Similar literature
20 similar documents found (search time 31 ms)
1.
Transformation from conventional business management systems to smart digital systems is a recurrent trend in the current era. This has led to a digital revolution, and in this context, the hardwired technologies in the software industry play a significant role. However, from the beginning, software security remains a serious issue for all levels of stakeholders. Software vulnerabilities lead to intrusions that cause data breaches and result in disclosure of sensitive data, compromising the organizations’ reputation, which translates into financial losses as well. Most of the data breaches are financially motivated, especially in the healthcare sector. The cyber invaders continuously penetrate E-Health data because of the high price of the data on the dark web. Therefore, security assessment of healthcare web-based applications demands immediate intervention mechanisms to weed out the threats of cyber-attacks. The aim of this work is to provide efficient and effective healthcare web application security assessment. The study has worked with the hybrid computational model of Multi-Criteria Decision Making (MCDM) based on Analytical Hierarchy Process (AHP) and Technique for Order of Preference by Similarity to Ideal-Solutions (TOPSIS) under the Hesitant Fuzzy (HF) environment. Hesitant fuzzy sets provide effective solutions to address decision making problems where experts encounter hesitation in making a decision. The proposed research endeavor will support designers and developers in identifying, selecting and prioritizing the best security attributes for web applications’ development. The empirical analysis concludes that Robustness got the highest priority amongst the assessed security attributes set, followed by Encryption, Authentication, Limit Access, Revoke Access, Data Validation, and Maintain Audit Trail.
The results of this research endeavor depict that this proposed computational procedure would be the most conversant mechanism for determining web application security. The study also establishes guidelines which developers can refer to for the identification and prioritization of security attributes to build more secure and trustworthy web-based applications.

2.
The advanced technological need, exacerbated by flexible time constraints, leads to several more unexplored design-level vulnerabilities. Security is an extremely vital component in software development; we must take charge of security, and therefore analysis of software security risk assumes utmost significance. In order to handle the cyber-security risk of the web application and protect individuals, information and properties effectively, one must consider what needs to be secured, what the perceived threats are, and the protection of assets. Security preparation plans, implements, tracks, updates and consistently develops safety risk management activities. Risk management must be interpreted as the major component for tackling security efficiently. In particular, during application development, security is considered as an add-on but not the main issue. It is important for researchers to stress the consideration of protection right from the earlier developmental stages of the software. This approach will help in designing software which can itself combat threats and does not depend on external security programs. Therefore, it is essential to evaluate the impact of security risks during software design. In this paper the researchers have used the hybrid Fuzzy AHP-TOPSIS method to evaluate the risks for improving security durability of different Institutional Web Applications. In addition, the e-component of security risk is measured on software durability, and vice versa. The paper’s findings will prove to be valuable for enhancing the security durability of different web applications.

3.
Security is an important component in the process of developing healthcare web applications. We need to ensure security maintenance; therefore the analysis of a healthcare web application's security risk is of utmost importance. Properties must be considered to minimise the security risk. Additionally, security risk management activities are revised, prepared, implemented, tracked, and regularly set up efficiently to design the security of healthcare web applications. Managing the security risk of a healthcare web application must be considered as the key component. Security is, in specific, seen as an add-on during the development process of healthcare web applications, but not as the key problem. Researchers must ensure that security is taken into account right from the earlier developmental stages of the healthcare web application. In this vein, the authors of this study have used the hesitant fuzzy-based AHP-TOPSIS technique to estimate the risks of various healthcare web applications for improving security-durability. This approach would help to design and incorporate security features in healthcare web applications that would be able to battle threats on their own, and not depend solely on the external security of healthcare web applications. Furthermore, in terms of a healthcare web application's security-durability, the security risk variable is measured, and vice versa. Hence, the findings of our study will also be useful in improving the durability of several web applications in healthcare.

4.
Design architecture is the edifice that strengthens the functionalities as well as the security of web applications. In order to facilitate architectural security from the web application’s design phase itself, practitioners are now adopting the novel mechanism of security tactics. With the intent to conduct research from the perspective of security tactics, the present study employs a hybrid multi-criteria decision-making approach named fuzzy analytic hierarchy process-technique for order preference by similarity to ideal solution (AHP-TOPSIS) for selecting and assessing multi-criteria decisions. The adopted methodology is a blend of fuzzy analytic hierarchy process (fuzzy AHP) and fuzzy technique for order preference by similarity to ideal solution (fuzzy TOPSIS). To establish the efficacy of this methodology, the results obtained after the evaluation have been tested on fifteen different web application projects (Online Quiz competition, Entrance Test, and others) of the Babasaheb Bhimrao Ambedkar University, Lucknow, India. The tabulated outcomes demonstrate that the methodology of the Multi-Level Fuzzy Hybrid system is highly effective in providing accurate estimation for strengthening the security of web applications. The proposed study will help experts and developers in developing and managing security from any web application's design phase for better accuracy and higher security.

5.
Usability and security are often considered contradictory in nature. One has a negative impact on the other. In order to satisfy the needs of users from the security perspective, the relationship and trade-offs between security and usability must be distinguished. Security practitioners are working on developing new approaches that would help to secure healthcare web applications as well as increase the usability of the web applications. In the same league, the present research endeavour is premised on the usable-security of healthcare web applications. For a compatible blend of usability and security that would fulfill the users’ requirements, this research proposes an integration of the Fuzzy AHP-TOPSIS method for assessing usable-security of healthcare web applications. Since estimating security-usability accurately is also a decision making problem, the study employs Multiple Criteria Decision Analysis (MCDA) for selecting the most decisive attributes of usability as well as security. Furthermore, this study also pinpoints the highest priority attributes that can strengthen the usable-security of healthcare web applications. The effectiveness of the suggested method has been tested on the healthcare web applications of local hospitals in Mecca, Saudi Arabia. The results corroborate that Fuzzy AHP-TOPSIS is indeed a reliable technique that will help developers to design healthcare web applications that deliver optimum usable-security.

6.
The need for information security is self-evident. The pervasiveness of this critical topic requires primarily risk assessment and management through quantitative means. To do an assessment, repeated security probes, surveys, and input data measurements must be taken and verified toward the goal of risk mitigation. One can evaluate risk using a probabilistically accurate statistical estimation scheme in a quantitative security meter (SM) model that mimics the events of the breach of security. An empirical study is presented and verified by discrete-event and Monte Carlo simulations. The design improves as more data are collected and updated. Practical aspects of the SM are presented with a real-world example and a risk-management scenario.

7.
As permissioned blockchain becomes a common foundation of blockchain-based environments for current organizations, related stakeholders need a means to assess the trustworthiness of the applications involved within. It is extremely important to consider the potential impact brought by blockchain technology in terms of security and privacy. Therefore, this study proposes a rigorous security risk management framework for permissioned blockchain-enabled applications. The framework divides itself into different implementation domains, i.e., organization security, application security, consensus mechanism security, node management and network security, host security and perimeter security, and simultaneously provides guidelines to control the security risks of permissioned blockchain applications with respect to these security domains. In addition, a case study, including security testing and risk evaluation on each layer of the stack of a specific organization, is demonstrated as an implementation instruction of our proposed risk management framework. To the best of our knowledge, this study is one of the pioneering research efforts that provide a means to evaluate the security risks of permissioned blockchain applications from a holistic point of view. If users can trust the applications that adopted this framework, this study can contribute to the adoption of permissioned blockchain-enabled technologies. Furthermore, application providers can use the framework to perform gap analysis on their existing systems and controls and understand the risks of their applications.

8.
A data breach can seriously impact organizational intellectual property, resources, time, and product value. The risk of system intrusion is augmented by the intrinsic openness of commonly utilized technologies like the TCP/IP protocols. As TCP relies on IP addresses, an attacker may easily trace the IP address of the organization. Given that many organizations run the risk of data breach and cyber-attacks at a certain point, a repeatable and well-developed incident response framework is critical to shield them. Enterprise cloud possesses the challenges of security, lack of transparency, trust and loss of controls. Technology eases and quickens the processing of information but holds numerous risks including hacking and confidentiality problems. The risk increases when the organization outsources cloud storage services through a vendor, suffers from security breaches, and needs to create security systems to prevent data networks from being compromised. The business model also leads to insecurity issues which derail its popularity. An attack mitigation system is the best solution to protect online services from emerging cyber-attacks. This research focuses on cloud computing security, cyber threats, machine learning-based attack detection, and a mitigation system. The proposed SDN-based multilayer machine learning-based self-defense system effectively detects and mitigates cyber-attacks and protects cloud-based enterprise solutions. The results show the accuracy of the proposed machine learning techniques and the effectiveness of the attack detection and mitigation system.

9.
The risk assessment system has been applied to the information security, energy, medical and other industries. Through the risk assessment system, it is possible to quantify the possibility of the impact or loss caused by an event before or after the event, thereby avoiding the risk or reducing the loss. However, the existing risk assessment system architecture is mostly a centralized architecture, which could lead to problems such as data leakage, tampering, and central cheating. Combining this with blockchain technology, which has the characteristics of decentralization, security and credibility, collective maintenance, and tamper-resistance, this paper proposes a new blockchain-based risk assessment system architecture and a consensus mechanism algorithm based on an improvement of DPOS. This architecture uses the improved consensus mechanism to achieve a safe and efficient risk assessment, solving the problem of data tampering in the risk assessment process and avoiding data leakage caused by improper data storage. A convenient, safe and fast risk assessment is achieved in conjunction with the improved consensus mechanism. In addition, by comparison with existing risk assessment architectures, the advantages and impacts of the new blockchain-based risk assessment system architecture are analyzed.

10.
Analysing the risk of today’s complex systems is challenging due to the complex and dynamic nature of these systems. The current risk analysis tools are not able to take the complex interactions among risks into account and therefore cannot predict the behaviour of risks accurately. In an attempt to overcome this shortcoming, this paper proposes an integrated generalised decision support tool using fuzzy cognitive maps for dynamic risk assessment of complex systems. The proposed approach has the ability to prioritise risk factors and, more importantly, to predict and analyse the influences of each individual risk factor or risk set on the other risks or on the outcomes of complex and critical systems, by taking into account the probability of occurrence and consequences of risks and also considering the complex dependencies between risk factors. These features could provide practitioners with realistic results in critical industries and enable them to manage risks more efficiently.

11.
Objective: Based on fuzzy analytic hierarchy process theory, this paper analyses the main risk factors causing runway incursions from the four dimensions of "human, environment and management", performs single-level ranking using a basic ranking method, and finally obtains a hazard ranking of all risk factors, so as to propose corresponding measures for safe runway operation. Methods: First, a triangular fuzzy complementary judgement matrix with one criterion layer and four indicator layers was constructed; second, the fuzzy analytic hierarchy process was used to conduct a preliminary analysis of the main factors causing runway incursions, overcoming the drawback that the consistency check of the judgement matrix in the analytic hierarchy process is rather cumbersome and hard to operate; finally, the described triangular fuzzy number ranking method was used to produce an overall hazard ranking of the 20 runway incursion risk factors. Results: This paper obtains an importance ranking of 7 risk factors affecting the safety level of runway operation, which is basically consistent with actual operating conditions. Conclusion: The method proposed in this paper can evaluate the hazard level of runway incursion risk factors well; based on the evaluation results, targeted risk control measures to reduce and prevent runway incursions can be proposed, and the method has a certain practicality.

12.
Over the last decade, a significant increase has been observed in the use of web-based information systems that process sensitive information, e.g., personal, financial, medical. With this increased use, the security of such systems became a crucial aspect to ensure the safety, integrity and authenticity of the data. To achieve the objectives of data safety, security testing is performed. However, with the growth and diversity of information systems, it is challenging to apply security testing to each and every system. Therefore, it is important to classify the assets based on their required level of security using an appropriate technique. In this paper, we propose an asset security classification technique to classify the System Under Test (SUT) based on various factors such as system exposure, data criticality and security requirements. We perform an extensive evaluation of our technique on a sample of 451 information systems. Further, we use security testing on a sample extracted from the resulting prioritized systems to investigate the presence of vulnerabilities. Our technique achieved promising results in successfully assigning security levels to various assets in the tested environments and also found several vulnerabilities in them.

13.
Incidence and mortality risks of radiation-associated leukaemia are surveyed in the Japanese atomic bomb (A-bomb) survivors exposed in early childhood and in utero. Leukaemia incidence and mortality risks are also surveyed in 16 other studies of persons who received appreciable doses of ionizing radiation in the course of treatment in childhood and for whom there is adequate dosimetry and cancer incidence or mortality follow-up. Relative risks tend to be lower in the medical series than in the Japanese A-bomb survivors. The relative risks in the medical studies tend to diminish with increasing average therapy dose. After taking account of cell sterilisation and dose fractionation, the apparent differences between the relative risks for leukaemia in the Japanese A-bomb survivors and in the medical series largely disappear. This suggests that cell sterilisation largely accounts for the discrepancy between the relative risks in the Japanese data and the medical studies. Excess absolute risk has also been assessed in four studies, and there is found to be more variability in this measure than in excess relative risk. In particular, there is a substantial difference between the absolute risk in the Japanese atomic bomb survivor data and those in three other (European) populations. In summary, the relative risks of leukaemia in studies of persons exposed to appreciable doses of ionizing radiation in the course of treatment for a variety of malignant and non-malignant conditions in childhood are generally less than those in the Japanese A-bomb survivor data. The effects of cell sterilisation can largely explain the discrepancy between the Japanese and the medical series.

14.
A design methodology is proposed for a web-based collaborative system applicable to styling processes in the distributed environment. By using the developed system, design reviewers of new products are able to confirm geometric shapes, inspect dimensional information of products through measured point data and exchange views with other design reviewers on the internet. Functional requirements for the design of this web-based dimensional verification system are suggested. ActiveX-server architecture and OpenGL plug-in methods using ActiveX controls realize the proposed system. Visualization and dimensional inspection of the measured point data are conducted directly on the web; conversion of point data into a CAD file or VRML form is not required in the styling process. Dimensional verification results and design modification ideas are uploaded through markups and/or XML files during the collaboration processes. The XML files, allowing information sharing on the web, are independent of the platform. It is possible to diversify the information sharing capability among design collaborators. The validity and effectiveness of the developed system are confirmed by case studies.

15.
To detect security vulnerabilities in a web application, the security analyst must choose the best-performing Security Analysis Static Tool (SAST) in terms of discovering the greatest number of security vulnerabilities possible. To compare static analysis tools for web applications, a benchmark adapted to the vulnerability categories included in the well-known Open Web Application Security Project (OWASP) Top Ten project is required. Information on the security effectiveness of a commercial static analysis tool is not usually publicly accessible, and the state of the art on static security analyzers shows that the different design and implementation of those tools yields different effectiveness rates in terms of security performance. Given the significant cost of commercial tools, this paper studies the performance of seven static tools using a newly proposed methodology and a new benchmark designed for the vulnerability categories included in the OWASP Top Ten project. Thus, practitioners will have more precise information to select the best tool using a benchmark adapted to the latest versions of the OWASP Top Ten project. The results of this work have been obtained using widely accepted metrics to classify the tools according to three different degrees of web application criticality.

16.
The assessment of risks to the aquatic environment related to industrial installations is a priority in environmental pollution control in the Netherlands. Major accidents affecting surface water such as the Sandoz incident, but also the high number of smaller accidents that occur every year, have invoked the need for an effective method to assess these risks. Two different models have been used in this field in the Netherlands over several years. These two software applications, VERIS and RISAM, were developed from two different perspectives: VERIS from the perspective of supplying major-accident-related information in the safety report, RISAM from the perspective of controlling risks for both smaller and larger facilities that may pollute surface waters through accidents. Both systems comprised particular strong points: VERIS considers safety management aspects in the assessment, RISAM considers differences in surface water vulnerability and involves quantitative probabilities in the assessment. It was decided to integrate both methods and maintain these strong points in the resulting method. This paper describes the new integrated risk assessment method that has now been developed in a concerted effort between the Ministry of Transport, Public Works and Water Management, the Ministry of Housing, Spatial Planning and Environment, and the National Institute for Public Health and Environment. It also describes the essential elements of the computer program PROTEUS that is based on the new method and that makes the assessment of aquatic risks for industrial activities an easy task, partly due to the automatic generation of the assessment report.

17.
Sandia National Laboratories, under the direction of the Office of Science and Technology, National Institute of Justice, conducted the chemical facility vulnerability assessment (CFVA) project. The primary objective of this project was to develop, test and validate a vulnerability assessment methodology (VAM) for determining the security of chemical facilities against terrorist or criminal attacks (VAM-CF). The project also included a report to the Department of Justice for Congress that, in addition to describing the VAM-CF, also addressed general observations related to security practices, threats and risks at chemical facilities and in chemical transport. In the development of the VAM-CF, Sandia leveraged the experience gained from the use and development of VAs in other areas and the input from the chemical industry and Federal agencies. The VAM-CF is a systematic, risk-based approach where risk is a function of the severity of consequences of an undesired event, the attack potential, and the likelihood of adversary success in causing the undesired event. For the purpose of the VAM-CF analyses, Risk is a function of S, L(A), and L(AS), where S is the severity of consequence of an event, L(A) is the attack potential and L(AS) is the likelihood of adversary success in causing a catastrophic event. The VAM-CF consists of 13 basic steps. It involves an initial screening step, which helps to identify and prioritize facilities for further analysis. This step is similar to the prioritization approach developed by the American Chemistry Council (ACC). Other steps help to determine the components of the risk equation and ultimately the risk. The VAM-CF process involves identifying the hazardous chemicals and processes at a chemical facility. It helps chemical facilities to focus their attention on the most critical areas. The VAM-CF is not a quantitative analysis but, rather, compares relative security risks.
If the risks are deemed too high, recommendations are developed for measures to reduce the risk. This paper will briefly discuss the CFVA project and the VAM-CF process.

18.
Following the 9/11 terrorist attacks in New York, a strong economic effort was made to improve and adapt aviation security, both in infrastructures and in airplanes. National and international guidelines were promptly developed with the objective of creating a security management system able to supervise the identification of risks and the definition and optimization of control measures. Risk assessment techniques are thus crucial in the above process, since an incorrect risk identification and quantification can strongly affect both the security level and the investments needed to reach it. The paper proposes a set of methodologies to qualitatively and quantitatively assess the risk in the security of civil aviation, and a risk assessment process based on the threat, criticality and vulnerability concepts, highlighting their correlation in determining the level of risk. RAMS techniques are applied to the airport security system in order to analyze the protection equipment for critical facilities located air-side, allowing also the estimation of the importance of the security-improving measures vs. their effectiveness.

19.
This paper is focused on the design and development of an architecture that is able to provide a remote segmentation service to various kinds of images or applications. The system exploits the functionalities offered by the already existing desktop application Isocontour by extending its capabilities toward a client-server environment. In order to achieve this goal, the original Isocontour code has been decomposed into independent modules for processing, storing, and representing purposes. By using the created server components, a web application has been developed to demonstrate how to make the fuzzy image-segmentation service highly available through the Internet. Furthermore, by exploiting the same architecture seen for the Isocontour algorithm, a remote content-based retrieval service for image databases was implemented in order to show the adaptability of this web-based system. Performance evaluation in terms of processing times with different image sizes has been performed in order to compare the web-based solution with the stand-alone one and to prove the reliability of the proposed system.

20.
Securing web applications from Man-In-The-Middle (MITM) and phishing attacks is a challenging task nowadays. For this purpose, the authentication protocol plays a vital role in web communication, securely transferring data from one party to another. This authentication works via OpenID, Kerberos, password authentication protocols, etc. However, there are still some limitations present in the reported security protocols. In this paper, the presented strategy secures against both Web-based attacks by leveraging encoded emails and a novel password form pattern method. The proposed OpenID-based encrypted Email’s Authentication, Authorization, and Accounting (EAAA) protocol ensures security by relying on the email's authenticity and a Special Secret Encrypted Alphanumeric String (SSEAS). This string is deployed on both the relying party and the email server, and is unique and trustworthy. The first authentication, OpenID Uniform Resource Locator (URL) identity, is performed on the identity provider side. A second authentication is carried out on the hidden Email server side, which issues a third authentication link. This third Email SSEAS authentication link is managed on the relying party (RP). Compared to existing cryptographic single sign-on protocols, the EAAA protocol ensures that an OpenID URL’s identity is secured from MITM and phishing attacks. This study manages two attacks, MITM and phishing attacks, and gives a 339 ms response time, which is higher than the already reported methods, such as Single Sign-On (SSO) and OpenID. The experimental sites were examined by 72 information technology (IT) specialists, who found that 88.89% of respondents successfully validated the user authorization provided to them via Email. The proposed EAAA protocol minimizes the higher-level risk of MITM and phishing attacks in an OpenID-based environment.
