论文信息 - Benchmarking the Security of Web Serving Systems Based on Known Vulnerabilities

Benchmarking the Security of Web Serving Systems Based on Known Vulnerabilities

This paper proposes a methodology and a tool to evaluate the security risk presented when using software components or systems. The risk is estimated based on known vulnerabilities existing on the software components. An automated tool is used to extract and aggregate information on vulnerabilities reported by users and available on public databases (e.g., OSVDB and NVD). This tool generates comprehensive reports including the vulnerability type frequency, severity, exploitability, impact, and so on, and extracts correlations between aspects such as impact and representativeness, making possible the identification of aspects such as typical and worst impact for a given vulnerability. The proposed methodology, when applied to systems within the same class, enables buyers and system integrators to identify which system or component presents the lower security risk, helping them to select which system to use. The paper includes a case study to demonstrate the usefulness of the methodology and the tool.

Henrique Madeira | João Durães | Naaliel Mendes

[1] Karen A. Scarfone,et al. The Common Vulnerability Scoring System (CVSS) and its Applicability to Federal Agency Systems , 2007 .

[2] Matt Bishop,et al. Reflections on UNIX Vulnerabilities , 2009, 2009 Annual Computer Security Applications Conference.

[3] J.C.G. Hernandez,et al. Moodle security vulnerabilities , 2008, 2008 5th International Conference on Electrical Engineering, Computing Science and Automatic Control.

[4] Weider D. Yu,et al. Software Vulnerability Analysis for Web Services Software Systems , 2006, 11th IEEE Symposium on Computers and Communications (ISCC'06).

[5] Marco Vieira,et al. A Dependability Benchmark for OLTP Application Environments , 2003, VLDB.

[6] Kai Rannenberg,et al. Information Technology Security Evaluation Criteria (ITSEC) - a Contribution to Vulnerability? , 1992, IFIP Congress.

[7] Jean Arlat,et al. Benchmarking the dependability of Windows NT4, 2000 and XP , 2004, International Conference on Dependable Systems and Networks, 2004.

[8] Marco Vieira,et al. Dependability Benchmarking of Web-Servers , 2004, SAFECOMP.

[9] Christopher J. Alberts. Common Elements of Risk , 2006 .

[10] Philip Koopman,et al. Dependability Benchmarking & Prediction: A Grand Challenge Technology Problem , 1999 .

[11] Gergely Trifonov Cisa. Reducing the number of security vulnerabilities in web applications by improving software quality , 2009, SACI.

[12] G. Jiang. Multiple vulnerabilities in SNMP , 2002 .