Securing Web Applications: Techniques and Challenges

Marco Vieira

Abstract

Software security is currently a major research topic, particularly in the Web domain. Because of the rapid growth of the Internet and of Web applications, software security has become a vital concern in any information infrastructure. This paper discusses key techniques for security testing and assessment, providing the basis for understanding the open research challenges in developing and deploying secure Web applications.


Keywords


Security; Web applications; Vulnerabilities; Benchmarking; Secure Processes

DOI: https://doi.org/10.17648/enig.v1i1.21

Creative Commons License
This site is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International license.
