Biblioteca Digital do IPG (DSpace repository)

Use this identifier to cite or link to this record: http://hdl.handle.net/10314/3513

Title: Evaluating the [In]security of Web Applications
Authors: Fonseca, José Carlos
Keywords: Web Application Security
Date: Aug-2011
Publisher: Lambert Academic Publishing
Abstract: The current dependency of modern enterprises on complex web applications raises new and challenging problems. Security (or the lack of it) is certainly one of the top concerns. Security issues have cascading effects within enterprises, with dramatic consequences for the dependability of the services they should provide. The impact of the successful exploitation of security breaches can be enormous, and it may irreversibly affect the company's competitiveness, brand, partners and clients. This book focuses on the study of the most significant web application vulnerabilities, proposing ways and solutions to improve the state of the art in web application security. One of the contributions is the classification and in-depth analysis of typical software bugs that lead to security vulnerabilities. For this purpose, we present a field study correlating common fault types in web application software with the potential vulnerabilities they may cause. A key contribution of the book is how we explore this relationship to propose new strategies to prevent, test and detect vulnerabilities using a mechanism to automatically inject vulnerabilities and attacks into web applications. We also propose and evaluate an intrusion detection system for databases that relies on detecting user activities that fall outside a profile of good behavior learned beforehand. The vulnerability injection and attack injection approaches are based on real-world observations, so they are valuable frameworks in many security-related scenarios, as they provide a true-to-life setup. With vulnerability injection we propose new ways to train security assurance teams, and our tests confirm the increased ability achieved to detect vulnerabilities, even outperforming top commercial tools. Attack injection was used to evaluate state-of-the-art security tools. Results confirm that even top commercial tools still have a long way to go, as they can only detect a very small percentage of the most critical vulnerabilities and attacks. The analysis of the outcome data can even provide important insights into the weaknesses of these tools, which is of major importance for their future improvement.
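To make the profile-based database intrusion detection idea in the abstract concrete, the following is an added Python example written for this page; it is not code from the book or from the author, and it does not reproduce the book's profiling model. It learns, per database user, the set of SQL statement templates observed during a training window in which the application is assumed to behave normally, and afterwards flags any statement whose template was never learned. The training trace and the test statements are constructed for the example, and the normalization rule (string and numeric literals replaced by `?`, whitespace collapsed, case folded) is an assumption chosen to keep the example short.

```python
import re
from collections import defaultdict

# Constructed training trace: (db_user, sql) pairs captured while the
# application is assumed to be behaving normally (the learning window).
TRAINING_TRACE = [
    ("webapp", "SELECT id, name FROM users WHERE id = 42"),
    ("webapp", "SELECT id, name FROM users WHERE id = 7"),
    ("webapp", "SELECT * FROM orders WHERE customer = 'alice' AND status = 'open'"),
    ("webapp", "UPDATE orders SET status = 'shipped' WHERE id = 1001"),
    ("reports", "SELECT COUNT(*) FROM orders WHERE status = 'open'"),
]

# Constructed statements seen after learning, some benign, some attacks.
LIVE_EVENTS = [
    ("webapp", "SELECT id, name FROM users WHERE id = 99"),                 # benign
    ("webapp", "SELECT id, name FROM users WHERE id = 1 OR 1=1"),           # SQL injection
    ("webapp", "SELECT * FROM orders WHERE customer = '' OR '1'='1' AND status = 'open'"),
    ("webapp", "SELECT id, name FROM users WHERE id = 1; DROP TABLE users"),
    ("webapp", "SELECT id, name FROM users WHERE id = 43"),                 # another user's row: same template
    ("reports", "UPDATE orders SET status = 'shipped' WHERE id = 1001"),    # right template, wrong user
]

_STRING = re.compile(r"'(?:[^']|'')*'")      # single-quoted literal, '' escapes a quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")   # integer or decimal literal
_WS = re.compile(r"\s+")


def normalize(sql: str) -> str:
    """Reduce a statement to a template: literals become '?', whitespace is
    collapsed and case is folded, so the same statement issued with different
    parameter values maps to one template. Literals are replaced before case
    folding so their contents never influence the result."""
    template = _STRING.sub("?", sql)
    template = _NUMBER.sub("?", template)
    return _WS.sub(" ", template).strip().upper()


def learn_profile(trace):
    """Build the 'good behavior' profile: for each database user, the set of
    statement templates observed during the learning window."""
    profile = defaultdict(set)
    for user, sql in trace:
        profile[user].add(normalize(sql))
    return dict(profile)


def detect(profile, user, sql):
    """Return (is_anomalous, reason) for one statement executed by `user`."""
    allowed = profile.get(user)
    if allowed is None:
        return True, f"no profile learned for user {user!r}"
    template = normalize(sql)
    if template not in allowed:
        return True, f"template not in profile for {user!r}: {template}"
    return False, "matches a learned template"


def scan(profile, events):
    """Run detection over a list of (user, sql) events; return the flagged ones."""
    flagged = []
    for user, sql in events:
        anomalous, reason = detect(profile, user, sql)
        if anomalous:
            flagged.append((user, sql, reason))
    return flagged


if __name__ == "__main__":
    learned = learn_profile(TRAINING_TRACE)
    for user, sql, reason in scan(learned, LIVE_EVENTS):
        print(f"ALERT user={user} sql={sql!r}\n       {reason}")
```

Run as a script, the three injection attempts and the `reports` user issuing an `UPDATE` are flagged, while the benign lookup of id 99 passes. The last `webapp` event is the caveat a practitioner should take from this model: reading another user's row changes only a literal, so its template matches the profile and it is not flagged. Attacks that preserve the learned structure are exactly the blind spot that attack injection, as described in the abstract, is meant to expose when evaluating a detector.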
URI: http://hdl.handle.net/10314/3513
ISBN: 978-3845421742
Appears in Collections: Book Chapter (ESTG)

Files in this record:

File: 2011-08-26 Jose Fonseca Evaluating the Insecurity of WebApplications.pdf
Size: 5316 KB
Format: Adobe PDF