
Quantifying the Attack Surface of a Web Application

Heumann, Thomas and Türpe, Sven and Keller, Jörg (2010):
Quantifying the Attack Surface of a Web Application.
In: Freiling, Felix (ed.): Sicherheit 2010: Sicherheit, Schutz und Zuverlässigkeit. Lecture Notes in Informatics (LNI), P-170. Bonner Köllen Verlag, Bonn. ISBN 978-3-88579-264-2.
[Conference or Workshop Item]

Abstract

The attack surface of a system represents the exposure of application objects to attackers and is affected primarily by architecture and design decisions. Given otherwise consistent conditions, reducing the attack surface of a system or an application is expected to reduce its overall vulnerability. So far, only whole systems have been considered, not individual applications. As web applications provide a large set of applications built upon a common set of concepts and technologies, we choose them as an example and provide qualitative and quantitative indicators. We propose a multi-dimensional metric for the attack surface of web applications and discuss the rationale behind it. Our metric is easy to use. It comprises both a scalar numeric indicator for easy comparison and a more detailed vector representation for deeper analysis. The metric can be used to guide security testing and development. We validate the applicability and suitability of the metric with popular web applications whose vulnerabilities are already known.

Item Type: Conference or Workshop Item
Published: 2010
Editors: Freiling, Felix
Creators: Heumann, Thomas and Türpe, Sven and Keller, Jörg
Title: Quantifying the Attack Surface of a Web Application

Title of Book: Sicherheit 2010: Sicherheit, Schutz und Zuverlässigkeit.
Series Name: Lecture Notes in Informatics (LNI)
Volume: P-170
Publisher: Bonner Köllen Verlag
ISBN: 978-3-88579-264-2
Uncontrolled Keywords: Secure Services; Web Application; Attack Surface; Black Box; Vulnerability; Measurement; Security Metrics; Attack Surface Metric
Divisions: LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
Event Location: Bonn
Date Deposited: 30 Dec 2016 20:23
Identification Number: TUD-CS-2010-1880