Detection of Configuration Vulnerabilities in Distributed (Web) Environments

Casalino, Matteo Maria; Mangili, Michele; Plate, Henrik; Ponta, Serena Elisa

doi:10.1007/978-3-642-36883-7_9

Cited by 6 publications

(4 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A language-based approach to specify and execute declarative and unambiguous security checks for detecting vulnerabilities caused by a system misconfiguration is proposed in [14]. The proposed language is based on the SCAP specification [30] and extends the OVAL configuration validation standard [31].…”

Section: Related Workmentioning

confidence: 99%

“…In the case when configuration vulnerability is considered, it is mostly limited to the deployment environment [12]- [14]. This is a practical bottleneck because an invulnerable deployment environment does not guarantee an invulnerable application from configuration perspective.…”

Section: Introductionmentioning

confidence: 99%

“…• We put into practice the CCSS to quantify vulnerability scores by introducing additional metric variables relevant to configuration in web applications. • We implemented and evaluated our approach on 14 most widely adopted open source PHP applications and compared its effectiveness with 3 popular web vulnerability scanners. This paper is organized as follows.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Confeagle: Automated Analysis of Configuration Vulnerabilities in Web Applications

Eshete

Villafiorita

Weldemariam

et al. 2013

2013 IEEE 7th International Conference on Software Security and Reliability

View full text Add to dashboard Cite

Web applications and server environments hosting them rely on configuration settings that influence their security, usability, and performance. Misconfiguration results in severe security vulnerabilities. Recent trends show that misconfiguration is among the top critical risks in web applications. While effective at uncovering numerous classes of vulnerabilities, generic web application vulnerability scanners are limited in identifying configuration vulnerabilities. In this paper, we present an approach that effectively combines hierarchical configuration scanning and preliminary source code analysis of web applications to pinpoint potential configuration vulnerabilities, quantify the degree of severity based on standard metrics, and facilitate fixing of vulnerabilities found therein. We implemented our approach in a tool called Confeagle and evaluated it on 14 widely deployed PHP web applications. Unlike generic web vulnerability scanners, on the subject applications, Confeagle detected potential configuration vulnerabilities that could result in information disclosure, denialof-service, and session hijacking attacks on the applications.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Confeagle: Automated Analysis of Configuration Vulnerabilities in Web Applications

Eshete

Villafiorita

Weldemariam

et al. 2013

2013 IEEE 7th International Conference on Software Security and Reliability

View full text Add to dashboard Cite

show abstract

“…During operations time, the configuration validation [27] component compares the actual system configuration retrieved from the CMDB or from the device itself, possibly changed outside of the PoSecCo scope, with the generated configuration resulting from the top-down refinement process. Discrepancies between the golden and actual configuration are identified and their relevance analyzed and reported.…”

Section: Application Componentsmentioning

confidence: 99%

Policy Chain for Securing Service Oriented Architectures

Arsac

Laube

Plate

2013

Data Privacy Management and Autonomous Spontaneous Security

Self Cite

View full text Add to dashboard Cite

Abstract. Service Providers using Service Oriented Architecture in order to deliver in-house services as well as on-demand and cloud services have to deal with two interdependent challenges: (1) to achieve, maintain and prove compliance with security requirements stemming from internal needs, 3rd party demands and international regulations and (2) to manage requirements, policies and security configuration in a cost-efficient manner. The deficiencies of current processes and tools force these service providers to trade off profitability against security and compliance. This paper summarizes a novel approach of a policy chain, which links high-level, abstract and declarative security policies on one side and low-level, imperative, and technical security configuration settings on the other side. The paper describes detailed an architecture linking several applications and models via state-machines in order to provide a toolset supporting service providers to build such a holistic policy chain at design time, and to maintain and leverage it during system operation.

show abstract

Online Compliance Monitoring of Service Landscapes

Werf

Verbeek

2015

Business Process Management Workshops

View full text Add to dashboard Cite

Detection of Configuration Vulnerabilities in Distributed (Web) Environments

Cited by 6 publications

References 5 publications

Confeagle: Automated Analysis of Configuration Vulnerabilities in Web Applications

Confeagle: Automated Analysis of Configuration Vulnerabilities in Web Applications

Policy Chain for Securing Service Oriented Architectures

Online Compliance Monitoring of Service Landscapes

Contact Info

Product

Resources

About