SELF ASSESSMENT FRAMEWORK FOR DETECTING VULNERABILITY IN WEB APPLICATIONS

Security assessment is widely used to audit the security protection of web applications. However, it is often performed by outside security experts or a third party appointed by the company. A problem arises when the assessment involves highly confidential areas that might affect the company's private data, since the assessment directly reveals that important information to the third party. Even though the third party may have signed a non-disclosure agreement, once it has obtained information about the infrastructure and architecture, regardless of the confidential data itself, the exposure has to be considered a high risk. It is important to keep this information within the project members in order to protect the confidential data used by the system. Therefore, because of the confidentiality level of the system, we propose the SelfAssessment framework for conducting security assessment internally, to ensure the safety of all the assets of the organization. The main objective of this paper is to discuss the activities and processes involved in conducting a security assessment.

Keywords: web application, vulnerability, security testing, security assessment, penetration testing
