Vulnerability and Remediation for a High-assurance Web-based Enterprise

William R. Simpson, Coimbatore Chandersekaran

2014

Abstract

A process for fielding vulnerability-free software in the enterprise is discussed. The process combines testing for known vulnerabilities, generic penetration testing and threat-specific testing with a strong flaw remediation process. Testing may be done by the software developer or by certified testing laboratories. The goal is to mitigate all known vulnerabilities and exploits, and to be responsive in mitigating new vulnerabilities and exploits as they are discovered. The analyses are revisited whenever new or additional threats are identified; these are reviewed and prioritized, and mitigated through the flaw remediation process, through changes to the operational environment, or through the addition of further controls or products. The process is derived from the Common Criteria for Information Technology Security Evaluation and its Common Evaluation Methodology, which cover both discovery and remediation, and has been modified for the USAF enterprise.
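The first step of the process above, testing for known vulnerabilities, comes down to looking each fielded component up against an advisory feed and deciding whether the fielded version falls in an affected range, then ranking what remains for the flaw remediation process and re-running the check when the feed changes. The following is an added example of that check in Python; it is not code from the paper or from the USAF process it describes. The inventory and advisory records are constructed for illustration, the identifiers (ADV-*) are placeholders rather than real CVE numbers, and the version matcher assumes dotted numeric versions and a single affected range per advisory.

```python
"""Matching a component inventory against known-vulnerability advisories and
building a prioritised remediation queue.

Added example, not code from the paper or the process it describes.  It models
the "testing for known vulnerabilities" step: look each fielded component up
against an advisory feed (CVE/NVD in practice), decide whether the fielded
version is in an affected range, and rank the findings for flaw remediation.
The inventory and advisories below are constructed; ADV-* identifiers are
placeholders, not CVEs.  Assumptions: dotted numeric versions only, one
affected range per advisory."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10); pads to three parts so '3.1' == '3.1.0'.
    Comparing int tuples avoids the string-compare bug where '1.2.10' < '1.2.9'."""
    parts = [int(p) for p in v.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


@dataclass(frozen=True)
class Advisory:
    ident: str               # placeholder identifier, not a real CVE
    component: str
    introduced: str          # first affected version, inclusive
    fixed: str               # first fixed version, exclusive; "" means no fix published yet
    cvss: float              # severity used for prioritisation
    mitigated: bool = False  # an environment change or compensating control is already in place


@dataclass(frozen=True)
class Component:
    name: str
    version: str


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when introduced <= fielded version < fixed (no upper bound if fixed == "")."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def remediation_queue(inventory: List[Component], advisories: List[Advisory]) -> List[Dict]:
    """Findings ordered for remediation: unmitigated first, then highest CVSS first.
    Mitigated findings stay in the queue so they are re-examined when the threat picture changes."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            if adv.mitigated:
                action = "accept-with-control"
            elif adv.fixed:
                action = f"upgrade to >= {adv.fixed}"
            else:
                action = "no fix: add compensating control"
            findings.append({"component": comp.name, "version": comp.version,
                             "advisory": adv.ident, "cvss": adv.cvss,
                             "mitigated": adv.mitigated, "action": action})
    findings.sort(key=lambda f: (f["mitigated"], -f["cvss"]))
    return findings


def newly_reported(before: List[Dict], after: List[Dict]) -> Set[str]:
    """Advisory identifiers present after a feed update that were absent before:
    the items that need a fresh triage decision rather than a re-read of old ones."""
    return {f["advisory"] for f in after} - {f["advisory"] for f in before}


# Constructed inventory and advisory feed (illustrative only).
INVENTORY = [Component("webfw", "2.4.1"), Component("jsonlib", "1.0.9"), Component("tlslib", "3.1.0")]
ADVISORIES = [
    Advisory("ADV-0001", "webfw", "2.0.0", "2.4.3", 9.8),
    Advisory("ADV-0002", "jsonlib", "1.0.0", "1.1.0", 5.3),
    Advisory("ADV-0003", "tlslib", "3.0.0", "3.0.9", 7.5),   # fielded 3.1.0 is past the fix
    Advisory("ADV-0004", "jsonlib", "1.0.5", "", 6.1, mitigated=True),
]

if __name__ == "__main__":
    queue = remediation_queue(INVENTORY, ADVISORIES)
    for f in queue:
        print(f"{f['advisory']}  {f['component']} {f['version']}  CVSS {f['cvss']}  -> {f['action']}")
    # A new advisory arrives: re-run the check and surface only what changed.
    update = ADVISORIES + [Advisory("ADV-0005", "tlslib", "3.1.0", "3.1.2", 8.1)]
    print("new since last review:", sorted(newly_reported(queue, remediation_queue(INVENTORY, update))))
```

The queue keeps mitigated findings rather than discarding them, because a compensating control accepted under one threat picture may no longer be adequate when new exploits are reported; the diff produced by `newly_reported` is what a review board would triage first after a feed update.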



Paper Citation


in Harvard Style

Simpson, W. R. and Chandersekaran, C. (2014). Vulnerability and Remediation for a High-assurance Web-based Enterprise. In Proceedings of the 16th International Conference on Enterprise Information Systems - Volume 2: ICEIS, ISBN 978-989-758-028-4, pages 119-128. DOI: 10.5220/0004760501190128


in Bibtex Style

@conference{iceis14,
author={William R. Simpson and Coimbatore Chandersekaran},
title={Vulnerability and Remediation for a High-assurance Web-based Enterprise},
booktitle={Proceedings of the 16th International Conference on Enterprise Information Systems - Volume 2: ICEIS},
year={2014},
pages={119-128},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004760501190128},
isbn={978-989-758-028-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 16th International Conference on Enterprise Information Systems - Volume 2: ICEIS
TI - Vulnerability and Remediation for a High-assurance Web-based Enterprise
SN - 978-989-758-028-4
AU - Simpson, William R.
AU - Chandersekaran, Coimbatore
PY - 2014
SP - 119
EP - 128
DO - 10.5220/0004760501190128