A Framework for Automated Web Application Security Evaluation


A Framework for Automated Web Application Security Evaluation Razieh Rezaei Saleh Supervisor: Dr. Mohsen Kahani

A Framework for Automated Web Application Security Evaluation. This framework: tests a web application from the viewpoint of security issues; uses the result of the security test for security evaluation of the web application; optimizes security metrics for automated security evaluation; gives a security level to the web application.

Security Evaluation. Security evaluation is the process of determining how secure a system is. It needs information gathered from humans and from testing tools. The first step in security evaluation is security testing.

Security Testing. The process of determining that an IS (information system) protects data and maintains functionality as intended. The six basic security concepts that need to be covered by security testing are confidentiality, integrity, authentication, authorization, availability and non-repudiation.

Why Web Applications? Because of the globalization of the web and the internet's role as the major tool for international information exchange, the security of web applications is becoming more and more important. Web applications are highly vulnerable to DoS attacks and to security and access compromise. Automated testing tools are vital because of the growth in web applications' extent and complexity.

Types of security test. There are two types of security test. Static: analyzes the source code for security defects; known as white-box security testing; needs the source code. Dynamic: elicits vulnerabilities by sending malicious requests and investigating the replies; used when the source code is not available; the tester looks at the application from the attacker's perspective; analyzes only applications deployed in test or production environments.

Security testing tools. There are eight security tool categories: source code analyzers, web application (black-box) scanners, database scanners, binary analysis tools, runtime analysis tools, configuration management tools, HTTP proxies and miscellaneous tools.

Web Application (black-box) Scanners

Automated security testing tool. In an automated security test there are three fundamental steps: discovering new URLs and forms by crawling; creating test scripts with crafted data; sending malicious requests to the web application; analyzing the responses to detect vulnerabilities; exploiting vulnerabilities.

Security evaluation. Security evaluation is the process of determining how secure a system is. It needs information gathered from humans and from testing tools. For evaluation we need security metrics and measures.

Related works. Web Application Security Consortium: Threat Classification (WASC TC); Web Application Security Statistics Project (WASSP); A Metrics Framework to Drive Application Security Improvement; Common Vulnerability Scoring System (CVSS); ISO/IEC 15408: Evaluation criteria for IT security; ISO/IEC 18045: Methodology for IT security evaluation.

Threat Classification. Its goals: identify all known web application security classes of attack; agree on naming for each class of attack; develop a structured manner to organize the classes of attack; develop documentation that provides generic descriptions of each class of attack (Web Application Security Consortium: Threat Classification, version 1.00).

Threat Classification. Six classes of attack: Authentication, Authorization, Client-side Attacks, Command Execution, Information Disclosure and Logical Attacks (Web Application Security Consortium: Threat Classification, version 1.00).

Web Application Security Statistics Project. Its goals: identify the prevalence and probability of different vulnerability classes; compare testing methodologies against the types of vulnerabilities they are likely to identify. The statistics include two different data sets: automated testing results, and security assessment results obtained using black-box and white-box methodology (Web Application Security Consortium: Web Application Security Statistics Project, 2007).

Web Application Security Statistics Project. Consequently three data sets were obtained: 1. overall statistics; 2. automated scanning statistics; 3. black-box and white-box security assessment statistics (Web Application Security Consortium: Web Application Security Statistics Project, 2007).

Web Application Security Statistics Project. Chart: the probability distribution of vulnerability detection according to WASC TC v1 classes (black box and white box).

Web Application Security Statistics Project. Chart: the probability distribution of vulnerability detection according to WASC TC v1 classes.

A Metrics Framework to Drive Application Security Improvement. Breaks an application's lifecycle into three main phases: design, deployment and runtime. Organizes metrics according to lifecycle phase in addition to OWASP type (Nichols, E.A., Peterson, G., A Metrics Framework to Drive Application Security Improvement, IEEE Symp. Security and Privacy, Volume 5, Issue 2, March-April 2007).

OWASP Top Ten Vulnerabilities. OWASP's most serious web application vulnerabilities: unvalidated input, broken access control, broken authentication and session management, cross-site scripting, buffer overflow, injection flaws, improper error handling, insecure storage, application denial of service, and insecure configuration management (Open Web Application Security Project (OWASP): The ten most critical web application security vulnerabilities, 2007).

Common Vulnerability Scoring System (CVSS). The Common Vulnerability Scoring System (CVSS) is an open framework that offers the following benefits: standardized vulnerability scores, an open framework, and prioritized risk (Common Vulnerability Scoring System, Version 2.0, June 2007).

Common Vulnerability Scoring System (CVSS). CVSS is composed of three metric groups, Base, Temporal and Environmental, each consisting of a set of metrics. The Base group represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and across user environments. The Temporal group represents the characteristics of a vulnerability that change over time but not among user environments. The Environmental group represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment.

Common Vulnerability Scoring System (CVSS). When the base metrics are assigned values, the base equation calculates a score ranging from 0 to 10.

ISO/IEC 15408: Evaluation criteria for IT security. This standard consists of the following parts: Part 1: Introduction and general model; Part 2: Security functional requirements; Part 3: Security assurance requirements. It contains criteria for the evaluation of security requirements (ISO/IEC 15408-1, Information technology — Security techniques — Evaluation criteria for IT security — Part 1,2,3, Second edition, 2005-10-01).

ISO/IEC 15408: Evaluation criteria for IT security. Provides a common set of requirements for the security functions of IT products and systems and for the assurance measures applied to them during a security evaluation. Defines classes of requirements and the dependencies between them (ISO/IEC 15408-1, Information technology — Security techniques — Evaluation criteria for IT security — Part 1,2,3, Second edition, 2005-10-01).

ISO/IEC 18045: Methodology for IT security evaluation. Defines a methodology for IT security evaluation based on the Evaluation Assurance Levels (EAL) defined in ISO/IEC 15408. This International Standard recognizes three mutually exclusive verdict states, giving the conditions for a pass verdict, the conditions for an inconclusive verdict and the conditions for a fail verdict (ISO/IEC 18045, Information technology — Security techniques — Methodology for IT security evaluation, Second edition 2008-08-15).

My framework. Performs the security test of the web application under test automatically. Uses automatic scanners for testing. Uses the result of the security test for security evaluation of the web application. Optimizes security metrics for automated security evaluation. Gives a security level to the web application.

Framework Architecture. An agent-based architecture is selected for distributing tasks between agents. The Test Runtime Environment Agent (TREA) is the central part of the architecture; it is responsible for managing and coordinating the other agents. The Test Script Generator Agent crawls the web application under test and generates a test script for every injection point. The Test Code Generator Agent develops and compiles the test scripts. The Test Executor Agent gets the executable script and runs it, then returns the results to the TREA. The Result Analyzer Agent gets the total results, analyzes them and assesses the security level of the web application.

Evaluation... After performing the security test, the results are used for evaluation. The steps of evaluation are as follows: study the web application's characteristics; study previous works for choosing or adapting metrics.

Evaluation... Metrics must have two characteristics: be relevant to the security of web applications, and be measurable with the results of testing. Determine how to measure the selected metrics. Assign weights to these metrics based on published statistical results and experts' viewpoints. Specify the number of security levels.

Evaluation. Give a definition for each security level and specify the security requirements of each level. Specify the set of metrics relevant to each level and the required range for each. Assign a security level to the system under test.
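The last three evaluation steps (define levels with required metric ranges, then assign a level from test results) as an added illustration that is not code from the thesis: the per-class failure-rate metric, the level names and the bounds are constructed assumptions chosen to show the mechanism, using the six WASC TC v1 classes as metric categories.

```python
"""Security-level assignment from automated test results (added example).

The metric, the level names and the required ranges below are constructed
assumptions, not values from the presentation.
"""
from dataclasses import dataclass

# WASC Threat Classification v1 attack classes, used here as metric categories.
CLASSES = ("Authentication", "Authorization", "Client-side Attacks",
           "Command Execution", "Information Disclosure", "Logical Attacks")

@dataclass(frozen=True)
class Level:
    name: str
    required: dict  # metric -> maximum allowed value; required range is [0, max]

# Constructed level definitions, weakest to strongest. Each level names only the
# metrics relevant to it; a higher level tightens the bounds and adds metrics.
LEVELS = (
    Level("Level 1", {"Command Execution": 0.5, "Authentication": 0.5}),
    Level("Level 2", {"Command Execution": 0.1, "Authentication": 0.2,
                      "Client-side Attacks": 0.3, "Authorization": 0.3}),
    Level("Level 3", {c: 0.0 for c in CLASSES}),
)

def failure_rates(results):
    """Metric: fraction of injection points per class where the scanner found a
    vulnerability. `results` is a list of (class, vulnerable) pairs, one per
    executed test script. A class with no tests gets None rather than 0.0, so
    'not tested' can never be mistaken for 'secure'."""
    tested = {c: 0 for c in CLASSES}
    failed = {c: 0 for c in CLASSES}
    for cls, vulnerable in results:
        tested[cls] += 1
        failed[cls] += int(vulnerable)
    return {c: (failed[c] / tested[c] if tested[c] else None) for c in CLASSES}

def meets(metrics, level):
    """True when every metric the level requires was measured and is in range."""
    return all(metrics[m] is not None and metrics[m] <= bound
               for m, bound in level.required.items())

def assign_level(metrics):
    """Highest level whose requirements all hold. Levels are cumulative, so the
    first unmet level stops the search; 'Level 0' means no level was reached."""
    achieved = "Level 0"
    for level in LEVELS:
        if not meets(metrics, level):
            break
        achieved = level.name
    return achieved
```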

Thanks for your attention.