1. Introduction
There have been reports of a high rate of web application vulnerability, as well as of the range of ways in which attackers target web applications. Since it became clear that web applications deliver the richest content to users, there have been attempts to find ways of breaking into these systems through defacement, damage and fraud. As the culture of conveying information across the internet continues to gain ground, there are increasing cases of these sites being vulnerable to cyber criminals.
It has also been found that a large number of businesses use web sites to deliver messages to their customers, to communicate with them and to sell products to them. They may also need to deploy technologies designed to handle the various functions of a web site. Content management systems such as Joomla and Drupal are helpful in building robust web sites that present products or services and related content. For blogs, businesses use applications such as WordPress, or forums built on phpBB, which take user-generated content from visitors and let customers communicate through comments and discussions. Other web applications such as Magento are frequently used in e-commerce by both large and small businesses that carry out their transactions directly on the web. A number of proprietary applications are also in use on web sites, and this calls for making web applications a top priority for small and large site owners alike.
There is also a need to analyze the competence of web application software by carrying out an online test development, administration and grading process, which enables a web site to run online tests of its web application software so that its functionality and reliability become known. This also involves developing the web site to incorporate more information, such as news and papers, and an interface that allows papers to be added and deleted. It can also be used to learn which competencies exist in a web application, and to show the web site owner's mastery of competencies in the domains of leadership, communication strength, reasoning and the ability to solve problems effectively. In information technology (IT), the domains in which competencies may be determined include software, networks, IT management, security and databases.
This paper explains the procedure of using a capstone matrix to determine the competency of a web application, and also recommends the precautions needed to ensure that a web application is not hacked into by unauthorized users.
This paper also tries to explain how hack-resilient applications can be built. Such an application meets certain requirements of the capstone matrix by reducing the possibility of attack and ensuring that damage does not occur. It runs on a host server in a network that has likewise been developed using designs and procedures that cannot be hacked. This paper explains that an application needs to be secured by making sure that input is validated, access is authenticated and authorized, and data is handled as sensitive. Using the capstone competency matrix shows the competency of the application and the likelihood of its being hacked into by unauthorized users. This allows for remedial actions such as securing the network, securing the host and securing the application.
The results of the capstone matrix are also important in determining the level of security in the three physical tiers, i.e. the web server, the remote application server and the database server. The competence matrix gives information about the security measures found in the host network and about the level of application vulnerability, which can be used to structure application arrangements for security purposes.
I. Literature review
As the number of web applications in use increases, so does the number of security risks associated with them. Web application security is currently a concern everywhere, and there is a need to determine how competent a web application is against certain threats, such as hacking, and how well it secures information. Web applications have a number of technical and business uses.
a. Areas of application of web applications
a) Merging of the network and application levels
In earlier days, vulnerability detection focused mainly on the network or on the operating system of a hardware component. It involved traditional manual penetration testing as well as automated testing with security tools. Current trends focus on the need to scan for the competency of a network as well as the vulnerability of an application. Interest has now turned to combining the abilities of network scanners with the tool kits used in the web application security space. The purpose of merging network and application competency analysis is to take the information found at one level and use the same approach to determine the competency of the next level. Another area that has attracted interest in vulnerability testing is network management consoles. Present consoles are geared towards collecting data from network devices such as firewalls, and the focus is on incorporating output from a number of tools, such as firewalls. However, integration with patch management methods is unlikely to take place; consoles are, though, able to attach patch management solutions to the data that conveys information about the existence of problems. The challenge is that a number of web applications are proprietary and are therefore known only to certain customers and departments within a large organization.
b) QA testing and developer awareness
In earlier days, quality assurance teams did not work in partnership with the information security workforce; however, this culture is changing. For instance, Mercury Interactive, a vendor of automated testing tools, proposed entering into partnership with some of the most successful application security testing companies, to provide a reliable solution combining Mercury's testing products with the applications used to determine the vulnerability of tools.
QA testing is also expected to move from basic functional testing to compliance testing, including compliance with certain federal privacy laws. Such tests could also be used to determine which web pages are unlikely to refer to the page's privacy information, or which pages are likely to leak information from the site's form data. It is also expected that developers will benefit from the wide range of web application vulnerability detection tools currently being developed. The purpose of these detection tools is to track down defective or insecure lines of code that might be sources of vulnerabilities, and this is expected to take place during the development process, for instance while the code is being written. A number of vendors have developed tools that improve code security, although sales of these tools have so far been low. Furthermore, many of these code scanning tools are unable to provide complete awareness of an application and focus only on specific modules of code. This is likely to result in more complex problems, such as those between a UI module and a database module, although scanners have been used successfully for the same purpose. It is also expected that there will be integration with bug tracking systems, so that developers need only follow their existing defect tracking process and can treat a vulnerability correction as an ordinary functional defect in their code.
c) Attack detection sophistication increases
There have been tremendous improvements in web application vulnerability detection technology. Tools have gone beyond the normal buffer overflow attacks and have detection abilities that can be attained with only a few strings. These tools are mainly geared towards online detection. XSS attack detection methods are currently shifting from the conventional inline string injection method to a multi-faceted attack and detection process that requires state to persist. Other areas that have not yet been tackled include handling a large amount of information from the web application, and user information that must be kept and referenced accurately without false data.
For instance, a number of large financial institutions had problems with cross-frame scripting (XSS), an example of a phishing attack that affects a frame in a web page.
There has also been increasing focus on web services. Despite their slow adoption by the masses, a number of users own sites and web applications that depend on web services and need to know how competent those web services are. For instance, vendors in this area have used simple detection methods such as XML-based detection and applied common web competency checks to non-XML applications.
b. Some of the threats and countermeasures
This part of the article explains some of the threats that are likely to be faced at the network, host or application layers. It determines how a web application can be regarded as competent enough to withstand threats that hinder its operation.
When security features have been incorporated into the application design, the implementation helps in understanding the manner in which attackers would try to hack into the application.
Designing a secure web application
c. Building secure web applications
d. Assessing your security
II. Rationale and systems analysis for the project
At this stage of assessing the competency of web application software, a number of considerations have been identified. They are explained in this section.
a. Access control
The paper explains that there is a need to determine a criterion for mandatory data access control, to understand the different factors that can help in implementing access control, and to come up with a better access control plan. The paper also explains that the access control plan must be implemented and managed in compliance with the principles that govern access control systems, which should be well known. It is also important to identify other access control measures, such as ID cards, and to gain proper knowledge of the warning banners used in implementing access rules.
b. Social engineering, phishing and identity theft
There is also a need to understand a number of social engineering concepts and their role in insider attacks, and to come up with better practices that can hinder social engineering. There is also a need to develop plans that prevent phishing attacks.
c. Physical security
It has also been found that there is a need to determine the standards, directives, processes and policies that guarantee the physical safety of web application software. There is also a need to appreciate the importance of the web application software and the impact it is likely to have.
This paper also indicates that we need to design, apply and manage organized and coordinated physical security measures that ensure the total safety of web application software. We also need to determine objectives that ensure the personnel in charge of the web applications are themselves secure, in order to attain the overall objective of making the entire organization secure. There is also a need for a method of determining the physical security level, so that corrective measures can be put in place.
d. Risk management
There is a need to determine the risks and the risk management processes, and to understand the level of acceptable risk, so that hacking into the web application system stays within a level that cannot harm the web site owner. We also need to identify the resource requirements for risk management, to ensure that the web application is well managed and that a lack of resources is dealt with.
There is also a need for a systematic risk measurement process, based on consultation with IT experts and on IT risk management processes that comply with the relevant standards and procedures, to ensure that the organizational goals and objectives are pursued. In order to ensure total avoidance of risk, we need to know the level of relationship between the incident response group and other groups both within and outside the organization, for instance between the legal department and law enforcement agencies, as well as public relations officers.
We also need to identify the areas from which risks to our web application system are likely to come, and continuously update our web application security settings. We also need to determine the policies that guide risk management, and update risk management programs according to the likelihood of threats in the environment and according to the goals and objectives of the organization.