TU Darmstadt / ULB / TUbiblio

Quantifying the Attack Surface of a Web Application

Heumann, Thomas ; Türpe, Sven ; Keller, Jörg
ed.: Freiling, Felix (2010)
Quantifying the Attack Surface of a Web Application.
Bonn
Conference or Workshop Item, Bibliographie

Abstract

The attack surface of a system represents the exposure of application objects to attackers and is affected primarily by architecture and design decisions. Given otherwise consistent conditions, reducing the attack surface of a system or an application is expected to reduce its overall vulnerability. So far, only systems have been considered but not single applications. As web applications provide a large set of applications built upon a common set of concepts and technologies, we choose them as an example, and provide qualitative and quantitative indicators. We propose a multi-dimensional metric for the attack surface of web applications, and discuss the rationale behind. Our metric is easy to use. It comprises both a scalar numeric indicator for easy comparison and a more detailed vector representation for deeper analysis. The metric can be used to guide security testing and development. We validate the applicability and suitability of the metric with popular web applications, of which knowledge about their vulnerability already exists.

Item Type: Conference or Workshop Item
Erschienen: 2010
Editors: Freiling, Felix
Creators: Heumann, Thomas ; Türpe, Sven ; Keller, Jörg
Type of entry: Bibliographie
Title: Quantifying the Attack Surface of a Web Application
Language: English
Date: 2010
Publisher: Bonner Köllen Verlag
Book Title: Sicherheit 2010: Sicherheit, Schutz und Zuverlässigkeit.
Series: Lecture Notes in Informatics (LNI)
Series Volume: P-170
Event Location: Bonn
Abstract:

The attack surface of a system represents the exposure of application objects to attackers and is affected primarily by architecture and design decisions. Given otherwise consistent conditions, reducing the attack surface of a system or an application is expected to reduce its overall vulnerability. So far, only systems have been considered but not single applications. As web applications provide a large set of applications built upon a common set of concepts and technologies, we choose them as an example, and provide qualitative and quantitative indicators. We propose a multi-dimensional metric for the attack surface of web applications, and discuss the rationale behind. Our metric is easy to use. It comprises both a scalar numeric indicator for easy comparison and a more detailed vector representation for deeper analysis. The metric can be used to guide security testing and development. We validate the applicability and suitability of the metric with popular web applications, of which knowledge about their vulnerability already exists.

Uncontrolled Keywords: Secure Services;Web Application; Attack Surface; Black Box; Vulnerability; Measurement; Security Metrics, Attack Surface Metric
Identification Number: TUD-CS-2010-1880
Divisions: LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
LOEWE > LOEWE-Zentren
LOEWE
Date Deposited: 30 Dec 2016 20:23
Last Modified: 17 May 2018 13:02
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Send an inquiry Send an inquiry

Options (only for editors)
Show editorial Details Show editorial Details