(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 5, August 2010
factors, but overall it depends on the strategy of the organization and its goals. There are a number of risk assessment models, namely CVSS, OWASP, CENZIC, AS/NZ, OCTAVE, NIST, NISA, ISO1799 and ISO 27001, for assessing the risk associated with the application. In addition to these models there are a number of other testing techniques available for web application testing [6, 7, 8], analysis, and reverse engineering [10, 11]. Huang et al., 2003 proposed WAVES (Web Application Vulnerability and Error Scanner), a black box testing framework for automated web application security assessment. Scott and Sharp, 2002 used an application proxy to abstract the Web application protection strategy. Huang et al., 2004 describe bounded model checking (BMC) for verifying web application code and automatically patching vulnerable code with run-time guards, allowing both verification and assurance to occur without user intervention. Again, Huang, 2004 proposed a holistic approach to ensuring web application security by static analysis and runtime protection. In addition to these, some further white box techniques protect the web application at development time rather than in the deployment phase. In all these listed models and techniques the general assessment framework involves:
Identifying assets, possible threats and vulnerabilities.
Estimating the risk.
Determining the severity of risk.
Deciding the priority list to eliminate the vulnerabilities.
Finally, customizing the risk model with the given inputs.

The ultimate objective of any model is to quantify the risk of the application at different levels by taking into account several factors such as asset information, likely threats, associated vulnerabilities and the impact on the application. It also provides a useful mechanism for organizations to prioritize their business risks, with common remedial practices for effective security practice. The risk assessment process involves steps to identify asset information and the possible threats and vulnerabilities of the application. The process ultimately determines the overall risk factor involved with the application and will help the organization to eliminate the vulnerabilities of the application.
Identifying assets, possible threats and countermeasures
The first step for an organization to assess the network for security vulnerabilities is to understand the assets that make up the network. This step, known as discovery, involves identifying all of the servers, workstations, devices, services, and applications running on the network.
Asset classification starts with identification of the assets of the organization. The OCTAVE-S model describes asset identification as “identification of business process assets”. In most cases it is better to talk to the people who best understand the organization's policy and goals in order to classify the asset category. An asset is information, a capability, an advantage, a feature, or a financial or technical resource that should be defended from damage, loss or disruption. Damage to an asset may affect the normal functionality of the system as well as the individuals or organizations involved with the system. Normally, in web application technology the assets are the database server, application server, and web server.
A threat is a specific scenario or sequence of actions that exploits a set of vulnerabilities and may cause damage to one or more of the system’s assets. When a vulnerability is identified, it requires at least one attack technique to exploit the application. Figure 1 shows the common threat areas and security concerns of an application. However, the specific threats to an individual application may differ from one application to another.

Figure 1. Web application security concern areas

There are several attack techniques available and documented, commonly referred to as classes of attack. The Web Application Security Consortium (WASC), 2004 created and documented a threat classification with detailed information about the possible classes of attacks (Table II), which is quite useful information for application developers, security auditors, professionals and vendors.
TABLE II. WASC THREAT CLASSES
Class               | What it checks                                                         | Attacks
Authentication      | The identity of the user and/or service of the application             | Brute Force; Insufficient authentication
Authorization       | The user's and/or service's permission to perform a requested action   | Credential/session prediction; Insufficient authorization
Client side attacks | Checks for a chance to abuse or                                        | Content spoofing; Cross site scripting