Existing security scoring methods are expensive to implement, lack a management orientation, and are based on 'best practice', so their meaning is only transient. This research investigates the feasibility of a web application security assessment method based on a security scoring vector (S-vector). IT administrators would use the S-vector assessment method to manage the security of their web applications. It is analogous in several respects to the R-value used for insulation. Like the R-value, it is designed to be used by non-expert decision makers. Like the R-value, the numerical score must be compared against a requirement to judge adequacy (attic insulation requirements are higher than garage door requirements). Unlike the R-value, this characterization will not be a single number but a set of numerical scores along a number of security dimensions. The proposed research will determine whether a method based on an S-vector can meet these requirements and, if so, how to identify the appropriate elements, how to estimate their values, how to compare performance against requirements, and how to structure and present the results to management. This research is being conducted in partnership with the Commonwealth of Pennsylvania.
State and local governments must manage security by allocating scarce resources to problem web applications and must demonstrate security improvement across their complete set of web applications. If successful, the S-vector approach will identify the most vulnerable web applications and indicate the nature of their weaknesses. S-vector scores will allow governments to benchmark against each other to find what works and what does not. In addition, homeland security concerns will require action, and there is an inherent tension between public web access and web application security; an S-vector offers a way to state security targets and assess the gaps against them. Finally, the product of this research may create opportunities for new high-tech businesses in security assessment.
Effective start/end date: 8/15/03 → 7/31/05
- National Science Foundation: $98,987.00