Published by: ijcsis on Sep 05, 2010
Copyright: Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

05/24/2014

pdf

text

original

 
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 5, August 2010

Security risk assessment of Geospatial Weather Information System (GWIS): An OWASP based approach
K. Ram Mohan Rao
Geoinformatics Division, Indian Institute of Remote Sensing (NRSC), Dehradun, India. Email: rammohan@iirs.gov.in

Durgesh Pant
Department of Computer Science, Kumaun University, Nainital, India. Email: durgesh.pant@gmail.com
Abstract—Security assessment is crucial in the web application development environment. The Rapid Application Development (RAD) process makes the application development extremely short and makes it difficult to eliminate the vulnerabilities. Here we study how a web application risk assessment technique such as the risk rating process can be applied to a web application. We implement our proposed mechanism, the application risk assessment methodology, using the Open Web Application Security Project (OWASP) model for the security assessment of the web application. The study led to quantifying different levels of risk for the Geospatial Weather Information System (GWIS) using the OWASP model.
 
Keywords: Security assessment; Rapid Application Development; Risk rating.

I. INTRODUCTION
Web application security assessment is a crucial part of the application development cycle. The distributed nature of web and application architecture creates difficulties in analyzing the application [1]. The Rapid Application Development (RAD) process makes the application development extremely short and makes it difficult to eliminate the vulnerabilities. In the process, most applications are becoming vulnerable to attack. Although organizations have many traditional precautions in their network, such as firewalls, these are no longer sufficient to protect the application across the internet. Firewalls alone cannot protect the application from external threats, but firewalls are an integral part of network security. To make web applications withstand evolving threat techniques, organizations must assess their web applications so that they understand the risk they are dealing with. For example, an agency providing data access to its users via a web application must test the web application and calculate or rate the risk. This approach helps to understand the vulnerabilities associated with the application. In most cases this can be achieved by scanning the sites with legacy tools, which will detect the number of vulnerabilities present in the site. This gives the opportunity to rectify the coding techniques to eliminate the vulnerabilities.

Knowing the vulnerabilities alone will not help management improve the security of the application. Rating the risk of the application by considering the different factors associated with the application gives more clarity and an edge to secure the application in a better way. By following this approach, an organization can estimate the severity of the application's risk and make an informed decision about it. The risk factors also prioritize the issues in the application better than a random approach: the areas having more risk can be looked into immediately, followed by the next prioritized zone.
In this paper, a modest attempt has been made to implement the Web Assessment Methodology (WAM) on the Geospatial Weather Information System (GWIS) application, and the risk factor has been derived by using the Open Web Application Security Project (OWASP) risk rating methodology.

II. APPLICATION TESTING FRAMEWORK
Software testing has gone through an evolutionary process. The global software testing market value is $13 billion [2]. Generally software development is up to 40% of a typical software product release budget, but testing of the software is about 40% of the development budget. Hence the testing phase is very important for any software or application to result in higher quality software. Software testing is the process used to identify the correctness, completeness, security, and quality of the developed software programs. It is the process of technical investigation to reveal quality-related information about the product or application. Testing furnishes criticism of the application for its further improvement in several contexts. There are three fundamental approaches to the automated testing of web applications [3]. Black box, white box and gray box provide different approaches for assessing the security of web applications. White box and black box are the terms used to describe the point of view a test engineer takes when designing the test cases. Black box takes the external view of the application and white box takes the internal view. That is, in white box testing the application is tested from the inside using its internal application programming interface (generally the API), and in black box testing the application is tested using its outward-facing interface (generally GUIs). Gray box testing
is a combination of both white box and black box testing. It allows security analysts to run automated and manual penetration tests against a target application. Table 1 shows a comparative statement on testing technologies.
TABLE I. TESTING TECHNOLOGIES: A COMPARISON

Manual: Penetration or security acceptance by a small set of people using known tools and scripts.
  Pros: Generates well-targeted tests for specific application functions.
  Cons: 1. Limits testing to experts, which may lead to bottlenecks. 2. Can lead to a high error rate with recurring costs. 3. Limits application coverage due to time constraints.

Automated: Specific tests for individual functions, built by the code developer. Quality assessment teams build tests from the end-user perspective.
  Pros: Offsets expenses with improvements in quality, reduced effort for acceptance and iterative development processes.
  Cons: Requires greater overhead to create and maintain than manual testing.

Black box or System: Looks only at system input and output, modifying normal user input to make the application behave in unintentional ways.
  Pros: Uses established automated test tools that require minimal application knowledge to use.
  Cons: Possible only when application components are ready for testing.

White box or Source: Assesses individual components for specific functional errors, often in combination with code scanning tools and peer reviews.
  Pros: Uses tools that have established integrations with developer IDEs, enabling the well-defined discovery of flaws in tested functions.
  Cons: Does not uncover requirement and design flaws. May not uncover vulnerabilities to attacks involving multiple components or specific timing not covered by unit testing.

Gray box (using an application-defined framework): Combines black- and white-box testing to create tests unavailable via commercial tools.
  Pros: Provides the most comprehensive method by combining system- and unit-level testing.
  Cons: Requires that a framework be specified during the inception phase and design activities. Requires much effort to build the test framework to build the application.

Selection of a particular testing methodology depends on a number of factors, such as the time allotted to the assessment, access to the internal application resources and the goals of the test [3].

Application security is the use of software, hardware and procedural methods to protect applications from external threats.
Security measures built into the application and sound application security procedures minimize the likelihood of attack. Security is becoming an increasingly important concern during development as applications become more frequently accessible over the network. As a result, applications are vulnerable to a wide variety of threats. Application security can be enhanced by rigorously defining enterprise assets, identifying what each application does with respect to these assets, creating a security profile for each application, identifying and prioritizing potential threats, and documenting adverse events and the actions taken in each case. This process is known as threat modeling [4].

III. GEOSPATIAL WEATHER INFORMATION SYSTEM
Geospatial Weather Information System (GWIS) is a web based tool for capturing, storing, retrieving and visualizing weather and climatic data. GWIS contains historical climatic data for hundreds of land stations countrywide. The database is provided with both daily and monthly climatic data. Daily data is available for nearly 150 ground stations countrywide, covering temperature, rainfall and humidity details. The monthly climatic data covers a wide range of land stations, around 3000 countrywide. Daily data is captured from different sources and then arranged in GWIS format for storing in the database. The source for monthly data is the Global Historical Climatology Network (GHCN). It is used operationally by the National Climatic Data Centre (NCDC) to monitor long-term trends in temperature and precipitation. The mission of GWIS is to integrate weather related information from different available sources and organize the data in a structured GWIS format. The application tool is designed to cater to the research needs of various application scientists working on different themes.

IV. RISK ASSESSMENT METHODOLOGY
Performing a web application assessment is a difficult task because of the complex application architecture. The task should be like any other software testing process, with a methodology, testing procedures, a set of helpful tools, skills and knowledge [5]. In general, a risk model involves several factors such as asset information based on the assets' importance to the business, likely threats to these assets, associated vulnerabilities (both technical and non-technical), severity levels of the vulnerabilities, and business impact factors such as company reputation. The weightage of these factors depends on the organization structure, its goals, the impact on its application business etc. Some models may give more weightage to technical factors and some may give weightage to financial
factors, but overall it depends on the strategy of the organization and its goals.

There are a number of risk assessment models, namely CVSS, OWASP, CENZIC, AS/NZ, OCTAVE, NIST, NISA, ISO1799 and ISO 27001, for assessing the risk associated with the application. In addition to these models there are a number of other testing techniques available for web application testing [6, 7, 8], analysis [9], and reverse engineering [10, 11]. Huang et al., 2003 [12] proposed WAVES (Web Application Vulnerability and Error Scanner), a black box testing framework for automated web application security assessment. Scott and Sharp, 2002 used an application proxy to abstract the Web application protection strategy [13]. Huang et al., 2004 describe bounded model checking (BMC) for verifying web application code, with automatic patching of vulnerable code with run-time guards, allowing both verification and assurance to occur without user intervention [14]. Again, Huang, 2004 proposed a holistic approach to ensure web application security by static analysis and runtime protection [15]. In addition to these there are some more white box techniques that protect the web application at development time rather than in the deployment phase [16]. In all these listed models and techniques the general assessment framework involves:

- Identifying assets, possible threats and vulnerabilities.
- Estimating the risk.
- Determining the severity of the risk.
- Deciding the priority list to eliminate the vulnerabilities.
- Finally, customizing the risk model with the given inputs.

The ultimate objective of any model is to quantify the risk of the application at different levels by taking into account several factors such as asset information, likely threats, associated vulnerabilities and the impact on the application. It also provides a useful mechanism for organizations to prioritize their business risks with common remedial practices for effective security practices. The risk assessment process involves steps in identifying asset information and the possible threats and vulnerabilities of the application. The process ultimately determines the overall risk factor involved with the application and will help the organization to eliminate the vulnerabilities of the application.
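As an added illustration of the risk rating step the paper applies to GWIS (this is not the paper's own code or data), the following Python scores a constructed GWIS scenario with the OWASP Risk Rating Methodology as OWASP publishes it: eight likelihood factors and four technical-impact factors, each on a 0-9 scale, are averaged, banded into LOW/MEDIUM/HIGH, and combined through OWASP's overall-severity matrix. The factor names and bands come from the public OWASP method, not from this page, and the scenario scores are invented.

```python
# Added example (not from the paper): the OWASP Risk Rating Methodology
# (likelihood x impact, factors scored 0-9) applied to a constructed GWIS
# scenario. Factor names and bands follow the public OWASP method; the
# scenario scores below are made up for illustration.
from statistics import mean

LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",           # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness",     # vulnerability
    "intrusion_detection",
)
IMPACT_FACTORS = (                                            # technical impact
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)

def level(score: float) -> str:
    """Band a 0-9 score the OWASP way: <3 LOW, 3-<6 MEDIUM, 6-9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError("OWASP factor scores lie in the 0-9 range")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

# OWASP overall-severity matrix, keyed by (likelihood band, impact band).
SEVERITY = {
    ("LOW", "LOW"): "NOTE",     ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",   ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",  ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}

def rate_risk(factors: dict) -> dict:
    """Average the likelihood and impact factors, band each, look up severity."""
    missing = set(LIKELIHOOD_FACTORS + IMPACT_FACTORS) - set(factors)
    if missing:  # an unscored factor would silently skew the average
        raise KeyError(f"unscored factors: {sorted(missing)}")
    likelihood = mean(factors[f] for f in LIKELIHOOD_FACTORS)
    impact = mean(factors[f] for f in IMPACT_FACTORS)
    return {"likelihood": likelihood, "impact": impact,
            "severity": SEVERITY[(level(likelihood), level(impact))]}

# Constructed scenario: weak authentication on a GWIS station-data query page.
GWIS_WEAK_AUTH = {
    "skill_level": 3, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6,
    "intrusion_detection": 8,
    "loss_of_confidentiality": 6, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
}

if __name__ == "__main__":
    print(rate_risk(GWIS_WEAK_AUTH))  # likelihood 5.75, impact 4.25 -> MEDIUM
```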
A. Identifying assets, possible threats and countermeasures
The first step for an organization to assess the network for security vulnerabilities is to understand the assets that make up the network. This step, known as discovery, involves identifying all of the servers, workstations, devices, services, and applications running on the network.
B. Asset classification
Asset classification starts with the identification of the assets of the organization. The OCTAVE-S model describes asset identification as “identification of business process assets”. In most cases it is better to talk to the people who best understand the organization's policy and goals in order to classify the asset category. An asset is information, a capability, an advantage, a feature, or a financial or technical resource that should be defended from any damage, loss or disruption. Damage to an asset may affect the normal functionality of the system as well as the individuals or organizations involved with the system. Normally, in web application technology, the assets are the database server, application server, and web server.
C. Threat Classification
A threat is a specific scenario or a sequence of actions that exploits a set of vulnerabilities and may cause damage to one or more of the system's assets [17]. When a vulnerability is identified, it requires at least one attack technique to hack the application. Figure 1 shows the common threat areas and security concerns of an application. However, specific threats to an individual application may differ from one application to another.

Figure 1. Web application security concern areas [18]

There are several attack techniques available and documented, commonly referred to as classes of attack. The Web Application Security Consortium (WASC), 2004 created and documented a threat classification with detailed information about the possible classes of attacks (Table 2), which is quite useful information for application developers, security auditors, professionals and vendors [19].
TABLE II. WASC THREAT CLASSES

Threat class: Authentication
  Description: Checks the identity of the user and/or service of the application.
  Attacks: Brute force; Insufficient authentication.

Threat class: Authorization
  Description: Checks the user and/or service permission to perform a requested action.
  Attacks: Credential/session prediction; Insufficient authorization.

Threat class: Client-side attacks
  Description: Checks for a chance to abuse or
  Attacks: Content spoofing; Cross-site scripting.