JIS Vol. 4 No. 3, July 2013
Web Security and Log Management: An Application Centric Perspective
ABSTRACT

The World Wide Web has long been an environment with many security threats and numerous reported breaches. Various tools and techniques have been applied to curb the problem, yet new attacks continue to plague the Internet. We discuss the risks that affect web applications and explain how network-centric and host-centric techniques, crucial as they are in an enterprise, lack the depth needed to analyze overall application security comprehensively: they observe packets and hosts, not the application's own users, actions and data. Because a web application typically spans several servers, a further dimension of security requirement arises, one that calls for a holistic approach protecting the information asset regardless of the physical or logical separation of its modules and tiers. We therefore classify security mechanisms as either infrastructure-centric or application-centric, according to the asset being secured, and we then describe requirements for such application-centric security mechanisms.
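The following is an added illustration of the abstract's point, not code from the paper: a minimal simulation of a two-tier web application (web tier and database tier) in which each request carries a correlation id that both tiers record. A host-centric log of the database tier only ever sees the application's pooled service account, whereas an application-centric audit trail joined on the correlation id can attribute a database change to the application user who caused it, and flags direct database access that bypassed the application as unattributed. All user names, table contents, field names and log lines are constructed for this example.

```python
"""Application-centric audit trail spanning web and database tiers.

Added example (not from the paper). Each request gets a correlation id
that is written by the web tier (with the application user) and by the
database tier (with the OS/service account the host sees). Joining the
two tiers on that id answers "which application user changed record X?",
which neither tier's host-centric log can answer on its own.
"""
import json
import uuid
from dataclasses import dataclass, field

# Constructed name for the pooled account every application connection uses.
DB_SERVICE_ACCOUNT = "app_svc"


@dataclass
class AuditLog:
    """Append-only list of JSON log lines (stands in for a log file)."""
    lines: list = field(default_factory=list)

    def write(self, **fields):
        self.lines.append(json.dumps(fields, sort_keys=True))

    def events(self):
        return [json.loads(line) for line in self.lines]


class DbTier:
    """Database tier: executes an action and logs it with the service
    account (what the host sees) plus the correlation id passed down
    by the application (what makes attribution possible)."""

    def __init__(self, db_log):
        self.db_log = db_log
        self.rows = {1: "invoice-1", 2: "invoice-2", 3: "invoice-3"}

    def execute(self, request_id, action, record_id):
        if action == "delete":
            self.rows.pop(record_id, None)
        self.db_log.write(tier="db", request_id=request_id,
                          os_user=DB_SERVICE_ACCOUNT,
                          action=action, record_id=record_id)


class WebTier:
    """Web tier: authenticates the application user, mints the
    correlation id and records user, action and target before
    calling into the database tier."""

    def __init__(self, app_log, db):
        self.app_log = app_log
        self.db = db

    def handle(self, app_user, action, record_id):
        request_id = str(uuid.uuid4())
        self.app_log.write(tier="web", request_id=request_id,
                           app_user=app_user, action=action,
                           record_id=record_id)
        self.db.execute(request_id, action, record_id)
        return request_id


def host_centric_view(db_log, record_id, action="delete"):
    """What the database host's log alone yields for a change:
    only the shared service account, never the end user."""
    return [ev["os_user"] for ev in db_log.events()
            if ev["action"] == action and ev["record_id"] == record_id]


def attribute_change(app_log, db_log, record_id, action="delete"):
    """Application-centric view: join db events to web events on
    request_id. A db event with no matching application request
    (e.g. someone connecting to the database directly) is reported
    as '<unattributed>' rather than silently dropped."""
    user_by_request = {ev["request_id"]: ev["app_user"]
                       for ev in app_log.events()}
    return [user_by_request.get(ev["request_id"], "<unattributed>")
            for ev in db_log.events()
            if ev["action"] == action and ev["record_id"] == record_id]


def demo():
    """Run a few constructed requests plus one direct database access."""
    app_log, db_log = AuditLog(), AuditLog()
    db = DbTier(db_log)
    web = WebTier(app_log, db)
    web.handle("alice", "read", 1)
    web.handle("bob", "delete", 2)
    # Direct access that bypassed the application: no web-tier event exists.
    db.execute(None, "delete", 3)
    return app_log, db_log


if __name__ == "__main__":
    app_log, db_log = demo()
    print("host-centric:", host_centric_view(db_log, 2))
    print("application-centric:", attribute_change(app_log, db_log, 2))
    print("bypassed the app:", attribute_change(app_log, db_log, 3))
```

In a real deployment the correlation id would travel to the database as a session variable or a SQL comment and be captured by the database's own audit facility; the point of the example is that attribution across tiers requires the application to emit the identity the infrastructure never sees.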


Cite this paper
A. Kahonge, W. Okello-Odongo, E. Miriti and E. Abade, "Web Security and Log Management: An Application Centric Perspective," Journal of Information Security, Vol. 4 No. 3, 2013, pp. 138-143. doi: 10.4236/jis.2013.43016.