, Newlands D, Chen Z, Babar MA (2021) An empirical study of rule-based and learning-based approaches for static application security testing. In: Proceedings of the 15th ACM\/IEEE international symposium on Empirical Software Engineering and Measurement (ESEM), pp 1\u201312","DOI":"10.1145\/3475716.3475781"},{"key":"10621_CR13","doi-asserted-by":"publisher","first-page":"100234","DOI":"10.1109\/ACCESS.2023.3315595","volume":"11","author":"DB Cruz","year":"2023","unstructured":"Cruz DB, Almeida JaR, Oliveira JL (2023) Open source solutions for vulnerability assessment: a comparative analysis. IEEE Access 11:100234\u2013100255. https:\/\/doi.org\/10.1109\/ACCESS.2023.3315595","journal-title":"IEEE Access"},{"key":"10621_CR14","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.500-326","author":"AM Delaitre","year":"2018","unstructured":"Delaitre AM, Stivalet BC, Black PE, Okun V, Cohen TS, Ribeiro A (2018) Sate v report: ten years of static analysis tool expositions, NIST SP 500\u2013326. National Institute of Standards and Technology (NIST). https:\/\/doi.org\/10.6028\/NIST.SP.500-326","journal-title":"National Institute of Standards and Technology (NIST)"},{"key":"10621_CR15","doi-asserted-by":"publisher","unstructured":"Delaitre A, Stivalet B, Black P, Okun V, Cohen T, Ribeiro A (2018) Sate v report: ten years of static analysis tool expositions (2018-10-23). https:\/\/doi.org\/10.6028\/NIST.SP.500-326","DOI":"10.6028\/NIST.SP.500-326"},{"key":"10621_CR16","doi-asserted-by":"publisher","unstructured":"Doup\u00e9 A, Cova M, Vigna G (2010) Why johnny can\u2019t pentest: an analysis of black-box web vulnerability scanners 6201:111\u2013131. https:\/\/doi.org\/10.1007\/978-3-642-14215-4_7","DOI":"10.1007\/978-3-642-14215-4_7"},{"key":"10621_CR17","doi-asserted-by":"crossref","unstructured":"Elder S, Zahan N, Shu R, Metro M, Kozarev V, Menzies T, Williams L (2022) Do i really need all this work to find vulnerabilities? an empirical case study comparing vulnerability detection techniques on a java application. Empir Softw Eng","DOI":"10.1007\/s10664-022-10179-6"},{"key":"10621_CR18","unstructured":"Feldt R, Magazinius A (2010) Validity threats in empirical software engineering research-an initial survey. In: Seke, pp 374\u2013379"},{"key":"10621_CR19","doi-asserted-by":"publisher","unstructured":"Fonseca J, Vieira M, Madeira H (2007) Testing and comparing web vulnerability scanning tools for sql injection and xss attacks. In: 13th Pacific Rim International Symposium on Dependable Computing (PRDC 2007), pp 365\u2013372. https:\/\/doi.org\/10.1109\/PRDC.2007.55","DOI":"10.1109\/PRDC.2007.55"},{"key":"10621_CR20","volume-title":"Runtime application self-protection (rasp), investigation of the effectiveness of a rasp solution in protecting known vulnerable target applications","author":"A Fry","year":"2021","unstructured":"Fry A (2021) Runtime application self-protection (rasp), investigation of the effectiveness of a rasp solution in protecting known vulnerable target applications. Tech. rep, SANS Institute"},{"key":"10621_CR21","unstructured":"Heijstek A (2023) Bridging theory and practice: insights into practical implementations of security practices in secure devops and ci\/cd environments. Ph.D. thesis, Universiteit van Amsterdam"},{"key":"10621_CR22","doi-asserted-by":"publisher","first-page":"1555","DOI":"10.32604\/cmc.2020.010885","volume":"64","author":"J-R Higuera","year":"2020","unstructured":"Higuera J-R, Bermejo J, Montalvo JA, Villalba J, P\u00e9rez J (2020) Benchmarking approach to compare web applications static analysis tools detecting owasp top ten security vulnerabilities. Comput Mater Continua 64:1555\u20131577. https:\/\/doi.org\/10.32604\/cmc.2020.010885","journal-title":"Comput Mater Continua"},{"key":"10621_CR23","doi-asserted-by":"publisher","unstructured":"Huang Y-W, Yu F, Hang C, Tsai C-H, Lee D-T, Kuo S-Y (2004) Securing web application code by static analysis and runtime protection. In: Proceedings of the 13th international conference on World Wide Web, WWW \u201904. Association for Computing Machinery, New York, NY, USA, pp 40\u201352. https:\/\/doi.org\/10.1145\/988672.988679","DOI":"10.1145\/988672.988679"},{"key":"10621_CR24","unstructured":"ISO\/IEC\/IEEE (2013) Software and systems engineering - software testing - part 1: concepts and definitions. ISO\/IEC\/IEEE 29119-1:2013, International Organization for Standardization (ISO), International Electrotechnical Commission (IES), and Institute of Electrical and Electronics Engineers (IEEE)"},{"key":"10621_CR25","doi-asserted-by":"publisher","unstructured":"Ji M, Yin M, Zhou YH (2023) Application of static taint analysis in rasp protection strategy. In: Proceedings of the 2022 international Conference on Cyber Security, CSW \u201922. Association for Computing Machinery, New York, NY, USA, pp 40\u201345. https:\/\/doi.org\/10.1145\/3584714.3584723","DOI":"10.1145\/3584714.3584723"},{"key":"10621_CR26","doi-asserted-by":"publisher","DOI":"10.4135\/9781483384733","volume-title":"Experimental design: procedures for the behavioral sciences","author":"R Kirk","year":"2013","unstructured":"Kirk R (2013) Experimental design: procedures for the behavioral sciences, 4th edn. Sage Publications, Thousand Oaks","edition":"4"},{"key":"10621_CR27","doi-asserted-by":"publisher","unstructured":"Klees G, Ruef A, Cooper B, Wei S, Hicks M (2018) Evaluating fuzz testing. https:\/\/doi.org\/10.48550\/ARXIV.1808.09700. https:\/\/arxiv.org\/abs\/1808.09700","DOI":"10.48550\/ARXIV.1808.09700"},{"key":"10621_CR28","doi-asserted-by":"crossref","unstructured":"Lung J, Aranda J, Easterbrook SM, Wilson GV (2008) On the difficulty of replicating human subjects studies in software engineering. In: Proceedings of the 30th International Conference on Software Engineering, ICSE \u201908. Association for Computing Machinery, New York, NY, USA, pp 191\u2013200","DOI":"10.1145\/1368088.1368115"},{"key":"10621_CR29","volume-title":"Software security: building security in Addison-Wesley Professional","author":"G McGraw","year":"2006","unstructured":"McGraw G (2006) Software security: building security in Addison-Wesley Professional. Upper Saddle River, NJ"},{"key":"10621_CR30","unstructured":"MITRE (2020) Cve\u00ae numbering authority (cna) rules. https:\/\/cve.mitre.org\/cve\/cna\/CNA_Rules_v3.0.pdf"},{"key":"10621_CR31","unstructured":"MITRE (2022) Cwe common weakness enumeration (website). https:\/\/cwe.mitre.org\/"},{"key":"10621_CR32","unstructured":"NVD (2022) Vulnerabilities. https:\/\/nvd.nist.gov\/vuln. Accessed 19 Jun 2022"},{"key":"10621_CR33","unstructured":"Open Web Application Security Project (OWASP) (2022) Foundation. Owasp benchmark. https:\/\/owasp.org\/www-project-benchmark\/"},{"key":"10621_CR34","unstructured":"Open Web Application Security Project (OWASP) Foundation (2021) Owasp top ten 2021: related cheat sheets. https:\/\/cheatsheetseries.owasp.org\/IndexTopTen.html"},{"key":"10621_CR35","unstructured":"Open Web Application Security Project (OWASP) Foundation (2022) The owasp top ten application security risks project. https:\/\/owasp.org\/www-project-top-ten\/"},{"key":"10621_CR36","unstructured":"OpenMRS Developer Manual (2020). http:\/\/devmanual.openmrs.org\/en\/. Accessed 24 Jul 2021"},{"key":"10621_CR37","doi-asserted-by":"publisher","unstructured":"Pan Y (2019) Interactive application security testing. In: International Conference on Smart Grid and Electrical Automation (ICSGEA), pp 558\u2013561. https:\/\/doi.org\/10.1109\/ICSGEA.2019.00131","DOI":"10.1109\/ICSGEA.2019.00131"},{"issue":"5","key":"10621_CR38","doi-asserted-by":"publisher","first-page":"118","DOI":"10.1007\/s10664-023-10354-3","volume":"28","author":"G Piskachev","year":"2023","unstructured":"Piskachev G, Becker M, Bodden E (2023) Can the configuration of static analyses make resolving security vulnerabilities more effective?-a user study. Empir Softw Eng 28(5):118","journal-title":"Empir Softw Eng"},{"key":"10621_CR39","doi-asserted-by":"publisher","unstructured":"Pupo ALS, Nicolay J, Boix EG (2021) Deriving static security testing from runtime security protection for web applications. Art Sci Eng Program 6(1). https:\/\/doi.org\/10.22152\/programming-journal.org\/2022\/6\/1","DOI":"10.22152\/programming-journal.org\/2022\/6\/1"},{"key":"10621_CR40","doi-asserted-by":"publisher","unstructured":"Rahman AAU, Helms E, Williams L, Parnin C (2015) Synthesizing continuous deployment practices used in software development. In: 2015 Agile conference, pp 1\u201310. https:\/\/doi.org\/10.1109\/Agile.2015.12","DOI":"10.1109\/Agile.2015.12"},{"key":"10621_CR41","doi-asserted-by":"crossref","unstructured":"Rajapakse RN, Zahedi M, Babar MA (2021) An empirical analysis of practitioners\u2019 perspectives on security tool integration into devops. In: Proceedings of the 15th ACM \/ IEEE international symposium on Empirical Software Engineering and Measurement (ESEM), ESEM \u201921. Association for Computing Machinery","DOI":"10.1145\/3475716.3475776"},{"key":"10621_CR42","doi-asserted-by":"crossref","unstructured":"Ralph P, Tempero E (2018) Construct validity in software engineering research and software metrics. In: Proceedings of the 22nd international conference on evaluation and assessment in software engineering 2018, pp 13\u201323","DOI":"10.1145\/3210459.3210461"},{"key":"10621_CR43","doi-asserted-by":"publisher","unstructured":"Scandariato R, Walden J, Joosen W (2013) Static analysis versus penetration testing: a controlled experiment. In: 2013 IEEE 24th International Symposium on Software Reliability Engineering (ISSRE), pp 451\u2013460. https:\/\/doi.org\/10.1109\/ISSRE.2013.6698898","DOI":"10.1109\/ISSRE.2013.6698898"},{"key":"10621_CR44","doi-asserted-by":"crossref","unstructured":"Seth A (2022) Comparing effectiveness and efficiency of interactive application security testing (iast) and runtime application self-protection (rasp) tools. Master\u2019s thesis, North Carolina State University","DOI":"10.2139\/ssrn.4306114"},{"key":"10621_CR45","doi-asserted-by":"publisher","unstructured":"Setiawan H, Erlangga LE, Baskoro I (2020) Vulnerability analysis using the interactive application security testing (iast) approach for government x website applications. In: 2020 3rd International Conference on Information and Communications Technology (ICOIACT), pp 471\u2013475. https:\/\/doi.org\/10.1109\/ICOIACT50329.2020.9332116","DOI":"10.1109\/ICOIACT50329.2020.9332116"},{"key":"10621_CR46","unstructured":"StackOverFlow (2021) Most popular technologies. https:\/\/survey.stackoverflow.co\/2021#technology-most-popular-technologies"},{"key":"10621_CR47","unstructured":"Tudela FM, Higuera J-RB, Higuera JB, Montalvo J-AS, Argyros MI (2020) On combining static, dynamic and interactive analysis security testing tools to improve owasp top ten security vulnerability detection in web applications. Appl Sci. https:\/\/api.semanticscholar.org\/CorpusID:234536018"},{"key":"10621_CR48","doi-asserted-by":"crossref","unstructured":"Tudela FM, Higuera J-RB, Higuera JB, Montalvo J-AS, Argyros MI (2020) On combining static, dynamic and interactive analysis security testing tools to improve OWASP top ten security vulnerability detection in web applications. In: Special issue cyber security of critical infrastructures appl. sci. 2020), vol 10, no 24","DOI":"10.3390\/app10249119"},{"key":"10621_CR49","unstructured":"Williams J (2019) Sast, dast, and iast security testing. https:\/\/www.contrastsecurity.com\/security-influencers\/why-the-difference-between-sast-dast-and-iast-matters. Accessed 14 Dec 2023"},{"key":"10621_CR50","doi-asserted-by":"crossref","unstructured":"Wohlin C, Runeson P, H\u00f6st M, Ohlsson MC, Regnell B, Wessl\u00e9n A (2012) Experimentation in software engineering. Springer Science & Business Media","DOI":"10.1007\/978-3-642-29044-2"},{"key":"10621_CR51","doi-asserted-by":"crossref","unstructured":"Yin Z, Li Z, Cao Y (2018) A web application runtime application self-protection scheme against script injection attacks. In: Cloud computing and security. Springer International Publishing, Cham, pp 566\u2013577","DOI":"10.1007\/978-3-030-00009-7_51"},{"key":"10621_CR52","doi-asserted-by":"publisher","unstructured":"Yuan E, Malek S, Schmerl B, Garlan D, Gennari J (2013) Architecture-based self-protecting software systems. In: Proceedings of the 9th international ACM sigsoft conference on quality of software architectures, QoSA \u201913. Association for Computing Machinery, New York, NY, USA, pp 33\u201342. https:\/\/doi.org\/10.1145\/2465478.2465479","DOI":"10.1145\/2465478.2465479"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10621-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-025-10621-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10621-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,20]],"date-time":"2025-11-20T13:26:44Z","timestamp":1763645204000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-025-10621-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,15]]},"references-count":52,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2025,5]]}},"alternative-id":["10621"],"URL":"https:\/\/doi.org\/10.1007\/s10664-025-10621-5","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,15]]},"assertion":[{"value":"27 January 2025","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"15 February 2025","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"Data was collected following North Carolina State University (NCSU) Institutional Review Board Protocol 20569.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval"}},{"value":"To our knowledge, the authors have no conflicts of interest to declare that are relevant to the content of this article.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflicts of interest\/Competing interests"}}],"article-number":"67"}}