Abstract
M.Sc. (Computer Science)
Web applications have been the target of endless attacks, which reach unprecedented levels every year. As described in various security publications, a wide variety of web applications are targeted, affecting all industries. Furthermore, sophisticated targeted attacks, where attackers observe and subsequently compromise web applications visited by their targeted victim group, leave no web application immune to potential attacks. The root cause of such exposures is vulnerabilities found within web applications. The purpose of this dissertation is to improve the security of web applications, specifically by addressing vulnerabilities found in web applications.
Security measures are well researched and defined in the Secure Software Development Life Cycle (S-SDLC) and are actively applied by the industry in an attempt to secure web applications. However, despite applying various mitigating measures, including security measures, annual security reports from various specialist organisations report that 70% to 80% of scanned web applications contain several critical vulnerabilities. These critical vulnerabilities are vulnerabilities listed on the OWASP Top 10. The OWASP Top 10 represents a broad consensus of the most critical security risks to web applications. These critical vulnerabilities are well documented, with technical details as to how such vulnerabilities can be detected and avoided. Noteworthy is that the vulnerabilities listed on the OWASP Top 10 account for more than 85% of successful exploits. The same critical vulnerabilities listed on the OWASP Top 10 are discovered in web applications, year after year.
Surveys by specialist organisations in the field found that the effect of security measures in the S-SDLC is situation dependent, and they suggest the implementation of a comprehensive metrics programme. Such a metrics programme would include the continuous measurement of the security posture of a web application and the tracking of progress over time, and in so doing would serve as a guide as to which of the SDLC-related activities are effective.
The aim of this dissertation is to develop a process for web applications which realises continuous, automated vulnerability self-assessment conducted during the development phase.
In order to achieve the aim of this dissertation, a theoretical model of the process for conducting continuous automated vulnerability assessments during the development phase of a web application was first defined. Based on this theoretical model, a prototype was then developed. The prototype is named the Vulnerability Test Network Prototype, referred to as VTNP from here onwards. The VTNP realises the theoretical model.
The deliverable of this dissertation is an artefact, the VTNP. The VTNP is an automated process, integrated into the development process, specifically the continuous integration (CI) build process, which scans a web application for vulnerabilities and reports and stores the results for each iteration. The VTNP determines the security posture of a web application as early as possible in the implementation phase, specifically during the CI build process, and does this continuously as the web application is enhanced and changed. In so doing, the VTNP provides the information for tracking and measuring the security posture of a web application and guides the appropriate actions to be taken...
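As an added example (not the VTNP's own code), a minimal per-iteration posture store of the kind the process described above requires: it keeps one snapshot of scan findings per CI build, diffs consecutive builds to surface regressions and fixes, produces the severity trend a metrics programme would chart, and gates the build. The finding shape and the findings for the two builds are constructed, scanner-neutral sample data.

```python
"""Store per-build scan results and track security posture across CI iterations."""
from collections import Counter

# Severity ranking used for the build gate and for trend counts.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings for two consecutive CI builds, in a hypothetical
# scanner-neutral shape: a stable finding id, an OWASP Top 10 category, a severity.
BUILD_42 = [
    {"id": "sqli:/login:username", "category": "A03:2021-Injection", "severity": "critical"},
    {"id": "missing-csp:/", "category": "A05:2021-Security Misconfiguration", "severity": "medium"},
]
BUILD_43 = [
    {"id": "missing-csp:/", "category": "A05:2021-Security Misconfiguration", "severity": "medium"},
    {"id": "weak-session:/account", "category": "A07:2021-Identification and Authentication Failures",
     "severity": "high"},
]


class PostureStore:
    """Keeps one snapshot per build so posture can be compared across iterations."""

    def __init__(self):
        self.snapshots = {}  # build id -> {finding id -> finding}
        self.order = []      # build ids in the sequence they were recorded

    def record(self, build_id, findings):
        self.snapshots[build_id] = {f["id"]: f for f in findings}
        self.order.append(build_id)

    def diff(self, old_build, new_build):
        """New findings are regressions; fixed ones show which SDLC activity helped."""
        old, new = set(self.snapshots[old_build]), set(self.snapshots[new_build])
        return {"new": new - old, "fixed": old - new, "persisting": old & new}

    def trend(self):
        """Per-build severity counts: the time series a metrics programme would track."""
        return [(b, dict(Counter(f["severity"] for f in self.snapshots[b].values())))
                for b in self.order]


def build_passes(findings, fail_at="high"):
    """CI gate: the build fails if any finding reaches the severity threshold."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[f["severity"]] < threshold for f in findings)


if __name__ == "__main__":
    store = PostureStore()
    store.record("42", BUILD_42)
    store.record("43", BUILD_43)
    print(store.diff("42", "43"), store.trend(), build_passes(BUILD_43))
```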