Using soft systems methodology and activity theory to exploit security of web applications against heartbleed vulnerability

The number of security incidents exploiting security holes in web applications is increasing. One recently identified vulnerability in web applications is the Heartbleed bug, a weakness found in OpenSSL, open source cryptographic software. In this study, both quantitative and qualitative research methodologies were employed. Case study and content/documentary analysis research methods were used to collect data for probing web applications that are vulnerable to the bug. Due to the complexity of the problem, Soft Systems Methodology (SSM) was adopted to manage the analysis of the data. The evaluation of the security of web applications involved 64 selected websites of higher education institutions in Africa. SSM was supported by Activity Theory. The collected data was analysed using the R statistical computing package. The study found that, at the public announcement of the bug, 89% of the university web applications in Africa were vulnerable to the Heartbleed attack and 11% were not. About two months after the public announcement, 16% of the university web applications that had been vulnerable were patched for the Heartbleed bug. The study seeks to contribute to the application of Soft Systems Methodology and Activity Theory in the body of knowledge of information systems security (ISS).
