Razieh Rezaei Saleh
Supervisor: Dr. Mohsen Kahani
This framework:
▪ Tests a web application from the viewpoint of security issues.
▪ Uses the result of the security test for the security evaluation of the web application.
▪ Optimizes security metrics for automated security evaluation.
▪ Gives a security level to the web application.
Security evaluation is the process of determining how secure a system is.
Security evaluation needs information gathered from humans and from testing tools.
The first step in security evaluation is security testing.
Security testing is the process of determining that an IS (Information System) protects data and maintains functionality as intended.
The six basic security concepts that need to be covered by security testing are:
▪ Confidentiality
▪ Integrity
▪ Authentication
▪ Authorization
▪ Availability
▪ Non-repudiation
Because of the globalization of the web and the role of the Internet as the major tool for international information exchange, the security of web applications is becoming more and more important.
Web applications are highly vulnerable to DoS attacks and to security and access compromise.
Automated testing tools are vital because of the growth in the size and complexity of web applications.
There are two types of security test:
Static:
▪ Analyzes the source code for security defects
▪ Known as white-box security test
▪ Needs the source code
Dynamic:
▪ Elicits vulnerabilities by sending malicious requests and investigating the replies
▪ Used when the source code is not available
▪ The tester looks at the application from the attacker's perspective
▪ Analyzes only applications deployed in test or production environments
There are eight security tool categories: source code analyzers, web application (black-box) scanners, database scanners, binary analysis tools, runtime analysis tools, configuration management tools, HTTP proxies, and miscellaneous tools.
In an automated security test, there are three fundamental steps:
▪ Discovering new URLs and forms by crawling
▪ Creating test scripts with crafted data
▪ Sending malicious requests to the web application
▪ Analyzing responses to detect vulnerabilities
▪ Exploiting vulnerabilities
Security evaluation, as defined above, needs information gathered from humans and from testing tools.
For evaluation we need security metrics and measures. The sources considered are:
▪ Web Application Security Consortium: Threat Classification (WASC TC)
▪ Web Application Security Statistics Project (WASSP)
▪ A Metrics Framework to Drive Application Security Improvement
▪ Common Vulnerability Scoring System (CVSS)
▪ ISO/IEC 15408: Evaluation criteria for IT security
▪ ISO/IEC 18045: Methodology for IT security evaluation
The goals of the WASC Threat Classification are to:
▪ Identify all known classes of attack on web application security.
▪ Agree on a name for each class of attack.
▪ Develop a structured manner of organizing the classes of attack.
▪ Develop documentation that provides generic descriptions of each class of attack.
Web Application Security Consortium: Threat Classification, version 1.00
It defines six security classes of attack:
▪ Authentication
▪ Authorization
▪ Client-side Attacks
▪ Command Execution
▪ Information Disclosure
▪ Logical Attacks
The goals of the Web Application Security Statistics Project are to:
▪ Identify the prevalence and probability of different vulnerability classes.
▪ Compare testing methodologies against the types of vulnerabilities they are likely to identify.
The statistics include two different data sets:
▪ automated testing results
▪ security assessment results made using black-box and white-box methodology
Web Application Security Consortium: Web Application Security Statistics Project, 2007
Consequently, three data sets were obtained:
1. Overall statistics
2. Automated scanning statistics
3. Black-box and white-box methods security assessment statistics
Figure: The probability distribution of vulnerability detection according to WASC TC v1 classes (black box and white box).
Figure: The probability distribution of vulnerability detection according to WASC TC v1 classes.
This framework breaks an application's lifecycle into three main phases: design, deployment and runtime.
It organizes metrics according to the life-cycle phase in addition to the OWASP vulnerability type.
Nichols, E.A., Peterson, G., A Metrics Framework to Drive Application Security Improvement, IEEE Symp. Security and Privacy, Volume 5, Issue 2, March-April 2007
OWASP most serious web application vulnerabilities:
1. Unvalidated input
2. Broken access control
3. Broken authentication and session management
4. Cross-site scripting
5. Buffer overflow
6. Injection flaws
7. Improper error handling
8. Insecure storage
9. Application denial of service
10. Insecure configuration management
Open Web Application Security Project (OWASP): The ten most critical web application security vulnerabilities, 2007
The Common Vulnerability Scoring System (CVSS) is an open framework that offers the following benefits:
▪ Standardized vulnerability scores
▪ Open framework
▪ Prioritized risk
Common Vulnerability Scoring System, Version 2.0, June 2007
CVSS is composed of three metric groups, Base, Temporal and Environmental, each consisting of a set of metrics.
▪ Base metrics represent the intrinsic and fundamental characteristics of a vulnerability that are constant over time and across user environments.
▪ Temporal metrics represent the characteristics of a vulnerability that change over time but not among user environments.
▪ Environmental metrics represent the characteristics of a vulnerability that are relevant and unique to a particular user's environment.
When the base metrics are assigned values, the base equation calculates a score ranging from 0 to 10.
This standard consists of the following parts:
▪ Part 1: Introduction and general model
▪ Part 2: Security functional requirements
▪ Part 3: Security assurance requirements
It contains criteria for the evaluation of security requirements.
ISO/IEC 15408-1, Information technology — Security techniques — Evaluation criteria for IT security — Part 1,2,3, Second edition, 2005-10-01
It provides a common set of requirements for the security functions of IT products and systems, and for the assurance measures applied to them during a security evaluation.
It defines classes of requirements and the dependencies between them.
ISO/IEC 18045 defines a methodology for IT security evaluation based on the Evaluation Assurance Levels (EAL) defined in ISO/IEC 15408.
This International Standard recognizes three mutually exclusive verdict states and specifies the conditions for each:
▪ pass verdict
▪ inconclusive verdict
▪ fail verdict
ISO/IEC 18045, Information technology — Security techniques — Methodology for IT security evaluation, Second edition 2008-08-15
The proposed framework:
▪ Performs the security test of the web application under test automatically.
▪ Uses automatic scanners for testing.
▪ Uses the result of the security test for the security evaluation of the web application.
▪ Optimizes security metrics for automated security evaluation.
▪ Gives a security level to the web application.
An agent-based architecture is selected for distributing tasks between agents.
Figure: architecture diagram. Agents: Test Runtime Environment Agent, Test Script Generator Agent, Test Code Generator Agent, Test Executer Agent, Result Analyzer Agent; external components: Web Application (HTML) and Database (SQL); agents communicate over RMI. Legend: information flow, direct interaction, control flow.
The Test Runtime Environment Agent (TREA) is the central part of the architecture. It is responsible for managing and coordinating the other agents.
The Test Script Generator Agent crawls the web application under test and generates a test script for every injection point.
The Test Code Generator Agent develops and compiles the test scripts.
The Test Executer Agent gets the executable script and runs it, then returns the results to the TREA.
The Result Analyzer Agent gets the total results, analyzes them and assesses the security level of the web application.
After performing the security test, the results are used for evaluation.
The steps of evaluation are as follows:
1. Study the characteristics of the web application.
2. Study previous works for choosing or adapting metrics. Metrics must have two characteristics:
▪ be relevant to the security of web applications;
▪ be measurable with the results of testing.
3. Determine how to measure the selected metrics.
4. Assign weights to these metrics based on published statistical results and experts' viewpoints.
5. Specify the number of security levels.
6. Give a definition for each security level and specify the security requirements of each level.
7. Specify the set of metrics relevant to each level and the required range of each metric.
8. Assign a security level to the system under test.
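As an added illustration of steps 3 to 8 (example code, not the framework's own implementation): the metrics are per-class finding counts using the WASC TC v1 classes cited earlier, while the weights, the level thresholds and the sample findings are constructed assumptions.

```python
from collections import Counter

# Step 4: weight per WASC TC v1 class of attack. Constructed values; the framework
# takes them from published statistics and expert opinion.
CLASS_WEIGHTS = {
    "Command Execution": 0.30,
    "Client-side Attacks": 0.20,
    "Authentication": 0.20,
    "Authorization": 0.15,
    "Information Disclosure": 0.10,
    "Logical Attacks": 0.05,
}

# Steps 5 to 7: security levels from strictest to loosest. Each level lists the
# classes relevant to it and the maximum number of findings allowed (constructed).
LEVELS = [
    ("Level 3 (high)",   {"Command Execution": 0, "Client-side Attacks": 0,
                          "Authentication": 0, "Authorization": 0, "Information Disclosure": 1}),
    ("Level 2 (medium)", {"Command Execution": 0, "Client-side Attacks": 2,
                          "Authentication": 1, "Authorization": 1}),
    ("Level 1 (low)",    {"Command Execution": 2, "Authentication": 3}),
]


def measure(findings):
    """Step 3: count confirmed findings per class; classes without findings report 0."""
    counts = Counter(wasc_class for wasc_class, _ in findings)
    return {c: counts.get(c, 0) for c in CLASS_WEIGHTS}


def weighted_risk(metrics):
    """Step 4: weighted sum of the per-class counts, a single number for comparing runs."""
    return round(sum(CLASS_WEIGHTS[c] * n for c, n in metrics.items()), 2)


def assign_level(metrics):
    """Step 8: the highest level whose per-class ranges are all satisfied."""
    for name, limits in LEVELS:
        if all(metrics[c] <= limit for c, limit in limits.items()):
            return name
    return "Level 0 (below every defined level)"


# Constructed output of the Result Analyzer Agent: (WASC class, injection point).
SAMPLE_FINDINGS = [
    ("Client-side Attacks", "/search?q="),
    ("Authentication", "/login"),
    ("Information Disclosure", "/debug"),
    ("Information Disclosure", "/backup"),
]

if __name__ == "__main__":
    metrics = measure(SAMPLE_FINDINGS)
    print(metrics, weighted_risk(metrics), assign_level(metrics))
```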