WASM - A Metric for Securing a Web Application

Cited by: 0
Authors
Kumar, Rakesh [1 ]
Kaur, Gurvinder [2 ]
Affiliations
[1] Kurukshetra Univ, Dept Comp Sci & Applicat, Kurukshetra 132119, Haryana, India
[2] Guru Nanak Khalsa Inst Technol & Management Studi, Yamunanagar, Haryana, India
Keywords
Client; Network; Server; Web Security;
DOI
None
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
The Internet is a medium connecting millions of computers that share and access information all over the world. With the evolution of the web and its increased use in every aspect of life, web security has become imperative. As websites opt for commercial viability, the threat of hackers, viruses, or nuisance attacks becomes more pronounced. Organizations face several security-related challenges. If organizational information is compromised, whether through the network or by other means, it can incur a heavy cost for the company. A failure in network security can also cost the organization its goodwill and reputation. This paper identifies common threats on the web and classifies them into categories such as accidental, malicious, authorization, application, privacy, and access control threats. It also highlights the three main areas in which the web can be secured, i.e. client-side threats, server-side threats and network-side threats. The paper discusses the primary goals and objectives of security contained within the CIA triad: Confidentiality, Integrity and Availability. The different types of attackers that affect the security of the web are also depicted. The paper shows the attacks related to client-side, server-side and network-side threats. Client-side security threats are classified into Cross-Site Scripting, Cross-Site Request Forgery, Broken Authentication and Session Management, Security Misconfiguration and Failure to Restrict URL Access. Server-side security threats consist of Structured Query Language (SQL) Injection, Malicious File Execution, Insecure Direct Object Reference, Insecure Cryptographic Storage and Unvalidated Redirects and Forwards. The network threats highlighted are Denial of Service (DoS), Insufficient Transport Layer Protection, Eavesdropping, Data Modification, IP Address Spoofing, Sniffer attacks, Man-in-the-Middle Attack, Phishing, Brute force attack and TCP Session Hijacking.
The paper shows the causes of each of these attacks, and the web application metrics defined in earlier work are also reviewed. A metric named Web Application Security Metric (WASM) is proposed to make a web page secure. This metric calculates the sum of the weights of categories such as input validation, authentication, authorization, configuration management, sensitive data, session management, cryptography, parameter manipulation, exception management, and auditing and logging.
Pages: 19 / 29
Page count: 11