Web application vulnerability assessment and policy direction towards a secure smart government

Abstract: This paper carries out a technological analysis of e-government platforms to assess application flaws that can inhibit the smooth running of the web services they provide. Two sets of data were collected, two years apart, on 64 Nigerian government websites. Five web vulnerability variables known to be notorious for web attacks were purposively investigated. In the overall assessment of the two datasets, the average result showed that about 67% of the sites are affected by broken links (BL), 43.8% by unencrypted passwords (UP), 35% by cross-site scripting (XSS), and about one in four by each of Structured Query Language injection (SQLi) and cookie manipulation (CM). An independent t-test showed a significant difference between the two groups for three of the variables investigated, namely XSS, SQLi and CM, at a 95% confidence interval. The motivation for this study is the risk these results pose to the smooth running of e-government services and the possibility of financial loss. The paper therefore suggests some useful policy directions to support the provision of a secure, smarter government.
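The abstract names five indicators but does not show how any of them is observed. As an added example (not code from the paper, and not the tooling the authors used), the script below implements offline checks for three of them on constructed sample data: unencrypted password (UP), taken here as a form with a password field that submits to a non-HTTPS target; cookie manipulation (CM), approximated by assumption as Set-Cookie headers lacking the Secure or HttpOnly flag; and broken links (BL), anchors whose target returns a 4xx or 5xx status. The host name, page, headers and link statuses are all constructed for the example.

```python
"""Added example (not code from the paper): an offline checker for three of the
five indicators named in the abstract. Unencrypted password (UP) is detected as
a form with a password field that submits over plain HTTP; cookie manipulation
(CM) exposure is approximated, by assumption, as Set-Cookie headers that lack
the Secure or HttpOnly flag; broken links (BL) are anchors whose target returns
a 4xx/5xx status. The page, headers and link statuses below are constructed
sample data, not measurements from the study."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageParser(HTMLParser):
    """Collects <form> elements (noting whether they carry a password field) and <a href> targets."""

    def __init__(self):
        super().__init__()
        self.forms = []   # each: {"action": str, "has_password": bool}
        self.links = []   # raw href values
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attributes without a value come back as None
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def unencrypted_password_forms(page_url, html):
    """Return absolute form targets that would carry a password to a non-HTTPS URL."""
    p = _PageParser()
    p.feed(html)
    flagged = []
    for f in p.forms:
        if not f["has_password"]:
            continue
        # A missing action submits back to the page itself.
        target = urljoin(page_url, f["action"]) if f["action"] else page_url
        if urlparse(target).scheme.lower() != "https":
            flagged.append(target)
    return flagged


def weak_cookies(set_cookie_headers):
    """Return (cookie_name, missing_flags) for cookies lacking Secure or HttpOnly."""
    weak = []
    for header in set_cookie_headers:
        parts = [x.strip() for x in header.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        flags = {x.split("=", 1)[0].strip().lower() for x in parts[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in flags]
        if missing:
            weak.append((name, missing))
    return weak


def broken_links(page_url, html, status_of):
    """Return absolute link targets whose HTTP status (from status_of) is 400 or above."""
    p = _PageParser()
    p.feed(html)
    return [u for u in (urljoin(page_url, h) for h in p.links) if status_of(u) >= 400]


# ---- constructed sample input (hypothetical host, not a real site) ----
PAGE_URL = "http://portal.example.invalid/login"
SAMPLE_HTML = """
<html><body>
<form action="/auth" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="https://sso.example.invalid/auth" method="post">
  <input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
<a href="/about">About</a>
<a href="/old-page">Archive</a>
</body></html>
"""
SAMPLE_COOKIES = [
    "sessionid=abc123; Path=/",
    "csrftoken=xyz; Secure; HttpOnly; SameSite=Lax",
]
SAMPLE_STATUS = {  # stands in for a HEAD request per link in a live run
    "http://portal.example.invalid/about": 200,
    "http://portal.example.invalid/old-page": 404,
}


def assess(page_url=PAGE_URL, html=SAMPLE_HTML, cookies=SAMPLE_COOKIES, status=SAMPLE_STATUS):
    """Run the three checks and return findings keyed by the abstract's abbreviations."""
    return {
        "UP": unencrypted_password_forms(page_url, html),
        "CM": weak_cookies(cookies),
        "BL": broken_links(page_url, html, lambda u: status.get(u, 200)),
    }


if __name__ == "__main__":
    for key, findings in assess().items():
        print(key, findings)
```

On the sample page this reports the plain-HTTP login form under UP, the session cookie without Secure/HttpOnly under CM, and the 404 archive link under BL; the HTTPS single-sign-on form and the search form are not flagged. In a live assessment, `status_of` would issue a HEAD or GET request per link, and the cookie check would read the real Set-Cookie response headers.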
