Security Benchmarks for Web Serving Systems

The security of software-based systems is one of the most difficult issues when assessing the suitability of systems for most application scenarios. However, security is very hard to evaluate and quantify, and there are no standard methods to benchmark the security of software systems. This work proposes a novel methodology for benchmarking the security of software-based systems. This methodology uses the notion of risk in a quantifiable way and allows the comparison of functionally equivalent systems (or different configurations of the same system), enabling users and system integrators to identify and select the most secure one. The benchmark methodology is based on both analytical and experimental steps and is applicable to any software system. The benchmark procedures and rules guide users on how to instantiate the methodology for specific scenarios and how to execute the benchmark. In this paper we also present an instantiation of the methodology for a case study of web-serving systems and show how to use the results to identify the most secure system under benchmark.
