Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Quantifying the attack surface of a web application

: Heumann, T.; Keller, J.; Türpe, S.

Postprint urn:nbn:de:0011-n-1426245 (189 KByte PDF)
MD5 Fingerprint: 91d3a7c7871408c36346c8a9c696227d
Created on: 14.10.2010

Freiling, F.C. ; Gesellschaft für Informatik -GI-, Fachbereich Sicherheit:
Sicherheit 2010. Sicherheit, Schutz und Zuverlässigkeit : Konferenzband der 5. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e. V. (GI), 5.-7. Oktober 2010 in Berlin
Bonn: GI, 2010 (GI-Edition. Proceedings 170)
ISBN: 978-3-88579-264-2
Gesellschaft für Informatik, Fachbereich Sicherheit (Jahrestagung) <5, 2010, Berlin>
Conference Paper, Electronic Publication
Fraunhofer SIT ()
security metric; vulnerability; application security; security evaluation

The attack surface of a system represents the exposure of application ob- jects to attackers and is affected primarily by architecture and design decisions. Given otherwise consistent conditions, reducing the attack surface of a system or an application is expected to reduce its overall vulnerability. So far, only systems have been considered but not single applications. As web applications provide a large set of applications built upon a common set of concepts and technologies, we choose them as an example, and provide qualitative and quantitative indicators. We propose a multidimensional metric for the attack surface of web applications, and discuss the rationale behind. Our metric is easy to use. It comprises both a scalar numeric indicator for easy comparison and a more detailed vector representation for deeper analysis. The metric can be used to guide security testing and development. We validate the applicability and suitability of the metric with popular web applications, of which knowledge about their vulnerability already exists.