
A Framework for Automated Web Application Security Evaluation

Slide 1:
Razieh Rezaei Saleh
Supervisor: Dr. Mohsen Kahani

Slide 2:
A Framework for Automated Web Application Security Evaluation
This framework:
- Tests a web application from the viewpoint of security issues.
- Uses the result of the security test for security evaluation of the web application.
- Optimizes security metrics for automated security evaluation.
- Gives a security level to the web application.

Slide 3:
Security Evaluation
- Is the process of determining how secure a system is.
- Security evaluation needs information gathered from humans and from testing tools.
- The first step in security evaluation is security testing.

Slide 4:
Security Testing
- The process of determining that an IS (Information System) protects data and maintains functionality as intended.
- The six basic security concepts that need to be covered by security testing are: Confidentiality, Integrity, Authentication, Authorization, Availability, Non-repudiation.

Slide 5:
Why Web Applications?
- Because of the globalization of the web and the Internet being the major tool for international information exchange, the security of web applications is becoming more and more important.
- Web applications are very vulnerable to DoS attacks and to security and access compromise.
- Automated testing tools are vital because of the growth in web applications' extent and complexity.

Slide 6:
There are two types of security test:
- Static:
  - Analyzes the source code for security defects
  - Known as white-box security testing
  - Needs the source code
- Dynamic:
  - Elicits vulnerabilities by sending malicious requests and investigating the replies
  - Used when the source code is not available
  - The tester looks at the application from the attacker's perspective
  - Analyzes only applications deployed in test or production environments

Slide 7:
Security testing tools
There are eight security tool categories:
- source code analyzers,
- web application (black-box) scanners,
- database scanners,
- binary analysis tools,
- runtime analysis tools,
- configuration management tools,
- HTTP proxies,
- miscellaneous tools.

Slide 8:
Example tools (table from the slide)
Tool type: Web application (black-box) scanners
Life-cycle phase: Predeployment, Postdeployment
Commercial:
- SPI Dynamics WebInspect (www.spidynamics.com/products/index.html)
- Sanctum AppScan (www.watchfire.com/securityzone/product/appscansix.aspx)
Free/open source:
- OWASP WebScarab (www.owasp.org/software/webscarab.html)
- OWASP Beretta (www.devcafe.co.uk/beretta/index.htm)
- Nikto (www.cirt.net/code/nikto.shtml)
- Wikto (www.sensepost.com/research/wikto)
- EOR (www.sensepost.com/research/eor)
- Spike (www.immunitysec.com/resources-freesoftware.shtml)

Slide 9:
Automated security testing tool
In an automated security test, there are three fundamental steps:
- Discovering new URLs and forms by crawling
- Creating a test script with crafted data
- Sending the malicious request to the web application
- Analyzing the response to detect vulnerabilities
- Exploiting vulnerabilities

Slide 10:
Security evaluation
- Is the process of determining how secure a system is.
- Security evaluation needs information gathered from humans and from testing tools.
- For evaluation we need security metrics and measures.

Slide 11:
Related works
- Web Application Security Consortium: Threat Classification (WASC TC)
- Web Application Security Statistics Project (WASSP)
- A Metrics Framework to Drive Application Security Improvement
- Common Vulnerability Scoring System (CVSS)
- ISO/IEC 15408: Evaluation criteria for IT security
- ISO/IEC 18045: Methodology for IT security evaluation

Slide 12:
Threat Classification
- Identify all known web application security classes of attack.
- Agree on naming for each class of attack.
- Develop a structured manner to organize the classes of attack.
- Develop documentation that provides generic descriptions of each class of attack.
Web Application Security Consortium: Threat Classification, version 1.00

Slide 13:
Threat Classification
Six security classes of attack:
- Authentication
- Authorization
- Client-side Attacks
- Command Execution
- Information Disclosure
- Logical Attacks
Web Application Security Consortium: Threat Classification, version 1.00

Slide 14:
Web Application Security Statistics
- Identify the prevalence and probability of different vulnerability classes.
- Compare testing methodologies against the types of vulnerabilities they are likely to identify.
- The statistics include two different data sets:
  - automated testing results
  - security assessment results made using black-box and white-box methodology
Web Application Security Consortium: Web Application Security Statistics Project, 2007

Slide 15:
Web Application Security Statistics Project
Consequently, 3 data sets were obtained:
1. Overall statistics
2. Automated scanning statistics
3. Black-box and white-box methods security assessment statistics
Web Application Security Consortium: Web Application Security Statistics Project, 2007

Slide 16:
Web Application Security Statistics Project
(Figure: the probability distribution of vulnerability detection according to WASC TC v1 classes, black-box and white-box.)

Slide 17:
(Figure: the probability distribution of vulnerability detection according to WASC TC v1 classes.)

Slide 18:
A Metrics Framework to Drive Application Security Improvement
- Break an application's lifecycle into three main phases:
  - design,
  - deployment,
  - runtime.
- Organize metrics according to the life cycle in addition to the OWASP type.
Nichols, E.A., Peterson, G., A Metrics Framework to Drive Application Security Improvement, IEEE Symp. Security and Privacy, Volume 5, Issue

Slide 19:
OWASP Top Ten Vulnerabilities
OWASP's most serious web application vulnerabilities:
1. Unvalidated input
2. Broken access control
3. Broken authentication and session management
4. Cross-site scripting
5. Buffer overflow
6. Injection flaws
7. Improper error handling
8. Insecure storage
9. Application denial of service
10. Insecure configuration management
Open Web Application Security Project (OWASP) - The ten most critical web application security vulnerabilities, 2007

Slide 20:
Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is an open framework that offers the following benefits:
- Standardized vulnerability scores
- Open framework
- Prioritized risk
Common Vulnerability Scoring System, Version 2.0, June 2007

Slide 21:
Common Vulnerability Scoring System (CVSS)
CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics.
- Base metric group: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments.
- Temporal metric group: represents the characteristics of a vulnerability that change over time but not among user environments.
- Environmental metric group: represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment.

Slide 22:
Common Vulnerability Scoring System (CVSS)
When the base metrics are assigned values, the base equation calculates a score ranging from 0 to 10.
(Figure: the CVSS base equation, with the temporal and environmental groups marked as optional.)

Slide 23:
ISO/IEC 15408: Evaluation criteria for IT security
This standard consists of the following parts:
- Part 1: Introduction and general model
- Part 2: Security functional requirements
- Part 3: Security assurance requirements
It contains criteria for the evaluation of security requirements.
ISO/IEC 15408-1, Information technology — Security techniques — Evaluation criteria for IT security — Part 1,2,3, Second edition, 2005-10-01

Slide 24:
ISO/IEC 15408: Evaluation criteria for IT security
- Provides a common set of requirements for the security functions of IT products and systems and for assurance measures applied to them during a security evaluation.
- Defines classes of requirements and dependencies between them.
ISO/IEC 15408-1, Information technology — Security techniques — Evaluation criteria for IT security — Part 1,2,3, Second edition, 2005-10-01

Slide 25:
ISO/IEC 18045: Methodology for IT security evaluation
- Defines a methodology for IT security evaluation based on the Evaluation Assurance Levels (EAL) defined in ISO/IEC 15408.
- This International Standard recognizes three mutually exclusive verdict states:
  - Conditions for a pass verdict
  - Conditions for an inconclusive verdict
  - Conditions for a fail verdict
ISO/IEC 18045, Information technology — Security techniques — Methodology for IT security evaluation, Second edition 2008-08-15

Slide 26:
(Figure: how an evaluation result is built up; the labelled elements are Evaluation Result, Assurance Class, Assurance Component and Evaluator Action Element.)

Slide 27:
My framework
- Performs the security test of the web application under test automatically.
- Uses automatic scanners for testing.
- Uses the result of the security test for security evaluation of the web application.
- Optimizes security metrics for automated security evaluation.
- Gives a security level to the web application.

Slide 28:
Framework Architecture
(Figure: agent-based architecture. The components are the Web Application under test, the Test Script Generator Agent, the Test Code Generator Agent, the Test Executer Agent, the Test Runtime Environment, the Result Analyzer Agent and an SQL database; the agents communicate over RMI, and the legend distinguishes control flow, information flow and direct interaction.)
From the figure's text boxes, as far as they can be read:
- The Test Script Generator Agent crawls the web application under test and generates a test script for every HTML injection point.
- The Test Code Generator Agent gets the test scripts and compiles them into executable scripts.
- The Test Executer Agent gets the selected executable script, runs it in the Test Runtime Environment and returns the results.
- The Result Analyzer Agent is the central part of the architecture: it is responsible for managing and coordinating the other agents, distributing tasks between them, analyzing the results and assessing the security level.

Slide 29:
Evaluation...
After performing the security test, the results are used for evaluation. The steps of the evaluation are as follows:
- Study the web application's characteristics.
- Study previous works for choosing or adapting metrics.

Slide 30:
Evaluation...
- Metrics must have two characteristics:
  - be relevant to the security of web applications;
  - be measurable with the results of testing.
- Determine how to measure the selected metrics.
- Assign weights to these metrics based on published statistical results and experts' viewpoints.
- Specify the number of security levels.

Slide 31:
Evaluation
- Give a definition for each security level and specify the security requirements of each level.
- Specify the set of metrics relevant to each level and the required range for each of them.
- Assign a security level to the system under test.
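The evaluation procedure on slides 29 to 31 (measurable metrics, weights from statistics and expert judgement, a fixed number of levels, per-level metric ranges, and finally a level for the system under test) is worked through below as an added example; it is not the framework's own code. The attack classes are the six WASC TC v1 classes listed earlier in the deck, and the per-finding severity is taken to be a 0-10 score such as a CVSS base score. The class weights, the four level definitions and the sample finding lists are all hypothetical placeholders for values the framework would derive from published statistics and experts, so they illustrate the mechanism, not the deck's actual numbers.

```python
"""Security-level assignment from test results (added example, not the framework's code).

Mirrors the evaluation steps on the slides: measure metrics from test results,
weight them per attack class, define levels with required metric ranges, and
assign the highest level whose requirements the system under test meets.
"""
from dataclasses import dataclass, field

# The six WASC TC v1 attack classes named earlier in the deck.
WASC_CLASSES = ("Authentication", "Authorization", "Client-side Attacks",
                "Command Execution", "Information Disclosure", "Logical Attacks")

# Hypothetical per-class weights (the slides say weights come from published
# statistics and expert judgement).  They sum to 1 so the index stays in [0, 1].
CLASS_WEIGHTS = {"Authentication": 0.20, "Authorization": 0.20, "Client-side Attacks": 0.15,
                 "Command Execution": 0.25, "Information Disclosure": 0.10, "Logical Attacks": 0.10}


@dataclass
class Finding:
    attack_class: str   # one of WASC_CLASSES
    score: float        # severity on a 0-10 scale, e.g. a CVSS base score


def class_metrics(findings):
    """Two metrics per class, both measurable from test output:
    worst[c] = highest severity found in class c (0-10); count[c] = number of findings."""
    worst = {c: 0.0 for c in WASC_CLASSES}
    count = {c: 0 for c in WASC_CLASSES}
    for f in findings:
        if f.attack_class not in WASC_CLASSES:
            raise ValueError(f"unknown attack class: {f.attack_class!r}")
        if not 0.0 <= f.score <= 10.0:
            raise ValueError(f"severity out of range: {f.score}")
        worst[f.attack_class] = max(worst[f.attack_class], f.score)
        count[f.attack_class] += 1
    return worst, count


def risk_index(findings):
    """Weighted sum of per-class worst severity, normalised to [0, 1]."""
    worst, _ = class_metrics(findings)
    return round(sum(CLASS_WEIGHTS[c] * worst[c] / 10 for c in WASC_CLASSES), 3)


@dataclass
class Level:
    """A security level: its definition plus the metric ranges it requires."""
    number: int
    description: str
    max_index: float                                # required range for the risk index
    max_worst: dict = field(default_factory=dict)   # class -> highest tolerated severity


# Hypothetical level definitions, ordered from strictest to weakest.
LEVELS = [
    Level(3, "no access-control or command-execution flaw found; low residual risk",
          max_index=0.10,
          max_worst={"Authentication": 0.0, "Authorization": 0.0, "Command Execution": 0.0}),
    Level(2, "no high-severity command-execution flaw; moderate residual risk",
          max_index=0.40, max_worst={"Command Execution": 6.9}),
    Level(1, "tested; residual risk below the upper threshold", max_index=0.70),
    Level(0, "fails the requirements of every higher level", max_index=1.0),
]


def meets(level, findings):
    """True if every metric required by the level is inside its required range."""
    worst, _ = class_metrics(findings)
    if risk_index(findings) > level.max_index:
        return False
    return all(worst[c] <= limit for c, limit in level.max_worst.items())


def assign_level(findings):
    """Assign the highest level whose requirements the system under test meets."""
    for level in LEVELS:
        if meets(level, findings):
            return level.number
    return 0


# Constructed sample results of three hypothetical test runs.
SAMPLE_CLEAN = [Finding("Information Disclosure", 2.6), Finding("Client-side Attacks", 4.4)]
SAMPLE_RCE = [Finding("Command Execution", 7.6), Finding("Authorization", 5.0)]
SAMPLE_BAD = [Finding("Command Execution", 9.8), Finding("Authentication", 7.0),
              Finding("Authorization", 8.0), Finding("Client-side Attacks", 6.0),
              Finding("Information Disclosure", 9.0)]

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("rce", SAMPLE_RCE), ("bad", SAMPLE_BAD)):
        print(f"{name}: index={risk_index(sample)} level={assign_level(sample)}")
```

Two design points the slides leave implicit are visible here. First, a level is gated by more than the aggregate index: SAMPLE_RCE has a low enough index for level 2 but fails its per-class range for Command Execution, so it lands on level 1; without the per-class ranges a single critical flaw could be averaged away by many clean classes. Second, the weights and thresholds are data, not code, which is what lets the framework re-tune them as new statistics or expert input arrive.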

Slide 32:
Thanks for your attention.

