A Metamodel for Web Application Injection Attacks and Countermeasures

Holm, Hannes; Ekstedt, Mathias

doi:10.1007/978-3-642-34163-2_12

Cited by 6 publications

(7 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A number of such countermeasures were identified during the pre-study [9], and we plan to study them utilizing the same approach as is presented in this paper.…”

Section: Discussionmentioning

confidence: 99%

“…Technical measures, process measures and organizational measures are all of relevance [8]. This study uses variables identified through a previous research [9] involving a literature review and expert judgment. This previous study is summarized in this section -the reader is referred to [9] for more comprehensive details.…”

Section: Model and Assumptionsmentioning

confidence: 99%

“…Regarding (ii), the choice of variables and their assumptions was made based on a pre-study involving both literature review and domain experts [9]. Concerning data collection methodology, Cooke [7] suggests that seven guidelines should be followed when data is elicited from experts.…”

Section: Validity and Reliabilitymentioning

confidence: 99%

See 2 more Smart Citations

Effort Estimates on Web Application Vulnerability Discovery

Holm

Ekstedt

Sommestad

2013

2013 46th Hawaii International Conference on System Sciences

Self Cite

View full text Add to dashboard Cite

Web application vulnerabilities are widely considered a serious concern. However, there are as of yet scarce data comparing the effectiveness of different security countermeasures or detailing the magnitude of the security issues associated with web applications. This paper studies the effort that is required by a professional penetration tester to find an input validation vulnerability in an enterprise web application that has been developed in the presence or absence of four security measures: (i) developer web application security training, (ii) type-safe API's, (iii) black box testing tools, or (iv) static code analyzers. The judgments of 21 experts are collected and combined using Cooke's classical method. The results show that 53 hours is enough to find a vulnerability with a certainty of 95% even though all measures have been employed during development. If no measure is employed 7 hours is enough to find a vulnerability with 95% certainty.

show abstract

“…A number of such countermeasures were identified during the pre-study [9], and we plan to study them utilizing the same approach as is presented in this paper.…”

Section: Discussionmentioning

confidence: 99%

Section: Model and Assumptionsmentioning

confidence: 99%

See 1 more Smart Citation

Effort Estimates on Web Application Vulnerability Discovery

Holm

Ekstedt

Sommestad

2013

2013 46th Hawaii International Conference on System Sciences

Self Cite

View full text Add to dashboard Cite

show abstract

“…P 2 CySeMoL adds four important assets to the scope of Cy-SeMoL: SocialZone, NetworkVulnerabilityScanner [32], We-bApplication [33], [34] and WebApplicationFirewall [33], [35].…”

Section: Assets Attacks and Defensesmentioning

confidence: 99%

“…A WebApplication [33], [34] is a software written in a script language that is published by an HTTP server (an ApplicationServer). It is typically a combination of both server-side scripts (e.g., PHP) and client-side scripts (e.g., JavaScript).…”

Section: Assets Attacks and Defensesmentioning

confidence: 99%

P<inline-formula><tex-math>$^{2}$</tex-math><alternatives> <inline-graphic xlink:type="simple" xlink:href="holm-ieq1-2382574.gif"/></alternatives></inline-formula>CySeMoL: Predictive, Probabilistic Cyber Security Modeling Language

Holm

Shahzad

Buschle

et al. 2015

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

This paper presents the Predictive, Probabilistic Cyber Security Modeling Language (P 2 CySeMoL), an attack graph tool that can be used to estimate the cyber security of enterprise architectures. P 2 CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, users must only model their assets and how these are connected in order to enable calculations. The performance of P 2 CySeMoL enables quick calculations of large object models. It has been validated on both a component level and a system level using literature, domain experts, surveys, observations, experiments and case studies.

show abstract