An Ontological Approach to Mitigate Risk in Web Applications

  • Marcius M. Marques (UnB)
  • Célia G. Ralha (UnB)


Information Security (InfoSec) is becoming a high-priority asset for supporting business activities, as organizations struggle to ensure that data in web applications is both available and secure. However, security is often not a concern from the beginning of the development process, mainly because developers are not security specialists. Consequently, vulnerable systems are designed, and when they are attacked they can compromise an organization's data and operations, incurring high financial losses. Because most attacks target the application layer, we propose an intelligent, ontology-based approach to mitigate risks in web applications. An ontological approach can contribute to the dissemination of InfoSec knowledge and reduce the burden that implementing secure web applications places on organizations. The ontology is based on the OWASP Top 10 Project and is applied to narrow the gap between application developers and security knowledge. The proposed model is employed in the design phase of development, with more secure web applications as the outcome. The developed ontology, which is extensible and reusable, is evaluated in a prototype scenario of a web application named 'SMS Broadcast'. The results show that vulnerabilities can be reduced by increasing the security awareness of web developers during the application development process.


MARQUES, Marcius M.; RALHA, Célia G. An Ontological Approach to Mitigate Risk in Web Applications. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 14., 2014, Belo Horizonte. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2014. p. 251-264. DOI: