Présentation iwsm-mensura 2016
-
Upload
hela-loulouette -
Category
Software
-
view
26 -
download
2
Transcript of Présentation iwsm-mensura 2016
![Page 1: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/1.jpg)
Evaluating Security in Web Application DesignUsing Functional and Structural Size Measurements
May 1, 20231 © 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL
Hela Hakim, Asma Sellami, Hanêne Ben-AbdallahHela Hakim, Asma Sellami, Hanêne Ben-Abdallah
FSEG, University of Sfax, TunisiaFSEG, University of Sfax, TunisiaISIMS, University of Sfax, TunisiaISIMS, University of Sfax, TunisiaKing Abdulaziz University, KSAKing Abdulaziz University, KSA
![Page 2: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/2.jpg)
OutlineOutline
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 2
Introduction Background Proposed Approach Illustrative Example: “GeoNetwork” Conclusion & Perspective
![Page 3: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/3.jpg)
IntroductionIntroduction
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 3
Due to the wide spread interconnection of information system within the web, attacks can be waged anonymously and from a safe distance
Many security incidents have been reported, with potentially quite severe consequences
Security becomes an important issue of every software application, and specially security of Web applications
![Page 4: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/4.jpg)
MotivationMotivation
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 4
It is challenging to Early evaluate security (by measuring authenticity sub-characteristics ) at the design phase for developing web application
help software designers/quality engineers to detect risks of authenticity violations
help application owners (end users) to identify the degree of trust in their web applications (in case of an unauthorized access)
classify the risk of the authentication violation at the access control of authenticated users in web application
![Page 5: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/5.jpg)
PProblematicroblematic
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 5
How to evaluate the Security of Web application at early phase of the SDLC ?
How to detect the risk ofviolation of authenticity in web application at the design phase?
it is secure
this web application site?
![Page 6: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/6.jpg)
ObjectivesObjectives
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 6
Evaluating security characteristic in Web application design
Functional Size Measurement of the authenticity (as a sub-characteristic of Security) in terms of CFP units using COSMIC method
Structural Size Measurement of the authenticity sequence diagram using the structural size method
Measurement of the authenticity by combining the Functional and Structural Size measurement
Identifying/Classifying the risk of violation of authenticity in web application
![Page 7: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/7.jpg)
OutlineOutline
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 7
Introduction Background Proposed Approach Illustrative Example: “GeoNetwork” Conclusion & Perspective
![Page 8: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/8.jpg)
COSMIC - ISO 19761COSMIC - ISO 19761
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 8
COSMIC ISO 19761 Functional Measurement size method –V 4.0.1
Allow the quantification of any type of software (business, real-time, embedded,…) from user’s point of view
Independent of any quality or technical criteria Free on the web: http://cosmic-sizing.org/
![Page 9: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/9.jpg)
COSMIC - ISO 19761COSMIC - ISO 19761
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 9
Data moveme
nt = 1CFP
Functional User Requirements
(FUR)
Data movements of a data group between the functional user of the software and a COSMIC functional process allow data exchange with a functional user across a software boundary.
Each data movement is equivalent to 1 CFP. The software
functional size is computed by adding all data movements
identified for every functional process.
Data movements of a data group between the COSMIC functional process and persistent storage allow data exchange with the persistent storage hardware.
![Page 10: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/10.jpg)
Structural Size MethodStructural Size Method
May 1, 202310
The structural size measurement (SSM) is applied on the sequence diagram particularly in combined fragment alt, opt and loop to measure its structural size
![Page 11: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/11.jpg)
Structural Size MethodStructural Size Method
May 1, 202311
Each combined fragments (alt, opt and loop )has its correspondent control flow graph
The SSM of a sequence diagram is equal to the size of these control flow graph (alt, opt and loop combined fragments)
![Page 12: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/12.jpg)
Structural Size MethodStructural Size Method
May 1, 2023© Multimedia, InfoRmation Systems and Advanced Computing Laboratory - MIRACL 12
The use of SSM requires the identification of two types of data manipulation depending on the structure type in which it is defined Data manipulation represented in the flow graph of conditional
control structure (alt, opt combined fragments) Data manipulation represented in the flow graph of the
iterative control structure (loop combined fragment)
Each data manipulation is equivalent to 1 CSM (Control Structure Manipulation)
The sequence structural size is computed by adding all data manipulations identified for every control flow graph
![Page 13: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/13.jpg)
Structural Size MethodStructural Size Method
May 1, 202313
Alt combined fragments (flow graph )Conditional Control Structure
Data manipulation= 1CSM
SS= 2CSM
![Page 14: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/14.jpg)
Structural Size MethodStructural Size Method
May 1, 202314
opt combined fragments (flow graph )Conditional Control Structure
Data manipulation= 1CSM
SS= 1CSM
![Page 15: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/15.jpg)
Structural Size MethodStructural Size Method
May 1, 202315
(flow graph )Iterative Control StructureLoop combined fragment
Data manipulation= 1CSM
SS= N CSM
![Page 16: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/16.jpg)
ISO 25010 Quality ModelISO 25010 Quality Model
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 16
Characteristics
SubCharacteristics
12345
![Page 17: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/17.jpg)
Security in ISO 25010Security in ISO 25010
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 17
the identity of a subject or resource can be proved to be
the one claimed
![Page 18: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/18.jpg)
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 18
Establishment ofauthentication
rules
Number of provided
authentication protocols
Number of requiredauthentication
protocols inthe specification
Number ofauthentication rules
implemented for secure data
Number of authentication
rules required for secure data
Authentication protocols
![Page 19: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/19.jpg)
OutlineOutline
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 19
Introduction Background Proposed Approach Illustrative Example: “GeoNetwork” Conclusion & Perspective
![Page 20: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/20.jpg)
Proposed ApproachProposed Approach
![Page 21: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/21.jpg)
Proposed Approach Proposed Approach Measuring quality attribute based on the functional size and Measuring quality attribute based on the functional size and structural size of authentication in UML sequence diagram (1)structural size of authentication in UML sequence diagram (1)
May 1, 202321
Authentication protocols
![Page 22: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/22.jpg)
Proposed Approach Proposed Approach Measuring quality attribute based on the functional size and Measuring quality attribute based on the functional size and structural size of authentication in UML sequence diagram (1)structural size of authentication in UML sequence diagram (1)
May 1, 202322
![Page 23: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/23.jpg)
Proposed Approach Proposed Approach Measuring quality attribute based on the functional size and Measuring quality attribute based on the functional size and structural size of authentication in UML sequence diagram (1)structural size of authentication in UML sequence diagram (1)
May 1, 202323
![Page 24: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/24.jpg)
Quality subCharacteristic measures
Authenticity measuresQualifiers and QMEs related to the measure in ISO 25023
Qualifiers and QMEs relatedto the proposed measure based on SS and FS
AuthenticationProtocols
QM 1
Ap= Number of provided authentication protocols
Bp=Number of required authentication protocols in the specification
SSa = Structural size of the authentication sequence diagram containing alt combined diagram
Bp= Functional size of sequence diagram describing the authentication functional process
Establishment of
Authentication Rules QM2
Ar = Number of authentication rules implemented for secure data
Br= Number of authentication rules required for secure data
SSl= Structural size of the authentication sequence diagram containing loop combined diagram
Br= Functional size of sequence diagram describing the authentication functional process
Proposed Approach Proposed Approach Measuring quality attribute based on the functional size and Measuring quality attribute based on the functional size and structural size of authentication in UML sequence diagram (1)structural size of authentication in UML sequence diagram (1)
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 24
![Page 25: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/25.jpg)
Proposed ApproachProposed ApproachEvaluating Security Characteristic of Web Application (2)Evaluating Security Characteristic of Web Application (2)
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 25
![Page 26: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/26.jpg)
Proposed ApproachProposed ApproachInterpretation of the Security Characteristic Measured Values (3)Interpretation of the Security Characteristic Measured Values (3)
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 26
Measurement Results are generally between the range of values [0,1] because the SSa or SSl are always equals or lower than Bp, Br respectivelyLet:
Fp = SSa / BpFr = SSl / Br
The ratio between structural size and functional size measurements (Fp or Fr) represents the level of strength of authentication
![Page 27: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/27.jpg)
Proposed Proposed ApproachApproach Interpretation of the Security Characteristic Measured Values (3)Interpretation of the Security Characteristic Measured Values (3)
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 27
The more data movement identified in the application, the more the control structure is likely to be
Consequently, the ratio (Fp or Fr) is proportional
![Page 28: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/28.jpg)
Proposed ApproachProposed Approach Interpretation of the Security Characteristic Measured Values (3)Interpretation of the Security Characteristic Measured Values (3)
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 28
Bp is considered bigger than SSa and Br is considered bigger than SSl
If the measured value Ms is nearer or equal to the min value (the zero)
a weak authenticationis nearer or equal to the max value (the one)
a strong authenticationis in the medium (between 0 and 1; +/- 0.5)
an acceptable authentication
![Page 29: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/29.jpg)
Proposed ApproachProposed ApproachClassification of the Violation of the Authentication (4)Classification of the Violation of the Authentication (4)
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 29
“How the measured value can be explored?” Classify the risk into different categories
![Page 30: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/30.jpg)
OutlineOutline
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 30
Introduction Background Proposed Approach Illustrative Example: “GeoNetwork” Conclusion & Perspective
![Page 31: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/31.jpg)
Includes three partitions: Commuter, Ticket
vending machine, and Bank Allows a Commuter to buy a ticket for a trip
Sequence Diagram: Sequence Diagram: “GeoNetwork” “GeoNetwork”
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 31
1
Applying the COSMIC methodBp ? And Br
2Applying the Stuctural size
methodSSa and SSl
![Page 32: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/32.jpg)
Sequence Diagram: “GeoNetwork” Sequence Diagram: “GeoNetwork”
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 32
Measurement Results ( agregations)
Measurements Functions (Fp ,Fr, F)
Measurements Results
Fp = SSa / Bp Fp = 2 CSM / 13 CFP = 0.15 CSM /CFP
Fr= SSl / Br Fr = 3 CSM / 13 CFP = 0.23 CSM/CFP
F=Fp+Fr/2 0.15+0.23=0.38 CSM/CFP
![Page 33: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/33.jpg)
OutlineOutline
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 33
Introduction Background FC impact in UML-AD Illustrative Example : “GeoNetwork” Conclusion & Perspective
![Page 34: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/34.jpg)
ConclusionConclusion
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 34
Evaluating security in terms of Authenticity sub characteristic
FS SS Combination of FS and SS
Identifying and classifying the risk violation (“Secure”, “Moderate”, “Very high” )
Secure : the measured values is nearer or equal to the max value
Moderate : the measured values is in the medium Very high risk : the measured values is nearer or equal to
the min value
![Page 35: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/35.jpg)
PerspectivePerspective
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 35
Further works
Validating the proposed measure Providing an automatic tool to help
designers/quality assurance in making appropriate decisions related to the security of their web application
![Page 36: Présentation iwsm-mensura 2016](https://reader035.fdocument.pub/reader035/viewer/2022062400/58a19aae1a28ab97118b6651/html5/thumbnails/36.jpg)
Thank you!Thank you!
May 1, 2023© 2016 “Multimedia, InfoRmation Systems and Advanced Computing Laboratory” - MIRACL 36
Hela Hakim
Asma Sellami&
Hanêne Ben-Abdallah
e-mail:[email protected]
[email protected]@kau.edu.sa