Internet security is a paramount concern for many businesses and individuals. Daily activities of such businesses and individuals may depend heavily on the use of “web based” applications. Therefore, the security of such web applications is important. Hence, web applications are tested and assessed to determine whether they are secure. However, there are fundamental problems with the current approaches to security assessment of web applications. By way of background, existing security assessments tend to be manual processes in which security analysts examine web applications. The most common approaches used to assess web application security are security penetration testing and source code security review. With the assistance of automatic scanning tools, web application security analysts are able to discover exploitable flaws in web applications and also pinpoint the defects in the source code.
However, there is no uniform or consistent standard or system by which to measure, assess or rate vulnerabilities in or threats to web applications. As a result of the lack of a uniform or consistent standard, the assessment and rating of vulnerabilities and threats vary from one security analyst to another. Similarly, the recommendations in regard to these vulnerabilities and threats also vary from one security analyst to another. For example, two different security analysts assessing the same web application may provide entirely different assessments, ratings, and recommendations for the same web application. This inconsistency in the assessment, rating and recommendations relating to vulnerabilities and threats has negative impacts on the overall value gained from the assessments.
Further, the lack of a uniform or consistent standard or system makes integration of the assessments difficult. Without uniformity, the ability to integrate the assessments with each other or with other knowledge is hampered. For example, different assessments may use different terminologies for the same vulnerability or threat or related aspect. Hence, integration would be difficult.
A further concern in the assessment of security of web based applications results from the fact that security evaluation of web based applications is complex. Detecting potential security vulnerabilities is a process that requires creativity and a thorough knowledge of the entire system, its parts and their interdependencies. Therefore, the quality of a security assessment heavily depends on security analysts' skills and experiences. However, thorough knowledge of the entire system is usually spread over many different areas of expertise. The experts in particular areas are not necessarily in contact with each other and therefore collaboration and sharing of information between different groups may be difficult.
Similarly, the experts in security evaluation are usually not the same people who design, develop and administer web applications. Therefore, a designer may design a web application without knowledge of potential security vulnerabilities. In practice, it is very common for a system's security to be compromised through a path its designer never thought of. Security analysts who test the web application may realize the potential vulnerabilities and give feedback to a designer to make particular changes. However, this process has drawbacks. First, the feedback to the web designer is isolated or “in a vacuum,” so to speak. For example, a designer may not know why he is being told to make those changes. Without knowing the reason behind the proposed changes to the design, the designer is not apt to remember or incorporate such features in a subsequent design for another web based application. This may lead to the designer designing the same flaw into the next web application. Therefore, the same process will have to be repeated in the next web application due to the same flaw. This is redundant and wasteful. Secondly, the process does not provide the designer with the ability to learn of vulnerabilities prior to designing the web application. It would be more efficient for the designer to avoid the problem in the first place. In other words, if the designer could learn of the potential vulnerabilities before designing the web application, they could avoid the vulnerability at the outset.