Relationship between Attack Surface and Vulnerability Density: A Case Study on Apache HTTP Server
Authors
Abstract
Software security metrics are quantitative measures related to a software system's level of trustworthiness. They can be used to aid in resource allocation, program planning, risk assessment, and product and service selection. Researchers have recently proposed several software security metrics; among these are attack surface and vulnerability density. The attack surface measure has been used by a few major software companies, such as Microsoft, Hewlett-Packard, and SAP. The vulnerability density measure has been applied by some researchers to the Windows and Linux families of operating systems, as well as to some web servers and browsers. Despite their promise, establishing the validity of software security metrics remains a key challenge. A single security metric may be unable to measure all aspects of security, so the use of multiple metrics may be needed in some situations. To assess the applicability of metrics that quantify individual as well as multiple aspects of security, we explore the relationship between the attack surface and vulnerability density metrics. For this examination, the source code and vulnerability data of two releases of Apache HTTP Server have been examined. While the results show that attack surface and vulnerability density are related, further investigation is needed to develop methods that combine them.
Similar sources
Web Anomaly Detection through Building Access Usage Profiles
Due to the increase in cyber-attacks, the need for web server attack detection techniques has drawn attention today. Unfortunately, many available security solutions are inefficient in identifying web-based attacks. The main aim of this study is to detect abnormal web navigations based on web usage profiles. In this paper, comparing scrolling behavior of a normal user with an attacker, and simu...
A Web Interface for Nessus Network Security Scanner
A fully functional web interface (NessusWeb) for the Nessus network security scanner has been developed. NessusWeb provides public accessibility for authorized users and supports SSL communication, multiple sessions and centralized scan configurations and management of scan reports. It was created using a multi-tier distributed architecture. The client tier is a web browser. The Apache Secure W...
Performance Evaluation of New Methods of Automatic Redirection for Load Balancing of Apache Servers Distributed in the Internet
An overloaded web server will lose incoming requests resulting in a “404 error” appearing at a client browser. Front-end application-level switches can redirect requests to less loaded servers. However, there exist no native methods within common web servers to automatically redirect requests for reducing load. We develop and evaluate changes to the open source Apache HTTP server to automatical...
Session Fixation - The Forgotten Vulnerability?
The term 'Session Fixation vulnerability' subsumes issues in Web applications that under certain circumstances enable the adversary to perform a session hijacking attack through controlling the victim's session identifier value. We explore this vulnerability pattern. First, we give an analysis of the root causes and document existing attack vectors. Then we take steps to assess the current attac...
Security Requirements for Implementing a Secure IMS SIP Server
IMS (IP Multimedia Subsystem) network is considered an NGN (Next Generation Network) core network by ETSI. Decomposition of the IMS core network has resulted in a rapid increase of control and signaling messages, which makes security a required capability for IMS commercialization. The control messages are transmitted using SIP (Session Initiation Protocol), which is an application layer protocol. ...