Vulnerability Analysis and Threat Mitigation for Secure Web Application Development

Jaechan Moon; SEONG JE CHO

Journal of The Korea Society of Computer and Information

Abbr : JKSCI
2012, 17(2), pp.127-137
Publisher : The Korean Society Of Computer And Information
Research Area : Computer Science

Jaechan Moon ¹ , SEONG JE CHO ²

¹ 단국대학교
² 단국대학교

ABSTRACT

Recently, as modern Internet uses mashups, Web 3.0, JavaScript/AJAX widely, the rate at which new vulnerabilities are being discovered is increasing rapidly. It can subsequently introduce big security threats. In order to efficiently mitigate these web application vulnerabilities and security threats, it is needed to rank vulnerabilities based on severity and consider the severe vulnerabilities during a specific phase of software development lifecycle (SDLC) for web applications. In this paper, we have first verified whether the risk rating methodology of OWASP Top 10 vulnerabilities is a reasonable one or not by analyzing the vulnerability data of web applications in the US National Vulnerability Database (NVD). Then, by inspecting the vulnerability information of web applications based on OWASP Top-10 2010 list and CWE (Common Weakness Enumeration) directory, we have mapped the web-related entries of CWE onto the entries of OWASP Top-10 2010 and prioritized them. We have also presented which phase of SDLC is associated with each vulnerability entry. Using this approach, we can prevent or mitigate web application vulnerabilities and security threats efficiently.
KEYWORDS

Web application , OWASP Top 10 , Vulnerability analysis , Threat mitigation , Software development lifecycle (SDLC)
REFERENCES (16)

[web] Kukinews / 2011 / [Financial hacking is an Emergency] Hacking Method Viewed by Experts / http://news.kukinews.com/article/view.asp?page=1&gCode=kmi&arcid=0004844041&cp=du

[web] WhiteHat Security, Inc / 2011 / Measuring Website Secur ity: Windows of Exposure / http://img.en25.com/Web/WhiteHatSecurityInc/WPstats_winter11_11th.pdf

[web] / 2011 / National Institute of Standards and Technology. National Vulnerability Database (NVD) / http://nvd.nist.gov

[confproc] R. A. Martin / 2005 / The Case for Common Flaw Enumeration / NIST Workshop on Software Security Assurance Tools, Techniques and Metrics

[confproc] R. A. Martin / 2006 / A Status Update : The Common Weaknesses Enumeration / Proc. of the Static Analysis Summit(NIST Special Publication 500-262) : 62~64

[confproc] A. Tripathi / 2010 / Towards Standardi zation of Vulnerability Taxonomy / Proc. of the 2nd International Conference on Computer Technology and Development(ICCTD) : 379~384

[confproc] K. Tsipenyuk / 2005 / Seven Pernicious Kingdoms : A Taxonomy of Software Security Errors / IEEE Security & Privacy : 81~84

[confproc] J. A. Wang / 2009 / Security metrics for software systems / Proc. of the 47th Annual Southeast Regional Conference (ACM-SE-47)

[book] A. Wiesmann / 2005 / A Guide to Building Secure Web Applicat ions and Web Services / OWASP

[web] / The Open Web Application Security Project (OWA SP) / http://www.owasp.org

[web] / Homeland Security: Common Weakness Enumera tion (CWE) / http://cwe.mitre.org

[book] M. Howard / 2005 / 19 Deadly Sins of Software Security - Programming Flaws and How to Fix Them / McGraw-Hill

[confproc] S. Wagner / 2009 / A Security Requirements Approach for Web Systems / Proc. of Quality Assessment in Web (QAW2009)

[confproc] P. Mell / 2006 / Common Vulnerability Scoring System / IEEE Security & Privacy : 85~89

[journal] Y. Kim / 2010 / Analysis and Documentation of Korean Common Weakness Enumeration for Software Security / Communications of the Korean Institute of Information Scientists and Engineers 28 (2) : 20~31

[web] / CWE-79 Improper Neutralization of Input During Web Page Generation(‘Cross-site Scripting’) / http://cwe.mitre.org/data/definitions/79.html
KCI Citation (10)

KJC Korea
Journal Central

Statistics

Tools