Benchmarking the Security of Web Serving Systems Based on Known Vulnerabilities

Mendes, Naaliel; Duraes, Joao; Madeira, Henrique

doi:10.1109/ladc.2011.14

Cited by 5 publications

(6 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Vulnerabilities numbers regarding Apache and Wordpress are slightly different than the ones presented previously since data gathering was performed earlier (Mendes, Duraes, and Madeira 2011). Note that some of the components targeted in the previous case study (Apache and IIS) were also covered in this one.…”

Section: Benchmarking the Security Of Web Serving Systems Based On Knmentioning

confidence: 88%

Security Benchmarks for Web Serving Systems

Mendes

Madeira

Duraes

2014

2014 IEEE 25th International Symposium on Software Reliability Engineering

Self Cite

View full text Add to dashboard Cite

The assessment of the security level of computer systems in a standardized and regular manner (security benchmarking) has become a very relevant subject, especially for those who use computer systems to support critical business missions or to store confidential information. The concern about computer-based system security is totally justified: systems have become increasingly complex, interconnected, and pervasive, and their security have been threatened by many types of attacks. These attacks are unavoidable, as the root causes for them are tied up to human aspects that cannot be removed (intention to cause harm, intention to steal information, etc.), and the losses attacks can cause to their targets (when successful) can be very significant. This scenario of attack inevitability has led companies and governments to invest massively in the development of regulations and mechanisms aimed at the improvement of the security of computer systems (e.g., training developer teams, rapidly solving discovered vulnerabilities, using tools to detect and prevent attacks). Despite these efforts, successful attacks continue to happen, showing that computer systems remain insecure. This is why end-users, system administrators, and systems integrators (to mention just a few classes of users) consider security as an important decision factor when choosing which system to buy and use. These individuals are looking for the means to assess and compare the security of functionally-similar systems/components that will enable them to make a decision taking into account the assessment of security risk.This thesis presents a novel, reproducible, risk-based methodology to benchmark the security of software-based systems. This is a generic methodology that can be instantiated to any class of software-based system. Our benchmark methodology uses the notion of risk in a quantifiable way to measure the security of systems, with a single security metric (SBench) to simplify the comparison of different systems (or different configurations of the same system), enabling users and system integrators to identify and select the most secure one, allowing as well the breakdown of this single metric for more detailed analysis. Our methodology follows the approach of benchmarks proposed in the field of performance and dependability, containing elements such as metrics, workload, and experimental setup, and defining a comprehensive set of procedures and rules to ensure the compliance with key properties such as repeatability.Our security benchmark methodology cover the two complementary views of a 8 given system concerning security: the first takes into account concrete vulnerabilities effectively existing for that system (measures what is already known), and the second estimates the effects of possible yet-to-discover vulnerabilities (and, in fact, many attacks are based on previously unknown vulnerabilities). In fact, these views correspond to the two parts of our benchmark methodology: the static and the dynamic. The static part corresponds ...

show abstract

Section: Benchmarking the Security Of Web Serving Systems Based On Knmentioning

confidence: 88%

Security Benchmarks for Web Serving Systems

Mendes

Madeira

Duraes

2014

2014 IEEE 25th International Symposium on Software Reliability Engineering

Self Cite

View full text Add to dashboard Cite

show abstract

“…(viii) Insecure deserialization: manipulating the inputs of a web application by deserializing it, modifying it, and serializing it again to compromise the web application [17]. (ix) Using components with known vulnerabilities: stop updating the used component in a web application allows attackers to exploit its known vulnerabilities; this type of vulnerability is found in abundance, especially in CMS web applications [18]. (x) Insufficient logging and monitoring refer to the lack of logging and monitoring mechanisms and techniques, which allow attackers to find and exploit without being detected [19].…”

Section: Related Workmentioning

confidence: 99%

Web Application Firewall Using Machine Learning and Features Engineering

Shaheed

Kurdy

2022

Security and Communication Networks

View full text Add to dashboard Cite

Web application security has become a major requirement for any business, especially with the wide web attacks spreading despite the defensive measures and the continuous development of software frameworks and servers. In this study, we present a proposed model for a web application firewall that used machine learning and features engineering to detect common web attacks. Our proposed model analyses incoming requests to the webserver, parses these requests to extract four features that describe completely HTTP request parts (URL, payload, and headers), and classifies whether a request is normal or an anomaly. We took into consideration the limitation of previous works that use URL and payload only in classification and provided five features that describe and summarize all parts of the HTTP request using features engineering and previous experience in the field of the software security domain. Extracted features are length of request, percentage of characters allowed, percentage of special characters, and attack weight. These features were calculated for four different datasets CSIC 2010, HTTPParams 2015, Hybrid dataset (CSIC 2010 and HTTPParams), and real logs for the compromised web server. We evaluated our proposed model by using these updated datasets with four classification algorithms (Naive Bayes, logistic regression, decision tree, and support vector machine) with two methods (train test split and cross-validation) to negate the probability of overfitting and ensure that features are effective. Features values for a normal request are usually short request length, large allowed character ratio, small special character ratio, and zero attack weight or close to zero. Features values for anomaly requests are large request length, small allowed character percentage, large special character percentage, and very large numerically attack weight. Our proposed model achieved a classification accuracy of 99.6% with datasets used in research studies in this field and 98.8% with datasets of real web servers.

show abstract

“…These scenarios can be divided in web-based applications and systems , web services [34][35][36][37][38][39] network protocols and devices [11,14,[40][41][42][43][44][45][46][47][48][49][50][51][52], software and desktop applications [61], and process control system [62]. Figure 4 shows the different target scenarios that have a diversity in relation to the number of studies, and as mentioned before, most of the studies are related to web-based applications, network devices, and protocols contexts.…”

Section: Rq2-what Are the Target-scenarios In Pentest?mentioning

confidence: 99%

Overview and open issues on penetration test

Bertoglio

Zorzo

2017

J Braz Comput Soc

View full text Add to dashboard Cite

Several studies regarding security testing for corporate environments, networks, and systems were developed in the past years. Therefore, to understand how methodologies and tools for security testing have evolved is an important task. One of the reasons for this evolution is due to penetration test, also known as Pentest. The main objective of this work is to provide an overview on Pentest, showing its application scenarios, models, methodologies, and tools from published papers. Thereby, this work may help researchers and people that work with security to understand the aspects and existing solutions related to Pentest. A systematic mapping study was conducted, with an initial gathering of 1145 papers, represented by 1090 distinct papers that have been evaluated. At the end, 54 primary studies were selected to be analyzed in a quantitative and qualitative way. As a result, we classified the tools and models that are used on Pentest. We also show the main scenarios in which these tools and methodologies are applied to. Finally, we present some open issues and research opportunities on Pentest.

show abstract

Benchmarking the Security of Web Serving Systems Based on Known Vulnerabilities

Cited by 5 publications

References 9 publications

Security Benchmarks for Web Serving Systems

Security Benchmarks for Web Serving Systems

Web Application Firewall Using Machine Learning and Features Engineering

Overview and open issues on penetration test

Contact Info

Product

Resources

About