The Key Technologies Research Of Web Application Security Development

Posted on: 2012-11-07
Degree: Master
Type: Thesis
Country: China
Candidate: H Z Shi
GTID: 2218330338474181
Subject: Computer application technology

Abstract/Summary:
With the rapid development and popularization of networks and network technology, Web applications have been widely deployed on the Internet and intranets. As the functionality and interactivity of Web applications continue to grow, the corresponding Web vulnerabilities and malicious attacks have emerged and shown a trend of exponential growth. These have led to frequent security incidents, which pose serious threats to personal privacy, enterprise security and social stability. Therefore, how to ensure the security of Web applications has become a widespread focus of the security community.

This paper adopts the theory of the Security Development Lifecycle (SDL) and considers Web security engineering as an integrated whole. We studied key technologies in three areas, Web security design, implementation and run-time testing, including survivability Web security threat modeling, Web security functions, a general vulnerability description language and Web security testing.

This paper summarizes recent developments in Web security technology and security products. We introduce the current state of research and the major threats to Web security, and propose the concept of survivability Web security threat modeling, analyzing its function, characteristics, methods and modeling steps. A corresponding threat modeling use case is given and implemented using the appropriate Web security mechanisms provided by the .NET development language. We then analyze 5 commonly used comprehensive Web security evaluation tools, compare their performance, and summarize their advantages and disadvantages. After that, a generic model of a Web security evaluation framework is proposed. Meanwhile, some Web security evaluation indicators and evaluation management methods are given.

To better share vulnerability information and keep it compatible across the vulnerability databases of various security products, we propose an XML-based Uniform Vulnerability Description Language (UVDL) for Web application security. We also design the structured XML file and the main framework file of UVDL.

Finally, we implement a UVDL-based Web security penetration testing tool and compare its performance with the comprehensive Web security evaluation tools and an OVAL-compatible evaluation component. Test results show that this penetration testing tool has the advantages of higher test speed and better sharing and compatibility. Furthermore, the tool can effectively detect the vulnerabilities in the use cases and better protect Web application security.
Keywords/Search Tags: Web Vulnerabilities, Security Threats, .NET Security Mechanisms, Vulnerability Description Language, Security Assessment Tool, Penetration Testing, Web Security