A Framework for Automated Web Application Security Evaluation
Slide 1: A Framework for Automated Web Application Security Evaluation
Razieh Rezaei Saleh
Supervisor: Dr. Mohsen Kahani

Slide 2: A Framework for Automated Web Application Security Evaluation
This framework:
- Tests a web application from the viewpoint of security issues.
- Uses the results of the security test for the security evaluation of the web application.
- Optimizes security metrics for automated security evaluation.
- Gives a security level to the web application.

Slide 3: Security Evaluation
- Is the process of determining how secure a system is.
- Security evaluation needs information gathered from humans and from testing tools.
- The first step in security evaluation is security testing.

Slide 4: Security Testing
The process of determining that an IS (Information System) protects data and maintains functionality as intended.
The six basic security concepts that need to be covered by security testing are:
- Confidentiality
- Integrity
- Authentication
- Authorization
- Availability
- Non-repudiation

Slide 5: Why Web Applications?
- Because of the globalization of the web, and because the internet is the major tool for international information exchange, the security of web applications is becoming more and more important.
- Web applications are very vulnerable to DoS attacks and to compromise of security and access control.
- Automated testing tools are vital because of the growth in web applications' size and complexity.

Slide 6: Types of security test
There are two types of security test:
Static:
- Analyzes the source code for security defects
- Known as white-box security testing
- Needs the source code
Dynamic:
- Elicits vulnerabilities by sending malicious requests and investigating the replies
- Used when the source code is not available
- The tester looks at the application from the attacker's perspective
- Analyzes only applications deployed in test or production environments

Slide 7: Security testing tools
There are eight security tool categories:
- source code analyzers
- web application (black-box) scanners
- database scanners
- binary analysis tools
- runtime analysis tools
- configuration management tools
- HTTP proxies
- miscellaneous tools

Slide 8: Web Application (black-box) Scanners

Slide 9: Automated security testing tool
In an automated security test, there are three fundamental steps:
- Discovering new URLs and forms by crawling
- Creating test scripts with crafted data
- Sending malicious requests to the web application
- Analyzing the responses to detect vulnerabilities
- Exploiting vulnerabilities

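The scanner pipeline of slide 9 (crawl, generate a test per injection point, send, analyze), as an added example that is not code from the thesis or its framework. It runs offline: SAMPLE_PAGE is a constructed page standing in for a crawled target, and unencoded_app / encoded_app are constructed stand-ins for the application under test, so the "send" step is a function call rather than an HTTP request. The probe value is a harmless marker containing characters that an application must HTML-encode before echoing them; the analyzer reports an injection point only when the marker comes back raw, which is the output-encoding failure a tester would want to catch before an attacker does.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed page standing in for a crawled target (assumption: one form, two fields).
SAMPLE_PAGE = """<html><body>
<a href="/about">About</a>
<form action="/search" method="get">
  <input type="text" name="q">
  <input type="hidden" name="lang" value="en">
  <input type="submit" value="Go">
</form>
</body></html>"""

# Probe value: unique so a reflection is unambiguous, and containing characters that a
# correctly encoding application must transform before echoing them into HTML.
MARKER = 'zx9q<"TEST">qz9x'


class FormCrawler(HTMLParser):
    """Step 1 (discovery): collect links and forms with their input names from one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(), "fields": []}
        elif tag == "input" and self._form is not None:
            # every named, non-button input of the form is an injection point
            if a.get("name") and (a.get("type") or "text") not in ("submit", "button", "reset"):
                self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def discover(base_url, html_text):
    crawler = FormCrawler(base_url)
    crawler.feed(html_text)
    return crawler.links, crawler.forms


def generate_tests(forms):
    """Step 2: one test case per injection point; the probed field carries MARKER."""
    tests = []
    for form in forms:
        for field in form["fields"]:
            params = {f: (MARKER if f == field else "x") for f in form["fields"]}
            tests.append({"url": form["action"], "method": form["method"],
                          "field": field, "params": params})
    return tests


def reflects_unencoded(body, marker=MARKER):
    """Step 4: a raw reflection is the finding; an HTML-encoded echo is correct behaviour."""
    return marker in body


# Constructed stand-ins for the application under test (step 3 would send HTTP requests).
def unencoded_app(params):
    return "<p>Results for " + params.get("q", "") + "</p>"


def encoded_app(params):
    return "<p>Results for " + escape(params.get("q", "")) + "</p>"


def run_scan(tests, app):
    """Returns the (url, field) pairs whose input reached the page without encoding."""
    return [(t["url"], t["field"]) for t in tests if reflects_unencoded(app(t["params"]))]


if __name__ == "__main__":
    links, forms = discover("http://example.test/", SAMPLE_PAGE)
    tests = generate_tests(forms)
    print("unencoded app:", run_scan(tests, unencoded_app))
    print("encoded app:  ", run_scan(tests, encoded_app))
```

The hidden field lang is treated as an injection point like any other, because a scanner cannot assume the server trusts hidden values less than visible ones; it is only not reported here because the constructed application never echoes it.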
Slide 10: Security evaluation
- Is the process of determining how secure a system is.
- Security evaluation needs information gathered from humans and from testing tools.
- For evaluation we need security metrics and measures.

Slide 11: Related works
- Web Application Security Consortium: Threat Classification (WASC TC)
- Web Application Security Statistics Project (WASSP)
- A Metrics Framework to Drive Application Security Improvement
- Common Vulnerability Scoring System (CVSS)
- ISO/IEC 15408: Evaluation criteria for IT security
- ISO/IEC 18045: Methodology for IT security evaluation

Slide 12: Threat Classification
- Identify all known web application security classes of attack.
- Agree on naming for each class of attack.
- Develop a structured manner to organize the classes of attack.
- Develop documentation that provides generic descriptions of each class of attack.
Web Application Security Consortium: Threat Classification, version 1.00

Slide 13: Threat Classification
Six security classes of attack:
- Authentication
- Authorization
- Client-side Attacks
- Command Execution
- Information Disclosure
- Logical Attacks
Web Application Security Consortium: Threat Classification, version 1.00

Slide 14: Web Application Security Statistics Project
- Identify the prevalence and probability of different vulnerability classes.
- Compare testing methodologies against the types of vulnerabilities they are likely to identify.
The statistics include two different data sets:
- automated testing results
- security assessment results made using black- and white-box methodology
Web Application Security Consortium: Web Application Security Statistics Project, 2007

Slide 15: Web Application Security Statistics Project
Consequently, 3 data sets were obtained:
1. Overall statistics
2. Automated scanning statistics
3. Black- and white-box methods security assessment statistics
Web Application Security Consortium: Web Application Security Statistics Project, 2007

Slide 16: Web Application Security Statistics Project
[Figure: The probability distribution of vulnerability detection according to WASC TCv1 classes (black box and white box)]

Slide 17: Web Application Security Statistics Project
[Figure: The probability distribution of vulnerability detection according to WASC TCv1 classes]

Slide 18: A Metrics Framework to Drive Application Security Improvement
- Breaks an application's lifecycle into three main phases: design, deployment, runtime.
- Organizes metrics according to lifecycle phase in addition to OWASP type.
Nichols, E.A., Peterson, G., A Metrics Framework to Drive Application Security Improvement, IEEE Security & Privacy, Volume 5, Issue 2, March-April 2007

Slide 19: OWASP Top Ten Vulnerabilities
OWASP's most serious web application vulnerabilities:
- Unvalidated input
- Broken access control
- Broken authentication and session management
- Cross-site scripting
- Buffer overflow
- Injection flaws
- Improper error handling
- Insecure storage
- Application denial of service
- Insecure configuration management
Open Web Application Security Project (OWASP), The ten most critical web application security vulnerabilities, 2007

Slide 20: Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is an open framework that offers the following benefits:
- Standardized vulnerability scores
- Open framework
- Prioritized risk
Common Vulnerability Scoring System, Version 2.0, June 2007

Slide 21: Common Vulnerability Scoring System (CVSS)
CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics.
- Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and across user environments.
- Temporal: represents the characteristics of a vulnerability that change over time but not among user environments.
- Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment.

Slide 22: Common Vulnerability Scoring System (CVSS)
When the base metrics are assigned values, the base equation calculates a score ranging from 0 to 10.

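The base equation of slide 22 carried through in code, as an added example that is not part of the thesis. The metric weights and the Impact / Exploitability / f(Impact) formulas are the ones published in the CVSS v2.0 guide (June 2007); the severity labels are the qualitative ranges NVD applied to v2 scores, not part of the v2 specification itself, and are included here as an assumption about how a framework would turn a number into a category. The vector string format AV:x/AC:x/Au:x/C:x/I:x/A:x follows the v2 guide.

```python
# CVSS v2.0 base-metric weights, as published in the CVSS v2 guide (June 2007).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # local / adjacent network / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # high / medium / low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # none / partial / complete

# Qualitative ranges NVD applied to v2 scores (assumption; not in the v2 specification).
SEVERITY_RANGES = ((0.0, 3.9, "Low"), (4.0, 6.9, "Medium"), (7.0, 10.0, "High"))


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:C/I:C/A:C' -> {'AV': 'N', 'AC': 'L', ...}; rejects incomplete vectors."""
    parts = dict(p.split(":", 1) for p in vector.split("/"))
    if set(parts) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError("base vector must contain exactly AV, AC, Au, C, I and A")
    return parts


def base_components(vector):
    """Impact and Exploitability sub-scores plus the rounded base score, per the v2 equation."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # f(Impact): a vulnerability with no impact scores 0
    score = round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)
    return {"impact": impact, "exploitability": exploitability, "score": score}


def base_score(vector):
    return base_components(vector)["score"]


def severity(score):
    """Map a rounded base score to the assumed qualitative label."""
    for low, high, label in SEVERITY_RANGES:
        if low <= score <= high:
            return label
    raise ValueError("score outside 0..10: %r" % (score,))


if __name__ == "__main__":
    for vec in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",   # remotely reachable, full compromise
                "AV:N/AC:L/Au:N/C:N/I:N/A:C",   # remote, availability only
                "AV:L/AC:H/Au:M/C:N/I:N/A:N"):  # no impact at all
        s = base_score(vec)
        print(vec, "->", s, severity(s))
```

The f(Impact) factor is the part people forget when they re-implement the equation: without it, a vector with no impact still scores positive from its Exploitability term alone, and the 0..10 range stated on slide 22 would have a false floor.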
Slide 23: ISO/IEC 15408: Evaluation criteria for IT security
This standard consists of the following parts:
- Part 1: Introduction and general model
- Part 2: Security functional requirements
- Part 3: Security assurance requirements
It contains criteria for the evaluation of security requirements.
ISO/IEC 15408-1, Information technology - Security techniques - Evaluation criteria for IT security - Parts 1, 2, 3, Second edition, 2005-10-01

Slide 24: ISO/IEC 15408: Evaluation criteria for IT security
- Provides a common set of requirements for the security functions of IT products and systems and for assurance measures applied to them during a security evaluation.
- Defines classes of requirements and dependencies between them.
ISO/IEC 15408-1, Information technology - Security techniques - Evaluation criteria for IT security - Parts 1, 2, 3, Second edition, 2005-10-01

Slide 25: ISO/IEC 18045: Methodology for IT security evaluation
- Defines a methodology for IT security evaluation based on the Evaluation Assurance Levels (EAL) defined in ISO/IEC 15408.
- This International Standard recognizes three mutually exclusive verdict states:
  - Conditions for a pass verdict
  - Conditions for an inconclusive verdict
  - Conditions for a fail verdict
ISO/IEC 18045, Information technology - Security techniques - Methodology for IT security evaluation, Second edition, 2008-08-15

Slide 26:

Slide 27: My framework
- Performs the security test of the web application under test automatically.
- Uses automatic scanners for testing.
- Uses the results of the security test for the security evaluation of the web application.
- Optimizes security metrics for automated security evaluation.
- Gives a security level to the web application.

Slide 28: Framework Architecture
An agent-based architecture is selected for distributing tasks between agents.
- Test Runtime Environment Agent (TREA) is the central part of the architecture. It is responsible for managing and coordinating the other agents.
- Test Script Generator Agent crawls the web application under test and generates a test script for every injection point.
- Test Code Generator Agent develops and compiles the test scripts.
- Test Executer Agent gets the executable script and runs it, then returns the results to TREA.
- Result Analyzer Agent gets the total results, analyzes them and assesses the security level of the web application.

Slide 29: Evaluation ...
After performing the security test, the results are used for evaluation.
The steps of evaluation are as follows:
- Study the web application's characteristics.
- Study previous works for choosing or adapting metrics.

Slide 30: Evaluation ...
- Metrics must have two characteristics:
  - Be relevant to the security of web applications
  - Be measurable with the results of testing
- Determine how to measure the selected metrics.
- Assign weights to these metrics based on published statistical results and experts' viewpoints.
- Specify the number of security levels.

Slide 31: Evaluation
- Give a definition for each security level and specify the security requirements of each level.
- Specify the set of metrics relevant to each level and the required range of each.
- Assign a security level to the system under test.

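The evaluation procedure of slides 29 to 31 (measure each metric from test results, weight it, define levels with required metric ranges, assign the highest level whose requirements are met), as an added example that is not the thesis's own code or its actual metrics. Everything numeric here is an assumption: the per-class metric (confirmed findings per tested injection point), the weights, the choice of three levels and each level's limits are constructed for illustration, and the attack classes are the six WASC TC v1 classes from slide 13. The scan counts in the usage block are constructed input, not measurements.

```python
# Attack classes of WASC Threat Classification v1 (slide 13).
CLASSES = ("Authentication", "Authorization", "Client-side Attacks",
           "Command Execution", "Information Disclosure", "Logical Attacks")

# Assumed weights (the thesis derives them from published statistics and expert opinion;
# these numbers are illustrative and sum to 1.0).
WEIGHTS = {"Authentication": 0.20, "Authorization": 0.15, "Client-side Attacks": 0.20,
           "Command Execution": 0.30, "Information Disclosure": 0.10, "Logical Attacks": 0.05}

# Assumed three levels, highest first. Each level states the largest weighted score it
# tolerates and the classes in which it tolerates no finding at all (required range [0, 0]).
LEVELS = (
    (3, {"max_weighted": 0.02,
         "zero_classes": ("Command Execution", "Authentication", "Client-side Attacks")}),
    (2, {"max_weighted": 0.15, "zero_classes": ("Command Execution",)}),
    (1, {"max_weighted": 1.00, "zero_classes": ()}),
)


def measure(findings, injection_points):
    """Metric per class: confirmed findings per tested injection point, clipped to [0, 1]."""
    if injection_points <= 0:
        raise ValueError("need at least one tested injection point")
    unknown = set(findings) - set(CLASSES)
    if unknown:
        raise ValueError("findings in classes outside the classification: %r" % sorted(unknown))
    return {c: min(1.0, findings.get(c, 0) / injection_points) for c in CLASSES}


def weighted_score(measures):
    """Single aggregate in [0, 1]; lower is better."""
    return sum(WEIGHTS[c] * measures[c] for c in CLASSES)


def meets(level_req, measures, score):
    """A level is met when the aggregate is within its limit and every zero-class metric is 0."""
    return (score <= level_req["max_weighted"]
            and all(measures[c] == 0 for c in level_req["zero_classes"]))


def assign_level(findings, injection_points):
    """Returns (level, weighted score, per-class measures); the highest satisfied level wins."""
    m = measure(findings, injection_points)
    s = weighted_score(m)
    for level, req in LEVELS:
        if meets(req, m, s):
            return level, s, m
    return 0, s, m   # not reachable while the lowest level accepts the metric maxima


if __name__ == "__main__":
    # Constructed scan result: 40 injection points tested, a few confirmed findings.
    scan = {"Client-side Attacks": 2, "Information Disclosure": 3}
    level, score, measures = assign_level(scan, injection_points=40)
    print("level %d, weighted score %.4f" % (level, score))
    for c in CLASSES:
        print("  %-22s %.3f" % (c, measures[c]))
```

Ordering the levels from highest to lowest and returning the first match is what makes "assign a security level" deterministic: the per-level ranges can overlap (level 2's weighted limit contains level 3's), so the assignment must be the best level satisfied rather than any level satisfied.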
Slide 32: Thanks for your attention.