Assessing and Comparing Security of Web Servers

Mendes, Naaliel; Neto, Afonso Araújo; Duraes, Joao; Vieira, Marco; Madeira, Henrique

doi:10.1109/prdc.2008.45

Cited by 18 publications

(8 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While some web servers may be generally considered more secure than other web servers, the true extent of security is entirely dependent on the web-server developers and how often they patch up security flaws. In a study on assessing web server security, [23] analyzed five open-source web servers including Apache HTTPD2, Apache Tomcat 6.0.13, Apache Tomcat 6.0.16 and Apache Tomcat 6.0.13. They analyzed factors such as security policy, access control, communication and operation management, human resource security, information systems acquisition, development and maintenance and physical and environmental security.…”

Section: Api Securitymentioning

confidence: 99%

An Analysis of Security and Performance Concerns in Mobile Web Application Development: Challenges and Open Issues

Kunda

Chishimba

Mulenga

et al. 2017

Int. J. Recent Contrib. Eng. Sci. IT

View full text Add to dashboard Cite

Abstract-The paper focuses on security and performance concerns in mobile web development. The approach used in the study involved surveying journal publications to identify security and performance concerns. The paper highlights some of the contemporary issues currently being faced by application developers as they create, update and maintain mobile web applications including Cross-Site Scripting, Cookie hijacking/theft, location hijacking, history theft, behavior analysis, session hijacking, API design, security and the type of web server used considered.

show abstract

Section: Api Securitymentioning

confidence: 99%

An Analysis of Security and Performance Concerns in Mobile Web Application Development: Challenges and Open Issues

Kunda

Chishimba

Mulenga

et al. 2017

Int. J. Recent Contrib. Eng. Sci. IT

View full text Add to dashboard Cite

show abstract

“…Also, one common practice among software buyers and end-users is to rely on a set of security evaluation methods (e.g., ISO 17799 2005; NIST-SP800-12 1995; CC Protection Profiles 2012; M. Vieira and Madeira 2005;Mendes et al 2008) and tools (Acunetix 2012;IBM Appscan 2012;Nikto2 2015;Curphey and Arawo 2006;SecTools 2014) to help them to get an estimation of the security level of a given system based on a set of security requirements, tests, or software maturity (e.g. : is the system free from known vulnerabilities?…”

Section: Context and Motivationmentioning

confidence: 99%

“…The merit of this approach is the proposal of steps ranging from the collection of security recommendations from different sources to the proposal of tests to assess and compare the security configuration of systems. An approach proposed by (Mendes et al 2008) has applied and extended this methodology through a characterization of security practices according to the ISO 17799:2005 international standard for web servers. Additionally, (Mendes et al 2008) was not only concerned with the configuration aspects of web servers, but also with the design of a secure network and the implementation of a strong security policy.…”

Section: Security Benchmarking Initiativesmentioning

confidence: 99%

“…An approach proposed by (Mendes et al 2008) has applied and extended this methodology through a characterization of security practices according to the ISO 17799:2005 international standard for web servers. Additionally, (Mendes et al 2008) was not only concerned with the configuration aspects of web servers, but also with the design of a secure network and the implementation of a strong security policy. All these aspects are important to reduce the possibility of successful attacks over web servers.…”

Section: Security Benchmarking Initiativesmentioning

confidence: 99%

“…A security test is the verification of a security practice or the exploit of a known vulnerability. An example is the following security practice for web servers (Mendes et al 2008): "Disable direct file system access (directory browsing, directory traversal, etc.)". The security test of this practice refers to the verification of the web server configuration or contents to confirm if directory listing is enabled or not (this particular test is related to the CVE-2006-3835 directory listing vulnerability, which affects Apache Tomcat 5).…”

Section: Static Partmentioning

confidence: 99%

See 2 more Smart Citations

Security Benchmarks for Web Serving Systems

Mendes

Madeira

Duraes

2014

2014 IEEE 25th International Symposium on Software Reliability Engineering

Self Cite

View full text Add to dashboard Cite

The assessment of the security level of computer systems in a standardized and regular manner (security benchmarking) has become a very relevant subject, especially for those who use computer systems to support critical business missions or to store confidential information. The concern about computer-based system security is totally justified: systems have become increasingly complex, interconnected, and pervasive, and their security have been threatened by many types of attacks. These attacks are unavoidable, as the root causes for them are tied up to human aspects that cannot be removed (intention to cause harm, intention to steal information, etc.), and the losses attacks can cause to their targets (when successful) can be very significant. This scenario of attack inevitability has led companies and governments to invest massively in the development of regulations and mechanisms aimed at the improvement of the security of computer systems (e.g., training developer teams, rapidly solving discovered vulnerabilities, using tools to detect and prevent attacks). Despite these efforts, successful attacks continue to happen, showing that computer systems remain insecure. This is why end-users, system administrators, and systems integrators (to mention just a few classes of users) consider security as an important decision factor when choosing which system to buy and use. These individuals are looking for the means to assess and compare the security of functionally-similar systems/components that will enable them to make a decision taking into account the assessment of security risk.This thesis presents a novel, reproducible, risk-based methodology to benchmark the security of software-based systems. This is a generic methodology that can be instantiated to any class of software-based system. Our benchmark methodology uses the notion of risk in a quantifiable way to measure the security of systems, with a single security metric (SBench) to simplify the comparison of different systems (or different configurations of the same system), enabling users and system integrators to identify and select the most secure one, allowing as well the breakdown of this single metric for more detailed analysis. Our methodology follows the approach of benchmarks proposed in the field of performance and dependability, containing elements such as metrics, workload, and experimental setup, and defining a comprehensive set of procedures and rules to ensure the compliance with key properties such as repeatability.Our security benchmark methodology cover the two complementary views of a 8 given system concerning security: the first takes into account concrete vulnerabilities effectively existing for that system (measures what is already known), and the second estimates the effects of possible yet-to-discover vulnerabilities (and, in fact, many attacks are based on previously unknown vulnerabilities). In fact, these views correspond to the two parts of our benchmark methodology: the static and the dynamic. The static part corresponds ...

show abstract