№2, 2013

WEB SECURITY ASSESSMENT METHODS ANALYSIS

Yadigar N. İmamverdiyev, Latif A. Tarverdiyev

Web technologies are widespread as a means of delivering e-government services, business applications, social networking and social media. This brings a number of information security issues and makes web systems an attractive target for malware. The paper analyzes the components of web security, methodological approaches to web security assessment, methods for detecting vulnerabilities in web applications, and web-site reputation systems. (pp. 23-32)

Keywords: web security, web application security, web reputation systems, TrustRank, SQL injection attacks, XSS attacks, Web Mining