Abstract
Web application injection attacks such as cross-site scripting and SQL injection are common and problematic for enterprises. In order to defend against them, practitioners with large heterogeneous system architectures and limited resources struggle to understand how effective different countermeasures are under various conditions. This paper presents an enterprise architecture metamodel that enterprise decision makers can use when choosing between different countermeasures for web application injection attacks. The scope of the model is to provide low-effort guidance at an abstraction level that is useful to an enterprise decision maker. The metamodel is based on a literature review and revised according to the judgment of six domain experts identified through peer review.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Holm, H., Ekstedt, M. (2012). A Metamodel for Web Application Injection Attacks and Countermeasures. In: Aier, S., Ekstedt, M., Matthes, F., Proper, E., Sanz, J.L. (eds) Trends in Enterprise Architecture Research and Practice-Driven Research on Enterprise Transformation. PRET 2012, TEAR 2012. Lecture Notes in Business Information Processing, vol 131. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34163-2_12
DOI: https://doi.org/10.1007/978-3-642-34163-2_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34162-5
Online ISBN: 978-3-642-34163-2
eBook Packages: Computer Science (R0)