Security risk assessment of Geospatial Weather ...

International Journal of Computer Information Systems, Vol. 1, No. 3 October 2010.

Security risk assessment of Geospatial Weather Information System (GWIS) using integrated CVSS approach K. Ram Mohan Rao Geoinformatics Division, Indian Institute of Remote Sensing, Dehradun, Uttarakhand, India [email protected] repositories. However these numbers clearly states that the number is gradually increasing from year to year, even with the added security feature technology in web application development tools.

Abstract—Geospatial Weather Information System (GWIS) is a web based tool for capturing, storing, retrieving and visualization of the weather climatic data. Study has been carried out for assessing security integrity of GWIS and its application vulnerabilities such as blind SQL injection, unencrypted login request, in-adequate account logout etc., verifying the discoveries, and document the verified discoveries in a standard template using a black box testing tools. In this paper we implement our proposed integrated Common Vulnerability Scoring System (CVSS) approach for security integrity assessment of GWIS. The study led to quantifying different levels of risk for GWIS using CVSS approach by taking several factors such as asset information based on their importance in business, likely threats to these assets, associated vulnerabilities (both technical and non-technical), severity levels of the vulnerability, business impact factors such as company reputation.

90

Number of incidents

80 70 60 50 40 30 20 10 0 1999 2000

2001

2002 2003

2004 2005

2006

2007 2008

Year

Figure 1. Web hacking statistics incidents

Keywords- black box testing; web application security; blind SQL injection

The trends in hacking techniques are developed according to the usage level of particular technologies at the time [2]. As a consequence web applications and web servers are becoming popular attack targets.

I. INTRODUCTION There has been tremendous success of World Wide Web (WWW). Today most of the applications are developed using web technologies in different areas viz., banking, ecommerce, education, government, entertainment, webmail and training. Many companies are depending on their web sites for the publicity and business and some of the companies came into business like online shopping through the possibilities of WWW only. Many of customers also find convenient to get benefit from these services of web application rather than conventional or manual methods. The technology of web also enormously developed with modern technologies to build more reliable and cost effective web applications. The technology is now in a position to cope up with various issues like interoperability, multiple platforms and to connect with different database technologies.

II. SECURITY CHALLENGES Web applications are increasingly becoming high value target for attackers. 71% of the reported application vulnerabilities have affected the web technologies such as web servers, application servers and web browsers [3]. In 2007, a survey was conducted by the Cenzic and Executive alliance on the state of web application security level [4]. Some of the interesting key findings are:  

Despite the importance of web applications with improved technologies, hacking techniques also gained momentum in cashing the vulnerabilities of the applications. Web Application Security Consortium [1] gave report on web hacking statistics. These reports were only media recorded security incidents that can be associated with web application security vulnerability as shown in figure 1 (Year 2008 statistics are considered up to March only). As a result, the number may be smaller than any other hacking



  24

There is lack of confidence in the current state of web application security. Around 50% of the people are not confident about their application security, although most of them are happy about their application technology. 83% of the CEOs are aware of the web security, but most of them and other senior management are not sure about the financial implications of the unsecured web applications. Data breach cited as highest priority security risk in 2007. Only 10.17% claim their ability in testing the web application is up to the mark.




points that can put database at risk. Hackers generally look into the different fundamental areas of application to break the security. The general types of attacks are IP access, port access, and application access. Hackers get the IP address of the server and do the telnet to exploit the server. Applications are normally configured to listen on a predefined port for incoming requests. These vulnerable ports are also major sources for the attacks on the application. Web applications include the series of web servers, file servers and database servers etc. Each of these servers attracts potential point of entry to break the application security. But there are so many other areas where the application is vulnerable to the attacks. The major challenges associated with the web application are their most critical vulnerabilities that are of often the results of insecure information flow, failure of encryption, database vulnerabilities etc [10]. There are two types of application vulnerabilities. They are inherent in web application codes, and independent of the technologies in which they are deployed [11]. Attacker may exploit these vulnerabilities at anytime. The detailed classes of attack types are shown in figure 2 for the year 2007.

Around 55% say security awareness training is priority.

The above findings evidently show that, organizations are still not matured enough to take care of the application security issues against the ever growing threats. Therefore, it becomes imperative than ever to assess the web application security concerns. In the past, organization relied more on gateway defenses, Secure Socket Layer (SSL), network and host security to keep the data secured. Unfortunately, majority of the web attacks are application attacks and the mentioned technologies are generally unable to cope up with the security needs against the application attacks [5]. The gateway firewall and antivirus programs though offer protection at network and host level, but not at the application level [6]. Firewall may not detect malicious input sent to a GIS distributed application. Indeed, firewalls are great at blocking ports, of course, some firewall applications examine communications and can provide very advanced indication still. Typical firewall helps to restrict traffic to HTTP, but the HTTP traffic can contain commands that exploit application vulnerabilities. Firewalls are only an integral part of security, but they are not a complete solution [7]. The same holds true for Secure Socket Layer (SSL), which is good at encrypting traffic over the network. However, it does not validate the application’s input or protect from a poorly defined port policy. However, when the network and host entries are secure, the public interfaces of the application become the focus of the attack. The Software Unlimited Organization [8] listed the top 10 firewall limitations as :  Firewall can’t protect against attacks that don’t go through the firewall.  Can’t tell if it has been incorrectly configured.  Not all firewalls offer full protection against computer viruses.  Not replacement for strong security policy and procedural manual.  Firewall can’t tell if there are vulnerabilities that might allow a hacker access to internal network. Web servers are becoming popular attack targets. Between 1998 and 2000, around 50 new attacks exploit the Microsoft’s widely utilized web server Internet Information Server [9]. Of these attacks 55% allowed an intruder to read sensitive information such as ASP source files, configuration files and finally the data records as well. These growing numbers of attacks target the databases which reside behind the web server. By exploiting the vulnerabilities in the web server it is possible to run SQL commands for gaining the access of database server. Hence protecting the web server is becoming huge concern in the web application security domain.

Figure 2. Incidents by threat classification [12]

Over the past ten years hackers were creating virus code for just mischief. Now the attackers were more organized, and they are not attacking for the pride or ego, but they are targeting for the money and property [13]. Therefore, security is becoming the critical component in the web application development and deployment. Gartner, 2007 says that 75% of cyber attacks and Internet security violations are generated through internet applications. Cenzic (2008) reported web application vulnerabilities for the four quarters of the year 2007 were 1046, 1069, 1001, and 997 respectively. The year 2007 witnessed number of new types for exploiting web application vulnerabilities. Around 70% of the total web vulnerabilities are web application vulnerabilities [14]. IV. APPLICATION SECURITY ASSESSMENT Web application security assessment is a crucial part in the application development cycle. The distributed nature of web and application architecture creates difficulties in analyzing the application [15]. The Rapid Application Development (RAD) process makes the application extremely short and makes it difficult to eliminate the vulnerabilities. In the process most of the applications are

III. WEB APPLICATION SECURITY CONCERNS Web application must be secured in depth, because they are dependent on hardware, the operating system, web server, database, scripting language and application code. Because of these reasons web applications have numerous entry

25


quantifying the risk [17]. The outcome of the risk model prioritizes with the list of vulnerabilities that could harm the application. This priority list is useful for the developers and administrators to secure the application with remedial procedures. The outcome of risk model is a detailed document for making the application hackresilient one both at design level and implementation level.

becoming vulnerable to attack. Although organizations have many traditional precautions in their networks such as firewalls, they are no longer sufficient to protect the application across the internet. Firewalls alone can’t protect the application from the external threat, but firewalls are integral part of the network security. To withstand web applications against the evolving threat techniques, organizations must assess their web applications so that they understand the risk they are dealing with. For example, agency providing data access to their users via the web application must test the web application and calculate or rate the risk. This approach provides, to understand the vulnerabilities associated with the application. Most of the cases this can be achieved by scanning the sites with legacy tools which will detect the number of vulnerabilities present in the site. This will give the opportunity to rectify the coding techniques to eliminate the vulnerabilities.

VI. INTEGRATED CVSS MODEL The Common Vulnerability Scoring System (CVSS) risk rating model is an integrated approach for calculating and rating the risk associated with the application. It is a universal language to convey vulnerability severity, and help to determine urgency and priority of response. It is an integrated approach of three distinct groups. These groups are,

Knowing the vulnerabilities alone will not help the management to improve the security of the application. Rating the risk of the application by considering the different factors associated with application will give more clarity and edge to secure the application in a better way. By following this approach, organization can estimate the severity of the application and make an informed decision about the risk. Also the risk factor will also prioritize the issues in the application in a better way than the random approach.

I. II. III.

Base metric group Temporal metric group Environmental metric group

Each of these groups clusters together related qualities that capture certain characteristics of vulnerability. Each of these qualities or "metrics" has a specific way of being measured and each group has a unique formula for combining and weighing each metric. Base metric represents the intrinsic and fundamental characteristics of vulnerability that are constant over time and user environments. It counts the characteristics of vulnerability that are constant with time across user environments. The components include access vector, access complexity, and authentication metrics capture how the vulnerability is accessed, or exploited, the complexity of attack, the number of times an attacker must authenticate to a target in order to exploit vulnerability, and whether or not extra conditions are required to exploit it. It also considers the impact values, if the vulnerability is successfully exploited. The impact metric covers the confidentiality impact, integrity impact and availability impact. Temporal metric represents the characteristics of vulnerability that change over time but not among user environments. This metric is the key component in the application assessment, because exploit techniques will change from time to time. The temporal metric measures the current state of exploit techniques or code availability or patch availability. It also considers the remediation level, such as official patch fix or temporary fix, and availability factors. Temporal metric also covers the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. All these parameters result to the final status of the application temporal metric.

V. RISK MODELING METHODOLOGY Risk assessment is very complex process for a distributed application environment. Web application consists of application programs across the network with standard database conection, web server and application server. Amongst these integrated technologies there is always a possibility of exposing the security gaps between presentation logic, business logic and data access logic components. Therefore risk assessment is very much essential process for this distributed application for knowing the risk they are dealing with. Risk assessment is a software testing process with set of procedures, testing techniques to find out the vulnerabilities of the application, and database etc. and modeling these vulnerabilities with a predefined risk models. The outcome of any model is the quantification of the risk that is dealt by an application. There are many risk assessment models for the web application risk modeling. They are OWASP, CENZIC, CVSS, DREAD, OCTAVE, NIST, NISA, ISO 1799 or 27001 for addressing the risk they are dealing with [16]. All these models based on a uniform algorithm and quantify the risk of the application in its own metric. Some models rate the risk in the scale of 1-10, and some other models quantify the risk under low, medium or high levels. However, the algorithm starts with the identification of organizational assets and their vulnerabilities. These vulnerabilities are found by a test of automated tools that are available in the industry. The next process is assigning the weightages to the individual vulnerability based on the model description for

Environmental metric represents the characteristics of vulnerability that is relevant and unique to a particular user’s environment. It captures the characteristics of vulnerability that are associated with a user environment. But most of the times these environmental factors will not 26


have any effect on the final score. It considers the potential for loss of life or physical assets damage, theft of property or equipment. In addition to collateral damage potential, the model also takes target distribution and security requirements in to consideration. The details metric components of the CVSS approach is given in table 1. BaseScore

=

round_to_1_decimal (((0.6 *Impact) + (0.4 * Exploitability) – 1.5) *f(Impact))…..(1) Where Impact = 10.41 * (1-(1-ConfImpact)*(1-IntegImpact) * (1-AvailImpact)) Exploitability = 20 * AccessVector *AccessComplexity * Authentication

TemporalScore

= round_to_1_decimal (BaseScore*Exploitability* RemediationLevel*ReportConfidence)….(2)

EnvironmentalScore = round_to_1_decimal ((AdjustedTemporal+(10-AdjustedTemporal) * collateralDamagePotential) * TargetDistribution)……… (3) Where AdjustedTemporal = TemporalScore recomputed with the BaseScore’s Impact subequation replaced with the AdjustedImpact equation AdjustedImpact = min(10,10.41*(1-(1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq) *(1-AvailImpact*AvailReq))) TABLE I. CVSS METRIC GROUPS

Metric Group Base

Temporal

Environmental

Components Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact(C) Integrity Impact (I) Availability Impact (A) Exploitability (E) Remediation Level (RL) Report Confidence (RC) Collateral Damage Potential (CDP) Target Distribution (TD) Confidentiality Requirement (CR) Integrity Requirement(IR) Availability Requirement (AR)

Figure 4. CVSS metrics and equations [18]

Base metric group captures the static characteristics of the vulnerabilities that do not change over the time. In the other hand, temporal metrics captures the dynamic characteristics of vulnerabilities those change over the time. The environmental metrics group captures characteristics of vulnerabilities that are tied to implementation and environment. Therefore, CVSS follows a holistic approach that evaluates the total characteristics of the vulnerabilities for accurate effect on the application.

Now, the final Base, Temporal, Environmental vectors are calculated with the above equations 1,2 and 3. Therefore CVSS works with metrics and corresponding equations to calculate the risk outcome of application as shown in figure 4.

VII.

GEOSPATIAL WEATHER INFORMATION SYSTEM (GWIS)

Geospatial Weather Information System (GWIS) is a web based tool for capturing, storing, retrieving and visualization of the weather climatic data. The GWIS contains historical climatic data for nearly hundreds of land stations country wide. The database is provided with both climatic daily and monthly data. Daily data has been nearly for 150 ground stations country wide and covering temperature, rainfall, humidity details. The 27


that automates the process of web application security testing, and finally result the vulnerabilities present in the application. The tools analyses any web application or site and scans them for exploitable vulnerabilities such as blind SQL injection, cross site scripting, and directory traversal, etc. There are several free and open source projects in the category of web application assessment tools, such as Burp proxy, Grabber, Penetra, Paros, SPIKE Proxy, WebScarab, Wapiti, and W3AF. Commercial assessment tools includes the list of AppScan, Webinspect, BiDiBLAH, Cenzic, Acunetix , NESSUS, Wikto, Nikto, etc. In general all these automated tools generates following feature set at high level:  Vulnerability discovery and listing  Automated auditing as well as manual auditing capabilities  Extensive view options  Extensive reporting options  Exposed APIs  Remediation recommendations

climatic monthly data has for wide range of land stations around 3000 countrywide. Daily data is being captured from different sources after then arranged in GWIS format for storing in the database. The source for monthly data is Global Historical Climatology Network (GHCN). It is used operationally by National Climatic Data Centre (NCDC) to monitor long-term trends in temperature and precipitation. The mission of GWIS is to integrate the weather related information from different available sources and organize the data in structured GWIS format. The application tool is designed to cater the research needs of various application scientists working on different themes.

VIII. CVSS FOR GWIS CVSS model works with the principle by measuring the metrics for all vulnerabilities present in the system. In the process, detecting the vulnerabilities in the application is a key point for the application security assessment.

Identifying vulnerabilities across the site is a major endeavor. Today’s enterprise consists of several system servers, application servers, database servers via several networking circuits with varying speeds. The point is, it is not possible to simply install network or system scanners and scan the total application. This is because, it is not possible to get the required coverage with in the desired time frame with a single scanner. For this reason we cannot simply stop the assessment, knowing that the site consists of 70 percent network vulnerabilities that have not been remediated. Enterprise level assessments are still required. Instead of simply dropping scanners onto network, the process should leverage organizations vulnerability management, its investment in security, patch, and configuration management technologies. Vulnerability scanners are responsible for detecting network hosts, discovering available applications, and ascertaining vulnerabilities.

A. Finding out vulnerabilities Because of the multiple technologies involved in the web application, it’s very difficult to discover the vulnerabilities present in the site. For this, tester has to run battery of tests and use various strategic techniques to discover the vulnerabilities. This process includes,  Discovering any existing vulnerabilities  Verify the discoveries  Document the verified discoveries in a standard template. Manual testing is a cumbersome method and almost a difficult task for discovering the application flaws. Discovering vulnerabilities present in the application often needs a strong testing tool for scanning the web site. Recently, automated security testing tools are developed for scanning the total application with easy to use interface. Such projects are WebSSARI (Web Application Security Analysis and Runtime Inspection) for testing vulnerabilities in PHP code [19]. Such white box testing techniques fail to adequately consider the runtime behavior of web applications. The main reason for this is, the web application is a combination of presentation layer, application layer and database layer. In other words, white box testing techniques will not give appreciated results to discover the vulnerabilities because their inability in handling user input through the interfaces (GUIs). There is other approach for finding vulnerabilities of web application, a black box testing technique. Huang et al, (2005) presented a web application security scanner (WAVES)- an automated software testing platform for the remote, black box testing [20]. Barton et al, (2000) presented a web application security assessment framework based on a security scoring vector [21].

TABLE II. VULNERABILITIES BY PATTERN

No 1 2 3 4 5 6

7 8 9

Today there are several open source and proprietary automated tools, works on a black box testing framework 28

Vulnerability Patterns Blind SQL Injection Login page SQL Injection Unencrypted login request Application Error Inadequate account lockout Permanent cookie contains sensitive session information Session information not updated Unencrypted password parameter Unencrypted viewstate parameter

Number of Instances 2 2 1 1 1 1

1 3 7


TABLE III. BASE METRIC PARAMETERS OF GWIS

Vulnerability softwares generally run on network devices or on a company own application assets. For this type of application assessment, single type of vulnerability scanner is sufficient for scanning the application. However, larger sites may require multiple vulnerability scanners to support the assessment needs. The reason is the specific tools are effective in some of the areas and may not be good at other functional areas. For this reason, the GWIS application has been scanned with multiple scanners namely AppScan, CENZIC, and Nessus tools. The consolidated list of vulnerabilities observed is shown in table 2. After discovering the vulnerabilities after a systematic scanning as mentioned above, verification has to be done with proper documentation using a standard template. B. Experimental results The GWIS has been scanned thoroughly for the vulnerabilities across the presentation, business, and database layers of GWIS. Nine vulnerability patterns are found including total 20 instances. The Base, Temporal, environmental metric scores are calculated against each vulnerability of the application. The objective of base metric group is to estimate base score related to any given vulnerability that do not change over time or in different environments. The access vector, access complexity, and authentication metrics capture how the vulnerability is accessed, or exploited, the complexity of attack, the number of times an attacker must authenticate to a target in order to exploit vulnerability, and whether or not extra conditions are required to exploit it. The base scores are calculated against the vulnerabilities present in the GWIS (table 3). Because the vulnerabilities can be exploited remotely, the access vector for vulnerability is remote and hence the score is maximum. Blind SQL injection, unencrypted login request etc. are difficult to discover, but the ease of exploit is maximum. Therefore, these vulnerabilities are easy to exploit and the overall access complexity is high. The GWIS system require authentication for the data access. Attacker without valid credentials is difficult to access GWIS in order to exploit the vulnerability. The objective of information security systems is to protect confidentiality, integrity, availability [22]. The confidentiality metric measures the impact on confidentiality of a successful exploit of the vulnerability present in GWIS. The confidentiality score is none or partial, as the access information is disclosed to only authorize users. However, there is a considerable information disclosure if the critical resource such as database is compromised. Loss of integrity is also partial or none on the application. Since the application protects the data from authorized modification, the overall integrity impact is nominal. Loss of availability is also almost nil on a successful exploit of the vulnerability. The blind SQL injection and login page SQL injection will have partial impact on the availability, but the other vulnerabilities will have no impact on the availability of the application.

Vulnerability

AV

AC

Au

C

I

A

Blind SQL Injection Login page SQL Injection Unencrypted login request Application Error Inadequate account lockout Permanent cookie contains sensitive session information Session information not updated Unencrypted password parameter Unencrypted view state parameter

1.0

0.35

0.45

0.275

0.275

0.275

1.0

0.35

0.45

0.275

0.275

0.275

1.0

0.61

0.45

0.275

0.275

0.275

1.0

0.61

0.45

0.0

0.0

0.0

1.0

0.71

0.56

0.0

0.0

0.0

1.0

0.61

0.45

0.0

0.0

0.0

1.0

0.71

0.45

0.0

0.0

0.0

1.0

0.71

0.45

0.0

0.0

0.0

1.0

0.71

0.45

0.0

0.0

0.0

Temporal metric is a rough estimate of how likely particular vulnerability is uncovered and the same is exploited by the attacker. There are three major components in estimating the chances for a successful attack namely exploitability, remediation level and report confidence. Since there is a proof of concept for the SQL injection, the attacker should be skilled enough to exploit SQL injection, the exploitation score is 0.9. For vulnerabilities such as unencrypted login request and application error the scores are 0.95 as the functional code for the exploit technique is available. However, rest of the vulnerabilities, the exploitation score get 1.0 because of high exploitation chances. The reason is that, these application flaws or more vulnerable, publication of code is available and motivation skills are minimum. The remediation levels attract 0.9 for SQL injection because the temporary fixes are available to work on with the total fixation of the problem. For rest of the vulnerabilities official fixation patches are available. Since the report confidence type is uncorroborated, the score is 0.95 for first two vulnerabilities. For other vulnerabilities the report confidence score is 1.0 because the application vendor has been acknowledge the existence of the vulnerability with a subsequent patch as well. Table 4 shows the details of temporal parameters. TABLE IV.TEMPORAL METRIC PARAMETERS OF GWIS

29

Vulnerability

E

RL

RC

Blind SQL Injection (

0.9

0.90

0.95

Login page SQL Injection Unencrypted login request Application Error

0.9

0.90

0.95

0.95

0.87

1.0

0.95

0.87

1.0

Inadequate account

1.0

0.87

1.0


lockout Permanent cookie contains sensitive session information Session information not updated Unencrypted password parameter Unencrypted view state parameter

1.0

0.87

1.0

1.0

0.87

1.0

1.0

0.87

1.0

1.0

0.87

1.0

login request Application Error Inadequate account lockout Permanent cookie contains sensitive session information Session information not updated Unencrypted password parameter Unencrypted view state parameter

The ultimate objective of risk assessment is to quantify the impact of business, if the vulnerabilities are being exploited by the attacker. Sometimes it is also known as business impact which plays major role in calculating the overall risk rating process. The environmental scoring metric captures characteristics of vulnerabilities that are tied to implementation and environment. For example, GWIS is an application indented to disseminate the weather related data to the given users through the application.

Vulnerability

CDP

TD

CR

1.0

1.0

0.50

1.0

0.50

1.0

1.0

0.50

1.0

0.50

1.0

0.50

1.0

0.50

1.0

IR

1.0 1.0

0.50 0.50

1.0 1.0

0.50 0.50

1.0

1.0

0.50

1.0

0.50

1.0

1.0

0.50

1.0

0.50

1.0

1.0

0.50

1.0

0.50

1.0

1.0

0.50

1.0

0.50

Here the main business assets are weather repository, related financial transactions and metadata sets. CVSS considers five environmental variables to assess the business impact of the application based on different application deployment or business environments.

TABLE V. ENVIRONMENTAL METRIC OF PARAMETERS OF GWIS

Blind SQL Injection Login page SQL Injection Unencrypted

1.0 1.0

The collateral damage potential and target distribution variables receive the environmental score between 0.0 (None) and 9.2 (High) as availability is more important than usual for the targeted systems. Table 5 lists the environmental parameters for GWIS.

AR

The final Base, Temporal, Environmental vectors for the GWIS are: Impact = 10.41*(1-(1-0.275)*(1-0.275)*(1-0.275)) == 9.791 Exploitability = 20*1.0*0.596*0.4622 == 5.5094 f(Impact) = 1.176 BaseScore = (0.6*9.791 + 0.4*5.5094 – 1.5)*1.176 ==7.7 TemporalScore=round(7.7 * 0.9666 * 0.8766 * 0.9888) == (6.6) AdjustedImpact = min(10,10.41*(1-(1-0.275*0.50)*( 1-0.275*1.0) *(1-0.275*0.50)) == (10.0) AdjustedBase =((0.6*10)+( 0.4*5.5094 – 1.5)*1.176 == (10.0) AdjustedTemporal == (10*0.9666 * 0.8766 * 0.9888) == (8.3) EnvironmentalScore = round ((8.3+(10-8.3)*1.0*1.0) == (0.00 – 10.0) which takes into account the likelihood and difficulty of exploitation and the business use and importance of the GWIS asset.

Therefore, the risk posed by these vulnerabilities is calculated under base, temporal and environmental factors. The overall security of the application always depends on the total security of the system. The base score of GWIS is 7.7 in the scale of 1-10. Therefore the severity of the application is medium to high. Temporal score of GWIS is 6.6 which represent the urgency of introduction of mitigating factors to reduce the vulnerability scores. The environmental score is 10.0 which is a final score with the base and temporal inputs. Since environmental score is high, GWIS will use this input to immediately prioritize the responses in the deployment environment. To minimize the risk levels of the GWIS, it is crucial to fix the most sever risk generating vulnerabilities first such as, blind SQL injection and login page SQL injection vulnerabilities in GWIS. Similarly the other vulnerabilities also should be fixed to further reduce the risk as per the priority list given in table 6. Remediation priority should be based on the criticality of the vulnerability,

Figure 4. CVSS metrics score

The GWIS application has different types of vulnerabilities. Total 20 vulnerability instances ARE 30


REFERENCES

found in GWIS application. The URLs of the application home page, registration page, login page, data selection form, monthly temperature, and station information consists of vulnerabilities are reviewed, and the corresponding remediation tasks are addressed.

[1]

[2]

TABLE VI. VULNERABILITY REMEDIATION PRIORITY Vulnerability

Risk

Resource Requirmen t

Effort to exploit

Blind SQL Injection

High

Low

Medium

Login page SQL Injection Unencrypted login request Application Error

High

High

Medium

Medium

Low

High

Low

High

Low

Low

Low

Medium

Low

High

Low

Low

High

Low

Low

High

Low

Informati

High

Medium

Inadequate account lockout Permanent cookie contains sensitive session information Session information not updated Unencrypted password parameter Unencrypted view state parameter

[3]

[4]

Cenzic, The voice of IT leadership on Web security, Findings of survey conducted by CENZIC and Executive alliance, October 2008,Whitepaper. Accessed from http://www.Cenzic.com on 12.07.2006.

[5]

IBM, Web application security management, Understanding the web application security, 2008, Whitepaper. Accessed from http://www.ibm.com, on 12 .07 . 2006.

[6]

M Curphey, D Endler, W Hau, S Taylor, T Smith, A Russel, M McKenna, R parke, K McLaughlin, N Tranter, A Klien, D Groves,By-Gad I, S Huseby, M Eizner, R Mcnamara, , A guide to building secure web applications, The open security web application project, V.1.1.1,2002. Whitepaper, Available from http://www.first.org/cvss/cvss-guide.html Accessed on 12.04.2007. JD Meier , A Mackman, S Vasireddy, M Dunner, S Escamilla, A Murukan, Improving web application security : Threats and Countermeasures. Microsoft Corporation, 2003,pp.3. SoftwareUnlimited, Firewall Limitations, Irvine, CA. 2005.Whitepaper. Accessed fromhttp://www.softwareunlimited.com/securityfirewallt op10.htm. Accessed on 06.20.2005.

[7]

onal [8]

IX. CONCLUSIONS Application security is the use of software, hardware, and procedural methods to protect applications from external and internal threats. Security measures built in to applications and sound application security procedures minimize the likelihood that hackers will be able to manipulate application. Actions taken to ensure application security are sometimes called as countermeasures. These include firewall, router, encryption/decryption, anti-virus programs, spyware detection/removal programs, biometric authentication systems, and assessment procedures.

[9]

SANS Security essentials, Understanding the IIS vulnerabilities: fix them, SANS Institute, 2001, Whitepaper. Accessed from http://www.sans.org/training/category.php?c=SEC, Accessed on 06.20.2005.

[10]

F Ricca and P Tonella, Web site analysis: `structure and evolution, in: proceedings of the IEEE international Conference on Software maintenance, San Jose, California. 2000.

[11]

D Scott and R Sharp, Developing secure web applications, IEEE internet Computing, vol.6. 2002. WASC, Web Application Security Consortium: Threat Classification, 2004.Whitepaper. Available from http://www.webappsec.org/projects/threat K Mandeep, Cenzic Application Security Trends Report 2007, Cenzic Inc, 2007. Whitepaper. Accessed from http://www.Cenzic.com.

[12]

Application security can be enhanced by rigorously defining enterprise assets, identifying what each application does with respect to these assets, creating a security profile for application, identifying and prioritizing potential threats, and documenting adverse events and the action taken in each case. This process is called as threat risk modeling. The results of the research provide the security assessment of GWIS application, identifying weaknesses and recommending security improvements. In the process, the study presented threat risk modeling, standard vulnerability management by calculating the risk associated with the GWIS, by giving common remediation initiatives. The study led to quantifying different levels of risk for GWIS by using CVSS model.

[13]

[14]

[15]

[16]

[17]

31

WASC, Web Application Security Consortium, Web Hacking Statistics,2008. Accessed from http://www.webappsec.org/projects/whid/statistics.shtml on 14.06.2007. F Ian, Protecting The Web Server And Applications, Computer & Security, Volume 20, Issue 1, 2001, pp. 3135. K Mandeep, Cenzic Application Security Trends Report Q4, 2007, Cenzic Inc. Whitepaper, 2008. Accessed from http://www.Cenzic.com on 12.02.2008.

WN Mills, L Krueger, W Chiu, N Halim, JL Hellerstein, MS Squillante, , Metrics for performance turning of web based application, CMG journal the association of system performance professionals.Vol 12. No.7, 2007. Segal O, 2006, Methodologies & tools for web application security assessment, Watchfire Whitepaper. Accessed from http://www.blog.watchfire.com, Accessed on 22.03.2008. K. Ram Mohan Rao, D. Pant, ,“A Multimodel approach for threat risk modeling of web based applications, International Conference on Information & Communication Technology, Managing Worldwide Operations and Communications with Information Technology at Dehradun July 26-28,2007. K. Ram Mohan Rao, Durgesh Pant., 2010. Security risk assessment of Geospatial Weather Information System (GWIS) : An OWASP based approach. International


[18]

[19]

[20]

[21]

[22]

Journal of Computer Science and Information Security, Vol.8 No.5 pp. 208-218. S Mike.2005, A Complete Guide to The Common Vulnerability Scoring System (CVSS), Whitepaper.Accessed from http://wwweurope.cisco.com/web/about/security/security_services/ci ag/research/CRP_common_vunerability_scoring_system. html. J Joshi, W Aref, A Ghafoor, E Spafford, 2001, Security models for Web based applications, Communications of the ACM 44(2). pp 38-44. YW Huang, Fang Yu, Tsai C H, Lin T P, Huang S K, Lee D T, Kuo S Y, 2005, A testing framework for web application security assessment,”, Computer Networks 48(2005) pp.739-761. RR Barton, WJ Hery, P Liu, 2001, An S Vector for web application security assessment. Available from http://209.85.175.104/search?q=cache:3nAQ2kKly0IJ:w ww.smeal.psu.edu/cdt/ebrcpubs/res_papers/2004_01.pdf +s+vector+%2B+threat+classificaiton&hl=en&ct=clnk& cd=1&gl=in. Accessed on 13.08.2008. F. Ricca, P Tonella, ID Baxter, 2001, Restructuring Web applications, in:Proceedings of the 23rd IEEE International Conference on Software Engineering, Toronto, Ontario, Canada.

Dr. K. Ram Mohan Rao received his Ph.D degree in Computer Science from the Kumaun University, Nainital, India. He is currently a Scientist at Geoinformatics Division, Indian Institute of Remote Sensing (NRSC), Dehradun, India. His field of expertise is Computer Sceince and Geoinformatics. His research area include Spatial Databases, Internet GIS, data handling in distributed GIS environment, Location Based Services, and Risk modelling of web applications. He published number of research papers in professional journals.

32