Vulnerability Analysis and Threat Mitigation for Secure Web Application Development

  • 문재찬 (Dankook University, Computer Science)
  • 조성제 (Dankook University, Department of Software)
  • Received : 2011.10.22
  • Accepted : 2012.01.11
  • Published : 2012.02.29

Abstract

Recently, as the modern Internet has come to use mashups, Web 3.0, and JavaScript/AJAX widely, the rate at which new vulnerabilities are discovered is increasing rapidly, and these vulnerabilities can introduce serious security threats. To mitigate web application vulnerabilities and security threats efficiently, vulnerabilities need to be ranked by severity, and the severe ones need to be addressed in the appropriate phase of the software development lifecycle (SDLC) for web applications. In this paper, we first verified whether the risk rating methodology of the OWASP Top 10 is reasonable by analyzing the web application vulnerability data in the US National Vulnerability Database (NVD). Then, by inspecting web application vulnerability information based on the OWASP Top-10 2010 list and the CWE (Common Weakness Enumeration) directory, we mapped the web-related CWE entries onto the OWASP Top-10 2010 entries and prioritized them. We also present which phase of the SDLC is associated with each vulnerability entry. Using this approach, web application vulnerabilities and security threats can be prevented or mitigated efficiently.

Recently, as mashups, Web 3.0, JavaScript, and AJAX (Asynchronous JavaScript and XML) have come into wide use, new vulnerabilities keep being discovered and security threats are growing further. To mitigate these web application vulnerabilities and security threats efficiently, the vulnerabilities must be ordered by risk level and given priority consideration in the corresponding phase of the web application development lifecycle. In this paper, we analyzed data on web application vulnerabilities from the US NVD (National Vulnerability Database) to verify whether the risk rating methodology of the OWASP Top 10 vulnerabilities is valid. Next, by analyzing web application vulnerability information centered on OWASP Top-10 2010 and CWE (Common Weakness Enumeration) data, we mapped and ordered the web vulnerabilities and presented which development lifecycle phase each vulnerability is related to. Through this, web security threats and vulnerabilities can be prevented or mitigated efficiently.
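The prioritization approach the abstract describes (grouping NVD vulnerability records by CWE entry, mapping those entries onto OWASP Top-10 2010 categories, ranking the categories by severity and frequency, and tying each category to an SDLC phase), as an added Python illustration that is not the paper's own code or data: the NVD-style records are constructed with placeholder CVE ids, the CWE-to-OWASP mapping and the SDLC-phase table are assumptions made for this example rather than the paper's mapping, and the risk score (mean CVSS base score weighted by category frequency) is one simple choice, not the paper's methodology. CWE entries outside the web mapping are reported separately instead of being silently dropped, and an out-of-range CVSS score is rejected.

```python
"""Prioritize web-application weakness classes from NVD-style vulnerability records.

Added illustration, not the paper's own code or data: the records below are
constructed, and the CWE-to-OWASP Top-10 2010 mapping and the SDLC-phase
table are assumptions made for this example.
"""
from collections import defaultdict
from statistics import mean

# Assumed mapping of CWE entries onto OWASP Top-10 2010 categories (illustrative only).
CWE_TO_OWASP_2010 = {
    "CWE-89": "A1 Injection",
    "CWE-78": "A1 Injection",
    "CWE-79": "A2 Cross-Site Scripting (XSS)",
    "CWE-287": "A3 Broken Authentication and Session Management",
    "CWE-384": "A3 Broken Authentication and Session Management",
    "CWE-639": "A4 Insecure Direct Object References",
    "CWE-352": "A5 Cross-Site Request Forgery (CSRF)",
    "CWE-16": "A6 Security Misconfiguration",
    "CWE-327": "A7 Insecure Cryptographic Storage",
    "CWE-285": "A8 Failure to Restrict URL Access",
    "CWE-319": "A9 Insufficient Transport Layer Protection",
    "CWE-601": "A10 Unvalidated Redirects and Forwards",
}

# Assumed SDLC phase in which each category is most effectively addressed (illustrative only).
OWASP_TO_SDLC_PHASE = {
    "A1 Injection": "implementation",
    "A2 Cross-Site Scripting (XSS)": "implementation",
    "A3 Broken Authentication and Session Management": "design",
    "A4 Insecure Direct Object References": "design",
    "A5 Cross-Site Request Forgery (CSRF)": "design",
    "A6 Security Misconfiguration": "deployment",
    "A7 Insecure Cryptographic Storage": "design",
    "A8 Failure to Restrict URL Access": "design",
    "A9 Insufficient Transport Layer Protection": "deployment",
    "A10 Unvalidated Redirects and Forwards": "implementation",
}

# Constructed records in the shape of NVD entries (CVE id, CWE id, CVSS base score).
# The CVE ids are placeholders, not real vulnerabilities.
SAMPLE_RECORDS = [
    {"cve": "CVE-0000-0001", "cwe": "CWE-79", "cvss": 4.3},
    {"cve": "CVE-0000-0002", "cwe": "CWE-79", "cvss": 4.3},
    {"cve": "CVE-0000-0003", "cwe": "CWE-79", "cvss": 6.8},
    {"cve": "CVE-0000-0004", "cwe": "CWE-89", "cvss": 7.5},
    {"cve": "CVE-0000-0005", "cwe": "CWE-89", "cvss": 7.5},
    {"cve": "CVE-0000-0006", "cwe": "CWE-352", "cvss": 6.8},
    {"cve": "CVE-0000-0007", "cwe": "CWE-287", "cvss": 7.5},
    {"cve": "CVE-0000-0008", "cwe": "CWE-601", "cvss": 5.8},
    {"cve": "CVE-0000-0009", "cwe": "CWE-20", "cvss": 5.0},   # not in the web mapping
    {"cve": "CVE-0000-0010", "cwe": "CWE-89", "cvss": 9.0},
]


def aggregate_by_category(records, cwe_map=CWE_TO_OWASP_2010):
    """Group CVSS scores by OWASP category; CWEs outside the mapping are counted separately."""
    buckets = defaultdict(list)
    unmapped = defaultdict(int)
    for rec in records:
        score = float(rec["cvss"])
        if not 0.0 <= score <= 10.0:          # CVSS base scores are bounded to [0, 10]
            raise ValueError(f"{rec['cve']}: CVSS score out of range: {score}")
        category = cwe_map.get(rec["cwe"])
        if category is None:
            unmapped[rec["cwe"]] += 1
            continue
        buckets[category].append(score)
    return dict(buckets), dict(unmapped)


def rank_categories(records, cwe_map=CWE_TO_OWASP_2010, phase_map=OWASP_TO_SDLC_PHASE):
    """Rank OWASP categories by mean CVSS weighted by frequency, highest risk first.

    The risk score is one simple choice for this example, not the paper's methodology.
    """
    buckets, unmapped = aggregate_by_category(records, cwe_map)
    mapped_total = sum(len(scores) for scores in buckets.values())
    rows = []
    for category, scores in buckets.items():
        avg = mean(scores)
        frequency = len(scores) / mapped_total
        rows.append({
            "category": category,
            "count": len(scores),
            "mean_cvss": round(avg, 2),
            "risk": round(avg * frequency, 3),
            "sdlc_phase": phase_map.get(category, "unknown"),
        })
    rows.sort(key=lambda row: (-row["risk"], row["category"]))
    return rows, unmapped


if __name__ == "__main__":
    ranked, skipped = rank_categories(SAMPLE_RECORDS)
    for row in ranked:
        print(f"{row['category']:<50} n={row['count']} mean={row['mean_cvss']:.2f} "
              f"risk={row['risk']:.3f} phase={row['sdlc_phase']}")
    if skipped:
        print("unmapped CWEs:", skipped)
```

On the constructed sample, injection ranks first (three records, mean 8.0) ahead of XSS (three records, mean 5.13), while the single CWE-20 record is listed as unmapped so that a reviewer can decide whether the mapping table needs extending rather than having the record vanish from the totals.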

Cited by

  1. Research Trend in Dementia Based on Physical Activity: Using Keyword Network Analysis vol.28, pp.1, 2012, https://doi.org/10.15857/ksep.2019.28.1.11