Reducing Attack Surface of a Web Application by Open Web Application Security Project Compliance

  • Sumit Goswami Directorate of Management Information System & Technologies, DRDO, New Delhi
  • Nabanita R Krishnan Directorate of Management Information System & Technologies, DRDO, New Delhi
  • Mukesh Verma Directorate of Management Information System & Technologies, DRDO, New Delhi
  • Saurabh Swarnkar IAP Company Pvt Ltd, Gurgaon
  • Pallavi Mahajan Beant College of Engineering and Technology, Punjab
Keywords: Attack surface, DRDO Intranet, project management, open web application security project, security audit, security compliance

Abstract

The attack surface of a system is the amount of application area that is exposed to adversaries. The overall vulnerability of a web application can be reduced by reducing its attack surface. In this paper, we consider the web components of two versions of an in-house developed project management web application and calculate the attack surface before and after Open Web Application Security Project (OWASP) compliance, based on a security audit, in order to determine and then compare the security of this Project Management Application. OWASP is an open community that provides free tools and guidelines for application security. It was observed that the attack surface of the software reduced by 45 per cent once it was made OWASP compliant. The vulnerable surface still exposed by the code after OWASP compliance was due to the mandatory access points left in the software to ensure accessibility over a network.

Defence Science Journal, 2012, 62(5), pp. 324-330, DOI: http://dx.doi.org/10.14429/dsj.62.1291

Author Biographies

Sumit Goswami, Directorate of Management Information System & Technologies, DRDO, New Delhi
Mr Sumit Goswami obtained his MTech (Comp. Sci. & Engg.) from IIT Kharagpur. He is presently working as Scientist ‘E’ at DRDO, New Delhi. His areas of interest include network centric operations, mobile ad hoc and sensor networks, web-hosting security, text mining and machine learning. He has published 53 papers/chapters in various journals, books, data competitions and conferences.
Nabanita R Krishnan, Directorate of Management Information System & Technologies, DRDO, New Delhi
Ms Nabanita Radhakrishnan obtained her BTech (Elect. & Comm. Engg.) from Guindy Engineering College, Chennai and MTech (Electrical Engg.) from IIT Madras. She is presently working as Director, Management Information System and Technologies (MIST) at DRDO Hqrs, New Delhi. In this capacity she has conceptualized and commissioned an upgraded DRDO Intranet with a multi-tier security infrastructure and a number of software applications. She is a Member of the Aeronautical Society of India and the Instrument Society of India.
Mukesh Verma, Directorate of Management Information System & Technologies, DRDO, New Delhi
Mr Mukesh obtained his MCA from IGNOU, Delhi and MSc (Computer Science) from MDU Rohtak. He is presently working as Senior Technical Assistant at DRDO HQr. His research areas include software development, website designing and hosting, Linux, Windows, MySQL, Java, JSP, Oracle, Crystal Reports, Visual Basic, and PHP.
Saurabh Swarnkar, IAP Company Pvt Ltd, Gurgaon
Mr Saurabh Swarnkar obtained his BE (Comp. Sci. & Engg.) from the Institute of Information Technology and Management, Gwalior, and PGDAC from CDAC Advanced Computing Training School, Bengaluru. He is presently working as a Programmer at IAP Company Ltd, Gurgaon. His research areas include web application development, web designing and hosting.
Pallavi Mahajan, Beant College of Engineering and Technology, Punjab
Ms Pallavi Mahajan is pursuing a BTech (Computer Science and Engineering) at Beant College of Engineering and Technology, Gurdaspur, Punjab. She is presently doing a 6-month internship at DRDO, New Delhi.

Published: 2012-09-14

How to Cite: Goswami, S., Krishnan, N., Verma, M., Swarnkar, S., & Mahajan, P. (2012). Reducing Attack Surface of a Web Application by Open Web Application Security Project Compliance. Defence Science Journal, 62(5), 324-330. https://doi.org/10.14429/dsj.62.1291

Section: Computers & Systems Studies