Reducing Attack Surface of a Web Application by Open Web Application Security Project Compliance
Abstract
The attack surface of a system is the portion of the application that is exposed to adversaries; reducing the attack surface of a web application reduces its overall vulnerability. In this paper, we consider the web components of two versions of an in-house developed project management web application and calculate the attack surface before and after Open Web Application Security Project (OWASP) compliance, based on a security audit, in order to determine and then compare the security of this project management application. OWASP is an open community that provides free tools and guidelines for application security. It was observed that the attack surface of the software was reduced by 45 per cent once it was made OWASP compliant. The vulnerable surface still exposed by the code after OWASP compliance was due to the mandatory access points left in the software to ensure accessibility over a network.
Defence Science Journal, 2012, 62(5), pp. 324-330, DOI: http://dx.doi.org/10.14429/dsj.62.1291