2 articles found
Hybrid Security Assessment Methodology for Web Applications
1
Authors: Roddy A. Correa, Juan Ramon Bermejo Higuera, Javier Bermejo Higuera, Juan Antonio Sicilia Montalvo, Manuel Sanchez Rubio, A. Alberto Magrenan. Computer Modeling in Engineering & Sciences (SCIE, EI), 2021, Issue 1, pp. 89-124 (36 pages)
This study presents a methodology to evaluate and prevent security vulnerabilities issues for web applications. The analysis process is based on the use of techniques and tools that allow to perform security assessments of white box and black box, to carry out the security validation of a web application in an agile and precise way. The objective of the methodology is to take advantage of the synergies of semi-automatic static and dynamic security analysis tools and manual checks. Each one of the phases contemplated in the methodology is supported by security analysis tools of different degrees of coverage, so that the results generated in one phase are used as feed for the following phases in order to get an optimized global security analysis result. The methodology can be used as part of other more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle (SSDLC). A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics. Dynamic analysis with manual checking is used to audit the results, 24.6 per cent of security vulnerabilities reported by the static analysis has been checked and it allows to study which vulnerabilities can be directly exploited externally. This phase is very important because it permits that each reported vulnerability can be checked by a dynamic second tool to confirm whether a vulnerability is true or false positive and it allows to study which vulnerabilities can be directly exploited externally. Dynamic analysis finds six (6) additional critical vulnerabilities. Access control analysis finds other five (5) important vulnerabilities such as Insufficient Protected Passwords or Weak Password Policy and Excessive Authentication Attacks, two vulnerabilities that permit brute force attacks.
Keywords: Web applications security vulnerability; weakness; security analysis; white box; black box; interactive application security testing; static application security testing; dynamic application security testing
Secure Data Sharing with Confidentiality, Integrity and Access Control in Cloud Environment
2
Authors: V. Rajkumar, M. Prakash, V. Vennila. Computer Systems Science & Engineering (SCIE, EI), 2022, Issue 2, pp. 779-793 (15 pages)
Cloud storage is an incipient technology in today's world. Lack of security in cloud environment is one of the primary challenges faced these days. This scenario poses new security issues and it forms the crux of the current work. The current study proposes Secure Interactional Proof System (SIPS) to address this challenge. This methodology has a few key essential components listed herewith to strengthen the security such as authentication, confidentiality, access control, integrity and the group of components such as AVK Scheme (Access List, Verifier and Key Generator). It is challenging for every user to prove their identity to the verifier who maintains the access list. Verification is conducted by following Guillou-Quisquater protocol which determines the security level of the user in multi-step authentication process. Here, RSA algorithm performs the key generation process while the proposed methodology provides data integrity as well as confidentiality using asymmetric encryption. Various methodological operations such as time consumption have been used as performance evaluators in the proposed SIPS protocol. The proposed solution provides a secure system for firm data sharing in cloud environment with confidentiality, authentication and access control. Stochastic Timed Petri (STPN) Net evaluation tool was used to verify and prove the formal analysis of SIPS methodology. This evidence established the effectiveness of the proposed methodology in secure data sharing in cloud environment.
Keywords: Secure interactional proof system; access control; multi-step authentication; Guillou-Quisquater protocol