Razieh Rezaei Saleh Supervisor: Dr. Mohsen Kahani.


Page 1:

Razieh Rezaei Saleh

Supervisor: Dr. Mohsen Kahani

Page 2:

This framework:

▪ Tests a web application from the viewpoint of security issues.
▪ Uses the result of the security test for the security evaluation of the web application.
▪ Optimizes a security metric for automated security evaluation.
▪ Gives a security level to the web application.

Page 3:

Security evaluation is the process of determining how secure a system is.

Security evaluation needs information gathered from humans and from testing tools.

The first step in security evaluation is security testing.

Page 4:

Security testing is the process of determining that an IS (Information System) protects data and maintains functionality as intended.

The six basic security concepts that need to be covered by security testing are: Confidentiality, Integrity, Authentication, Authorization, Availability, Non-repudiation.

Page 5:

Because of the globalization of the web, and the internet being the major tool for international information exchange, the security of web applications is becoming more and more important.

Web applications are very vulnerable to DoS attacks and to security and access compromise.

Automated testing tools are vital because of the growth in web applications' size and complexity.

Page 6:

There are two types of security test:

Static:
▪ Analyzes the source code for security defects
▪ Known as white-box security test
▪ Needs source code

Dynamic:
▪ Elicits vulnerabilities by sending malicious requests and investigating replies
▪ Used when source code is not available
▪ Tester looks at the application from the attacker's perspective
▪ Analyzes only applications deployed in test or production environments

Page 7:

There are eight security tool categories: source code analyzers, web application (black-box) scanners, database scanners, binary analysis tools, runtime analysis tools, configuration management tools, HTTP proxies, and miscellaneous tools.

Page 8:

Page 9:

In an automated security test, there are three fundamental steps:

▪ Discovering new URLs and forms by crawling
▪ Creating test scripts with crafted data
▪ Sending malicious requests to the web application
▪ Analyzing responses to detect vulnerabilities
▪ Exploiting vulnerabilities

Page 10:

Security evaluation is the process of determining how secure a system is.

Security evaluation needs information gathered from humans and from testing tools.

For evaluation we need security metrics and measures.

Page 11:

Web Application Security Consortium: Threat Classification (WASC TC)

Web Application Security Statistics Project (WASSP)

A Metrics Framework to Drive Application Security Improvement

Common Vulnerability Scoring System (CVSS)

ISO/IEC 15408: Evaluation criteria for IT security

ISO/IEC 18045: Methodology for IT security evaluation

Page 12:

Identify all known web application security classes of attack.

Agree on naming for each class of attack.

Develop a structured manner to organize the classes of attack.

Develop documentation that provides generic descriptions of each class of attack.

Web Application Security Consortium: Threat Classification, version 1.00

Page 13:

Six security classes of attack: Authentication, Authorization, Client-side Attacks, Command Execution, Information Disclosure, Logical Attacks.

Web Application Security Consortium: Threat Classification, version 1.00

Page 14:

Identify the prevalence and probability of different vulnerability classes.

Compare testing methodologies against the types of vulnerabilities they are likely to identify.

The statistics include two different data sets: automated testing results, and security assessment results made using black- and white-box methodology.

Web Application Security Consortium: Web Application Security Statistics Project, 2007

Page 15:

Consequently, 3 data sets were obtained:
1. Overall statistics
2. Automated scanning statistics
3. Black- and white-box methods security assessment statistics

Web Application Security Consortium: Web Application Security Statistics Project, 2007

Page 16:

The probability distribution of vulnerability detection according to WASC TCv1 classes (BlackBox & WhiteBox)

Page 17:

The probability distribution of vulnerability detection according to WASC TCv1 classes

Page 18:

Break an application's lifecycle into three main phases: design, deployment, runtime.

Organize metrics according to the life cycle in addition to the OWASP type.

Nichols, E.A., Peterson, G., A Metrics Framework to Drive Application Security Improvement, IEEE Symp. Security and Privacy, Volume 5, Issue 2, March-April 2007

Page 19:

OWASP most serious web application vulnerabilities:

1. Unvalidated input
2. Broken access control
3. Broken authentication and session management
4. Cross-site scripting
5. Buffer overflow
6. Injection flaws
7. Improper error handling
8. Insecure storage
9. Application denial of service
10. Insecure configuration management

Open Web Application Security Project (OWASP) - The ten most critical web application security vulnerabilities, 2007

Page 20:

The Common Vulnerability Scoring System (CVSS) is an open framework that offers the following benefits: Standardized Vulnerability Scores, Open Framework, Prioritized Risk.

Common Vulnerability Scoring System, Version 2.0, June 2007

Page 21:

CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics.

Base: Represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments.

Temporal: Represents the characteristics of a vulnerability that change over time but not among user environments.

Environmental: Represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment.

Page 22:

When the base metrics are assigned values, the base equation calculates a score ranging from 0 to 10.
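The base equation the slide refers to, carried through in code as an added example (this is not code from the presentation; the weights and formula are those published in the CVSS v2.0 specification cited on slide 20, and the vector strings below are constructed inputs). It shows why a remote, unauthenticated, partial-impact finding lands at 7.5 while a local confidentiality-only one lands at 2.1, and why a vector with no impact scores 0 regardless of how easy it is to reach:

```python
"""CVSS v2.0 base score: an added worked example, not code from the presentation.
The metric weights and the base equation are the ones published in the
CVSS v2.0 specification (June 2007)."""
from dataclasses import dataclass

# Metric weights from the CVSS v2.0 base equation.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}               # None / Partial / Complete


@dataclass(frozen=True)
class BaseMetrics:
    av: str  # Access Vector
    ac: str  # Access Complexity
    au: str  # Authentication
    c: str   # Confidentiality impact
    i: str   # Integrity impact
    a: str   # Availability impact


def parse_vector(vector: str) -> BaseMetrics:
    """Parse a v2 base vector string such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    m = BaseMetrics(parts["AV"], parts["AC"], parts["Au"], parts["C"], parts["I"], parts["A"])
    # Reject unknown values early instead of failing deep inside the arithmetic.
    for value, table in ((m.av, ACCESS_VECTOR), (m.ac, ACCESS_COMPLEXITY),
                         (m.au, AUTHENTICATION), (m.c, IMPACT), (m.i, IMPACT), (m.a, IMPACT)):
        if value not in table:
            raise ValueError(f"invalid metric value {value!r} in {vector!r}")
    return m


def impact_subscore(m: BaseMetrics) -> float:
    """Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))"""
    return 10.41 * (1 - (1 - IMPACT[m.c]) * (1 - IMPACT[m.i]) * (1 - IMPACT[m.a]))


def exploitability_subscore(m: BaseMetrics) -> float:
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication"""
    return 20 * ACCESS_VECTOR[m.av] * ACCESS_COMPLEXITY[m.ac] * AUTHENTICATION[m.au]


def base_score(vector: str) -> float:
    """BaseScore = round_to_1_decimal(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)),
    where f(Impact) = 0 if Impact == 0, else 1.176."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    exploitability = exploitability_subscore(m)
    f_impact = 0.0 if impact == 0 else 1.176
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return max(0.0, round(score, 1))   # max() turns the -0.0 of a zero-impact vector into 0.0


def nvd_severity(score: float) -> str:
    """Severity bands NVD applied to v2 base scores (not part of the CVSS v2 spec itself)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed sample vectors.
    for vector in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",   # remote, unauthenticated, full compromise
                   "AV:N/AC:L/Au:N/C:P/I:P/A:P",   # remote, unauthenticated, partial impact
                   "AV:L/AC:L/Au:N/C:P/I:N/A:N",   # local, confidentiality only
                   "AV:L/AC:H/Au:M/C:N/I:N/A:N"):  # no impact at all
        s = base_score(vector)
        print(f"{vector}  base={s:4.1f}  {nvd_severity(s)}")
```

The impact and exploitability subscores are kept as separate functions because the framework on slide 30 weights metrics by published statistics: keeping the two halves of the equation visible makes it clear which half a weighting adjusts.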

Page 23:

This standard consists of the following parts:
Part 1: Introduction and general model
Part 2: Security functional requirements
Part 3: Security assurance requirements

It contains criteria for the evaluation of security requirements.

ISO/IEC 15408-1, Information technology — Security techniques — Evaluation criteria for IT security — Part 1,2,3, Second edition, 2005-10-01

Page 24:

Provides a common set of requirements for the security functions of IT products and systems and for assurance measures applied to them during a security evaluation.

Defines classes of requirements and dependencies between them.

ISO/IEC 15408-1, Information technology — Security techniques — Evaluation criteria for IT security — Part 1,2,3, Second edition, 2005-10-01

Page 25:

Defines a methodology for IT security evaluation based on the Evaluation Assurance Levels (EAL) defined in ISO/IEC 15408.

This International Standard recognizes three mutually exclusive verdict states: conditions for a pass verdict, conditions for an inconclusive verdict, conditions for a fail verdict.

ISO/IEC 18045, Information technology — Security techniques — Methodology for IT security evaluation, Second edition 2008-08-15

Page 26:

Page 27:

▪ Performs the security test of the web application under test automatically.
▪ Uses automatic scanners for testing.
▪ Uses the result of the security test for the security evaluation of the web application.
▪ Optimizes a security metric for automated security evaluation.
▪ Gives a security level to the web application.

Page 28:

An agent-based architecture is selected for distributing tasks between agents.

[Architecture diagram: Test Runtime Environment Agent, Test Script Generator Agent, Test Code Generator Agent, Test Executer Agent, Result Analyzer Agent, Web Application, Database; connections labelled RMI (between agents), HTML (to the Web Application) and SQL (to the Database); legend: Information Flow, Direct Interaction, Control Flow]

The Test Runtime Environment Agent (TREA) is the central part of the architecture. It is responsible for managing and coordinating the other agents.

The Test Script Generator Agent crawls the web application under test and generates a test script for every injection point.

The Test Code Generator Agent develops and compiles the test scripts.

The Test Executer Agent gets the executable script and runs it, then returns the results to the TREA.

The Result Analyzer Agent gets the total results, analyzes them, and assesses the security level of the web application.
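The crawl step of slide 9 (discovering new URLs and forms) is what the Test Script Generator Agent above performs before it can emit a script per injection point. The following is an added example, not the thesis's own agent code: it parses one page, keeps only links on the application's own host, and records every form field and query-string parameter as an injection point. The page URL and the HTML are constructed for the example; the class and function names are mine.

```python
"""Added example (not the presentation's own code): the crawl step of an
automated security test as performed by a Test Script Generator Agent, which
walks the application and records an injection point for every parameter it
finds. Only discovery is shown; the sample page and base URL are constructed."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse


@dataclass
class Form:
    action: str              # absolute URL the form submits to
    method: str              # "get" or "post"
    fields: list = field(default_factory=list)  # names of user-controlled inputs


@dataclass(frozen=True)
class InjectionPoint:
    method: str
    url: str
    parameter: str


class PageCrawler(HTMLParser):
    """Collects links (new URLs to crawl) and forms (injection points) from one page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.links: list = []
        self.forms: list = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.page_url, a["href"]))
        elif tag == "form":
            # A form without an action submits back to the page it is on.
            self._form = Form(urljoin(self.page_url, a.get("action", "")),
                              a.get("method", "get").lower())
        elif tag in ("input", "textarea", "select") and self._form is not None:
            name = a.get("name")
            # Buttons carry no user-controlled data, so they are not injection points.
            if name and a.get("type", "text").lower() not in ("submit", "button", "reset", "image"):
                self._form.fields.append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def discover(page_url: str, html: str):
    """Return (in-scope URLs to crawl next, injection points found on this page)."""
    crawler = PageCrawler(page_url)
    crawler.feed(html)
    crawler.close()
    scope = urlparse(page_url).netloc
    points = [InjectionPoint(f.method, f.action, name) for f in crawler.forms for name in f.fields]
    next_urls = []
    for link in crawler.links:
        parsed = urlparse(link)
        if parsed.netloc != scope:          # never leave the application under test
            continue
        next_urls.append(link)
        # Query-string parameters of in-scope links are GET injection points too.
        base = parsed._replace(query="", fragment="").geturl()
        for name in parse_qs(parsed.query, keep_blank_values=True):
            points.append(InjectionPoint("get", base, name))
    return next_urls, points


# Constructed sample page for the example.
SAMPLE_URL = "http://app.example.test/index.html"
SAMPLE_HTML = """
<html><body>
<a href="/products?id=7&sort=asc">Products</a>
<a href="http://other.example.org/">External link</a>
<form action="/login" method="POST">
  <input type="text" name="username"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form>
  <input name="q"><textarea name="comment"></textarea>
</form>
</body></html>
"""

if __name__ == "__main__":
    urls, points = discover(SAMPLE_URL, SAMPLE_HTML)
    print("crawl next:", urls)
    for p in points:
        print(f"{p.method.upper():4} {p.url} param={p.parameter}")
```

The scope check on the host name is the part a practitioner should not drop: a crawler that follows external links will send the test scripts of later steps to systems that were never part of the assessment.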

Page 29:

After performing the security test, the results are used for evaluation.

The steps of evaluation are as follows:

▪ Study the web application's characteristics.
▪ Study previous works for choosing or adapting metrics.

Page 30:

Metrics must have two characteristics:
▪ Be relevant to the security of web applications
▪ Be measurable with the results of testing

Determine how to measure the selected metrics.

Assign weights to these metrics based on published statistical results and experts' viewpoint.

Specify the number of security levels.

Page 31:

Give a definition for each security level and specify the security requirements of each level.

Specify the set of metrics relevant to each level and the required range of each.

Assign a security level to the system under test.
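The evaluation procedure of slides 29 to 31 end to end, as an added example rather than the thesis's own metric or level definitions: the metric is "confirmed findings per WASC TC v1 class" (the six classes of slide 13), measured from scanner output; each class carries a weight; and each security level states the maximum weighted score and the required range (here an upper bound) of the metrics relevant to it. The weights, the level thresholds, the finding-name-to-class mapping and the sample scanner results are assumptions constructed for the example.

```python
"""Added example (not the presentation's own code) of the evaluation steps:
metrics measured from scanner results, weights, and a table of security levels
with per-level requirements. The six WASC TC v1 classes are from the slides;
the weights, thresholds and finding-to-class mapping are assumed for the example."""
from collections import Counter

WASC_CLASSES = ("Authentication", "Authorization", "Client-side Attacks",
                "Command Execution", "Information Disclosure", "Logical Attacks")

# Hypothetical weights (assumed): how much one confirmed finding of each class
# counts toward the weighted vulnerability score.
WEIGHTS = {"Command Execution": 1.0, "Authentication": 0.9, "Authorization": 0.9,
           "Client-side Attacks": 0.6, "Logical Attacks": 0.5, "Information Disclosure": 0.4}

# Assumed mapping from a scanner's finding names to WASC TC classes, so that
# "findings per class" is measurable from test results.
FINDING_CLASS = {"SQL Injection": "Command Execution", "OS Commanding": "Command Execution",
                 "Cross-site Scripting": "Client-side Attacks",
                 "Information Leakage": "Information Disclosure",
                 "Insufficient Authentication": "Authentication",
                 "Insufficient Authorization": "Authorization",
                 "Insufficient Anti-automation": "Logical Attacks"}

# Security levels, most demanding first (assumed values). Each level gives the
# maximum weighted score and the maximum findings allowed in particular classes,
# i.e. the required range of the metrics relevant to that level.
LEVELS = (
    ("Level 3", 0.0, {c: 0 for c in WASC_CLASSES}),
    ("Level 2", 2.0, {"Command Execution": 0, "Authentication": 0, "Authorization": 0}),
    ("Level 1", 6.0, {"Command Execution": 0}),
    ("Level 0", float("inf"), {}),
)


def measure(findings):
    """Measure the metric: count confirmed findings per WASC class. Unknown finding
    names are reported rather than dropped, so a metric is never under-measured
    because the scanner's vocabulary changed."""
    counts = Counter()
    unmapped = []
    for name in findings:
        cls = FINDING_CLASS.get(name)
        if cls is None:
            unmapped.append(name)
        else:
            counts[cls] += 1
    return counts, unmapped


def weighted_score(counts):
    return round(sum(WEIGHTS[c] * counts.get(c, 0) for c in WASC_CLASSES), 2)


def assign_level(counts):
    """Return the highest level whose requirements the measured metrics satisfy."""
    score = weighted_score(counts)
    for name, max_score, max_per_class in LEVELS:
        if score <= max_score and all(counts.get(c, 0) <= m for c, m in max_per_class.items()):
            return name, score
    raise AssertionError("Level 0 accepts everything")


def evaluate(findings):
    counts, unmapped = measure(findings)
    level, score = assign_level(counts)
    return {"level": level, "score": score, "counts": dict(counts), "unmapped": unmapped}


# Constructed scanner output for the example: one finding name per confirmed result.
SAMPLE_RESULTS = ["Cross-site Scripting", "Cross-site Scripting", "Information Leakage",
                  "Insufficient Anti-automation"]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RESULTS))
```

Two design points carry over to a real metric set: the per-class bounds are checked separately from the weighted score, so a single Command Execution finding cannot be averaged away by an otherwise clean application, and findings the mapping does not recognise are surfaced in the result instead of silently lowering the score.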

Page 32: