
Research On Security Assessments For Web Applications

Posted on: 2013-02-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J W Zhang
Full Text: PDF
GTID: 1228330374499592
Subject: Information security

Abstract/Summary:
With the popularity of the Internet and the rapid development of, and intensive research on, web application technology, more and more web applications are deployed on the Internet to provide a wide range of services. Web applications are exposed to potentially malicious attackers because of their openness; moreover, the limited security experience of web application developers is a further constraint on the security of web applications, which results in incomplete security consideration in design, coding and configuration. This situation has caused a growing incidence of attacks on web applications. Because of its importance and the seriousness of the threats faced, web security has attracted great attention. Traditional security assurance techniques such as firewalls, IDS and IPS only act when an attack is encountered; their security functions are not exercised in ordinary application scenarios, and it is difficult to check the security functions of web applications and web application servers while they are operating. In this context, web application security assessment has great practical significance.

To address these issues, our research targets web application security evaluation. We study existing domestic and international general and specialized information on web application security assessment, security evaluation standards and technology, and on that basis we propose a common web application security assessment framework built on an existing testing framework. In our research, the security threats to web applications are divided into three levels: the web application layer, the web service layer and the underlying network layer, and we study web security assessment at each of these three levels.
At the end of this paper we propose an evaluating and administrating platform for web application security, into which the content of the studies is integrated and which will advance web application security evaluation work. The work and research in this paper are as follows:

1. On the underlying network layer, we study security assessment technology for web application topology. We represent the topology as an adjacency matrix and obtain the result by matrix comparison. Constraints are stored as BDDs and solved by BDD simplification. In our method, the topology conformance test is divided into two types: with constraints and without. Building on the former, which is part of the latter, we simplify the constraints and modify the matrix to solve the problem. This research plays an important part in web application security assessment for network border security.

2. On the web application layer, we study black-box testing technology related to web applications and present a method for security evaluation of web applications. In our method, the state of the application is stored as a state machine and its functions are specified according to the standard. Remote black-box testing is introduced to carry out the security assessment and obtain the result. We also introduce a self-learning algorithm that generates suitable content in order to discover more states and security issues.

3. On the web service layer, we study security evaluation technology for web application configuration. First, we study the configuration of web applications and the corresponding description of configuration checks; then we divide web service configuration into two types, the command-line-interface type and the text-based type, and propose security evaluation methods for each; finally, we propose a method for general assessment of the testing results.

4. We propose an evaluating and administrating platform for web application security and detail its structure and module design. The platform is based on the common framework for web application security assessment and implements the overall web application security evaluation process, which maximizes the automation of the evaluation.
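The network-layer method in item 1 (topology as an adjacency matrix, conformance by matrix comparison, constraints that modify the comparison) can be illustrated with a small script. This is an added example, not the dissertation's code: the node list, expected and observed edges are constructed, and constraints are modelled as plain predicates compiled into a "don't care" mask rather than the BDD representation the abstract describes.

```python
"""Topology conformance test by adjacency-matrix comparison.

Added illustration of item 1 of the abstract; not the dissertation's own
code. The expected topology (what the security design allows) and the
observed topology (e.g. reconstructed from a scan) are adjacency matrices
over one shared node list. Constraints are plain predicates on
(source, destination) pairs, compiled into a mask that removes cells from
the comparison; the abstract's BDD-based constraint handling is not
reproduced here.
"""
from typing import Callable, List, Sequence, Tuple

Matrix = List[List[int]]
Edge = Tuple[str, str]
Constraint = Callable[[str, str], bool]  # True: a mismatch on this edge is tolerated

# Constructed sample: a tiered deployment behind a border firewall.
NODES = ["internet", "firewall", "web", "app", "db"]
EXPECTED_EDGES: List[Edge] = [
    ("internet", "firewall"), ("firewall", "web"), ("web", "app"), ("app", "db"),
]
# Observed (constructed): one required link missing, one unexpected link,
# and one reverse link that the constraint below tolerates.
OBSERVED_EDGES: List[Edge] = [
    ("internet", "firewall"), ("firewall", "web"), ("web", "app"),
    ("web", "db"),   # direct web -> db path: not allowed by the design
    ("app", "web"),  # reply direction of an expected edge
]


def build_matrix(nodes: Sequence[str], edges: Sequence[Edge]) -> Matrix:
    """Directed adjacency matrix: m[i][j] == 1 iff nodes[i] may reach nodes[j]."""
    index = {n: i for i, n in enumerate(nodes)}
    m = [[0] * len(nodes) for _ in nodes]
    for src, dst in edges:
        m[index[src]][index[dst]] = 1
    return m


def constraint_mask(nodes: Sequence[str], constraints: Sequence[Constraint]) -> Matrix:
    """Cells where some constraint permits a deviation are marked 1 (don't care)."""
    return [[1 if any(c(a, b) for c in constraints) else 0 for b in nodes] for a in nodes]


def find_violations(nodes: Sequence[str], expected: Matrix, observed: Matrix,
                    constraints: Sequence[Constraint] = ()) -> List[Tuple[str, str, int, int]]:
    """Compare the two matrices cell by cell, skipping masked cells.

    With an empty constraint list this is the plain (unconstrained)
    conformance test; constraints only remove cells from the comparison.
    Each violation is (src, dst, expected_bit, observed_bit).
    """
    mask = constraint_mask(nodes, constraints)
    violations = []
    for i, a in enumerate(nodes):
        for j, b in enumerate(nodes):
            if mask[i][j] or expected[i][j] == observed[i][j]:
                continue
            violations.append((a, b, expected[i][j], observed[i][j]))
    return violations


def reverse_of_expected(src: str, dst: str) -> bool:
    """Constraint: the reverse direction of an allowed edge may appear (stateful replies)."""
    return (dst, src) in EXPECTED_EDGES


EXPECTED = build_matrix(NODES, EXPECTED_EDGES)
OBSERVED = build_matrix(NODES, OBSERVED_EDGES)

if __name__ == "__main__":
    for label, cons in (("without constraints", ()), ("with constraints", (reverse_of_expected,))):
        print(label)
        for src, dst, exp, obs in find_violations(NODES, EXPECTED, OBSERVED, cons):
            kind = "missing required link" if exp else "unexpected link"
            print(f"  {src} -> {dst}: {kind}")
```

A missing cell (expected 1, observed 0) means a required path is absent, an extra cell (expected 0, observed 1) means the observed network permits a connection the design forbids; the second kind is the border-security finding the abstract is concerned with, and it survives the constraint-based relaxation in the sample above.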
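The web-service-layer method in item 3 distinguishes text-based configuration from configuration read through a command-line interface, evaluates each, and then assesses the results as a whole. The following added example (not the dissertation's code) parses one constructed sample of each type, applies a small rule set, and produces a general assessment. The text-based sample uses Apache httpd directive names with constructed values; the CLI sample is a hypothetical "key = value" dump standing in for captured command output.

```python
"""Configuration security evaluation for text-based and CLI-type configuration.

Added illustration of item 3 of the abstract; not the dissertation's code.
TEXT_CONFIG uses real Apache httpd directive names with constructed values.
CLI_DUMP is a constructed, hypothetical management-command output; in a
real run it would be captured from the command, here it is embedded so the
example runs offline.
"""
from typing import Callable, Dict, List, NamedTuple


class Rule(NamedTuple):
    key: str
    ok: Callable[[str], bool]   # True when the value is acceptable
    severity: str               # "high", "medium" or "low"
    message: str


class Finding(NamedTuple):
    key: str
    value: str                  # "" when the key is absent
    severity: str
    message: str


TEXT_CONFIG = """\
# httpd.conf fragment (constructed sample)
ServerTokens Full
TraceEnable On
Timeout 300
"""

CLI_DUMP = """\
ssl.protocols = TLSv1 TLSv1.1 TLSv1.2
admin.password.default = true
request.max_body_bytes = 1048576
"""


def parse_directives(text: str) -> Dict[str, str]:
    """Text-based type: 'Directive value...' lines; '#' starts a comment."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            config[key] = value.strip()
    return config


def parse_cli_dump(text: str) -> Dict[str, str]:
    """CLI type: 'key = value' lines as printed by a management command."""
    config = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            config[key.strip()] = value.strip()
    return config


def no_legacy_tls(value: str) -> bool:
    return not ({"SSLv3", "TLSv1", "TLSv1.1"} & set(value.split()))


TEXT_RULES = [
    Rule("ServerTokens", lambda v: v == "Prod", "high", "version banner disclosed; set ServerTokens Prod"),
    Rule("TraceEnable", lambda v: v.lower() == "off", "medium", "TRACE method enabled; set TraceEnable Off"),
    Rule("Timeout", lambda v: v.isdigit() and int(v) <= 60, "low", "long timeout eases slow-connection exhaustion"),
]
CLI_RULES = [
    Rule("ssl.protocols", no_legacy_tls, "high", "legacy SSL/TLS protocol versions enabled"),
    Rule("admin.password.default", lambda v: v == "false", "high", "default administrative password still active"),
    Rule("request.max_body_bytes", lambda v: v.isdigit() and int(v) <= 10 * 1024 * 1024, "low", "very large bodies accepted"),
]

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def evaluate(config: Dict[str, str], rules: List[Rule]) -> List[Finding]:
    """Apply each rule; an absent key is also a finding, because the server
    default then applies and was never reviewed."""
    findings = []
    for rule in rules:
        value = config.get(rule.key)
        if value is None:
            findings.append(Finding(rule.key, "", rule.severity, "not set explicitly; default applies"))
        elif not rule.ok(value):
            findings.append(Finding(rule.key, value, rule.severity, rule.message))
    return findings


def assess(findings: List[Finding]) -> Dict[str, object]:
    """General assessment of one run: per-severity counts and a verdict
    driven by the worst finding present."""
    counts = {s: sum(1 for f in findings if f.severity == s) for s in SEVERITY_RANK}
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    verdict = {3: "fail", 2: "warn", 1: "pass-with-notes", 0: "pass"}[worst]
    return {"counts": counts, "verdict": verdict}


if __name__ == "__main__":
    for name, cfg, rules in (("text-based", parse_directives(TEXT_CONFIG), TEXT_RULES),
                             ("cli", parse_cli_dump(CLI_DUMP), CLI_RULES)):
        found = evaluate(cfg, rules)
        for f in found:
            print(f"[{f.severity}] {name}: {f.key}={f.value!r}: {f.message}")
        print(name, assess(found))
```

The two parsers are the only part that differs between the configuration types; the rule format, the evaluation loop and the final assessment are shared, which is what lets one general assessment method cover both types of results.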
Keywords/Search Tags: Web Application, Security Evaluation, Topology Evaluation, Web Black-box Evaluation, Configuration Evaluation