Security Assessment of Open-Source Village Governance Systems: A Case Study of OpenSID

Ikhsan Fanani (1*), Nana Sujana (2), Muhamad Hilmansyah Susanta (3)
(1) Politeknik Pajajaran ICB Bandung
(2) Politeknik Pajajaran ICB Bandung
(3) Politeknik Pajajaran ICB Bandung
(*) Corresponding Author
DOI: 10.35889/progresif.v22i1.3560

Abstract

Indonesia's OpenSID platform manages sensitive citizen data across thousands of rural administrative units, yet no empirical security assessment of it exists in the academic literature. This study addresses that gap through a comprehensive security evaluation using Static Application Security Testing (SAST) and Software Composition Analysis (SCA), with findings mapped to the OWASP Top 10 and scored using CVSS v3.1. The analysis identified 402 raw findings, of which 170 (42.3%) were confirmed as true positives after manual validation. Broken Access Control (105 findings) and Injection vulnerabilities (26 findings) were predominant, and seven Critical or High severity issues were detected, including path traversal and dependencies with known CVEs. The 57.7% false positive rate emphasizes the necessity of manual validation alongside automated scanning. This research provides the first structured security audit of Indonesian governance software and recommends adopting GitHub-native security tools and a formal vulnerability disclosure policy.

Keywords: OpenSID; Security Assessment; OWASP Top 10; Static Application Security Testing; Village Information System



