Cost Effective Auditing of Web Applications and Networks in Small, Medium Business Enterprises

Shalu, Department of Computer Science and Engineering, Graphic Era University, Dehradun, India
Mrs. Neha Garg, Department of Computer Science and Engineering, Graphic Era University, Dehradun, India




                                          ABSTRACT
Small and Medium Businesses (SMBs) do not have the personnel or resources available to larger
organizations: SMBs have to do more with less. Because of these constraints, SMBs need to focus
on the issues that represent the highest risk to their businesses. This report reviews web
application vulnerabilities such as SQL injection and Cross-Site Scripting (XSS) that represent the
most risk and explains why the impact of these vulnerabilities is so great. It also reviews options
for identifying these vulnerabilities and common approaches to addressing them. With this
information SMBs can obtain the most risk reduction at the lowest cost possible.
Small and medium sized businesses may need to adapt their web application security strategy to
focus on those aspects that make the best use of their time, budget and resources.

Many tools are available for web application testing. Sahi, the tool showcased in this report, is a
tool for automating web application testing. It also allows the tester to be exact when needed, which
makes it suitable for most web applications, and it still works with older scripts. It therefore fits
the auditing requirements of SMBs.

The Information Security Management System (ISMS) standards of the ISO/IEC 27000 family are known
colloquially as "ISO27k" and are discussed at ISO27001security.com. The primary aim of the ISO27k
ISMS auditing guideline is to contribute to the development of the new standard ISO/IEC 27007 by
capturing the experience of ISMS implementers and IT/ISMS auditors. A secondary aim is to provide a
pragmatic and useful guideline for those involved in auditing ISMSs.

The ISMS standard is preferred for auditing the network environment because it provides a
recognised, ISO-specified set of practices against which the environment can be checked efficiently.

By using a range of open source tools in an integrated environment, as discussed in this project,
SMBs can cover most of the activities an auditor performs before an audit.

A large range of the tasks that form the first three phases can be covered by the proposed integrated
tool environment.
Technical compliance tests may be necessary to verify that IT systems are configured in accordance
with the organization’s information security policies, standards and guidelines. Automated
configuration checking and vulnerability assessment tools may speed up the rate at which technical
compliance checks are performed but potentially introduce their own security issues that need to be
taken into account.
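As an added example of such an automated technical compliance check (it is not part of the report, and the report does not name the tool it would use), the following Node.js script compares an OpenSSH server configuration against a small policy. The policy items and the sample sshd_config text are constructed for illustration. It needs nothing more than read access to a copy of the file, which is the point of the caveat above: the check itself should not require the privileges or network exposure that a full vulnerability scanner does.

```javascript
// Added example, not from the report: a policy-driven technical compliance
// check of an sshd_config file, the kind of pre-audit test an SMB sysadmin
// can run ahead of the auditor. Policy and sample input are constructed.

// Each rule: the sshd keyword, what the policy expects (a literal value or a
// predicate on the value) and the reason the auditor will ask about.
const POLICY = [
  { key: 'PermitRootLogin', expect: 'no', reason: 'root must log in via a named account' },
  { key: 'PasswordAuthentication', expect: 'no', reason: 'keys only; stops password guessing' },
  { key: 'PermitEmptyPasswords', expect: 'no', reason: 'empty passwords are never acceptable' },
  { key: 'MaxAuthTries', expect: (v) => Number(v) <= 4, shown: '<= 4', reason: 'limits brute-force attempts per connection' },
];

// Parse "Keyword value" lines. Comments and blank lines are skipped. sshd uses
// the FIRST value given for a keyword, so later duplicates are ignored here too.
// Limitation: Match blocks are not scoped; their lines are read as global.
function parseSshdConfig(text) {
  const settings = {};
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();
    if (line === '') continue;
    const m = /^(\S+)\s+(.+)$/.exec(line);
    if (!m) continue;
    const key = m[1];
    if (!(key in settings)) settings[key] = m[2].trim();
  }
  return settings;
}

// One finding per policy rule. A keyword that is not set fails, because the
// compiled-in default varies between OpenSSH versions and the auditor will
// want it stated explicitly.
function checkCompliance(settings) {
  return POLICY.map((rule) => {
    const actual = settings[rule.key];
    let pass = false;
    if (actual !== undefined) {
      pass = typeof rule.expect === 'function'
        ? rule.expect(actual)
        : actual.toLowerCase() === rule.expect;
    }
    return {
      key: rule.key,
      expected: rule.shown || rule.expect,
      actual: actual === undefined ? '(not set)' : actual,
      pass,
      reason: rule.reason,
    };
  });
}

function summarize(findings) {
  const failed = findings.filter((f) => !f.pass).length;
  return { total: findings.length, failed, compliant: failed === 0 };
}

// Constructed sample: one compliant keyword, two non-compliant, one missing.
const SAMPLE_CONFIG = `
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes        # auditor will flag this
PasswordAuthentication no
MaxAuthTries 6
`;

const findings = checkCompliance(parseSshdConfig(SAMPLE_CONFIG));
for (const f of findings) {
  console.log(`${f.pass ? 'PASS' : 'FAIL'} ${f.key} = ${f.actual} (policy: ${f.expected}) - ${f.reason}`);
}
console.log(summarize(findings));
```

The same structure (parse, compare against a declared policy, report every rule including absent ones) carries over to other configuration files the auditor will ask about; the output of a run like this is the evidence the sysadmin hands over before fieldwork starts.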

Advantages:

i) Cost effective
ii) Reduce time of auditing
iii) Reduction in number of man days charged by the network auditor.
iv) Pre-closing of vulnerabilities thereby pro-actively protecting the hardware environment.
v) Pre-closing of vulnerabilities thereby pro-actively protecting the web applications.

During the fieldwork phase, audit evidence is gathered by the auditor(s) working methodically
through the work plan or checklist: for example, interviewing staff, managers and other stakeholders
associated with the ISMS; reviewing ISMS documents, printouts and data (including records of
ISMS activities such as security log reviews); observing ISMS processes in action; and checking
system security configurations. Pre-audit tests already performed by the SMB's system
administrator to validate these items greatly reduce the work and the audit tests the auditor has to
perform.

The integrated test tool environment discussed in this project combines the effective performance of
open source tools for both the hardware (network) and software (web application) aspects of SMBs.
This reduces much of the time that independent testing of web applications on one hand and of the
network environment on the other would otherwise require.


KEYWORDS: Web application, JavaScript, DOM, multithread




Table of Contents
1.   Introduction
     1.1   Scope
     1.2   Principles of auditing
     1.3   Managing an audit programme
2.   Technique description
     2.1   Sahi Architecture
3.   Description of the tool used for simulation
     3.1   Getting Started
     3.2   Prerequisites
     3.3   Download Sahi OS
     3.4   Installation of Sahi
     3.5   Starting Sahi
4.   Experiments and Results
     4.1   Recording through Sahi
     4.2   Playing back through Sahi
     4.3   View Logs
5.   Problem extended for dissertation
6.   Timeline chart of work done and work to be completed
7.   References
8.   Figures
     Fig-1   Audit activities of networks
     Fig-2   Java-based proxy server injects JavaScript code
     Fig-3   Sahi dashboard
     Fig-4   Sahi controller
     Fig-5   Sahi recording




Chapter 1
1.   Introduction, Background

1.1 Scope
The ISMS guideline provides advice to IT auditors reviewing compliance with the ISO/IEC 27000
family of standards, principally ISO/IEC 27001 (the ISMS certification standard) and to a lesser
extent ISO/IEC 27002 (the code of practice for information security management). It is also meant
to help those who are implementing or have implemented the ISO/IEC 27000 family of standards, to
conduct internal audits and management reviews of their ISMS. Like the other related standards, it is
generic and needs to be tailored to the specific requirements of each situation. In particular, it points
out that audits are best planned and conducted in relation to the risks facing the organization being
audited, in other words the starting point for audit planning is an initial assessment of the main risks
(commonly known as a pre-audit survey or gap analysis). As with ISO/IEC 27001 and ISO/IEC
27002, being risk-based provides a natural priority to the audit tests and relates directly to the
organization's business requirements for information security.


1.2 Principles of auditing
   i)   Important but generic audit principles, e.g. independent evaluation against agreed criteria, plus
        more specific principles aimed at ISMS audits.
   ii)  In all matters related to the audit, the ISMS auditor should be independent of the auditee in both
        attitude and appearance. The ISMS audit function should be independent of the area or activity
        being reviewed to permit objective completion of the audit assignment.
   iii) Information security is a dynamic field with frequent changes to the risks (i.e. the threats,
        vulnerabilities and/or impacts), controls and environment. It is therefore important that auditors
        auditing information security controls maintain knowledge of the state of the art
        (e.g. emerging information security threats and currently-exploited vulnerabilities) and the
        organizational situation (e.g. changing business processes and relationships, technology changes).

1.3 Managing an audit programme
   i)   Advice on planning and scoping individual ISMS audits within the overall audit work
        programme, e.g. the idea of combining wide but shallow ISMS audits with more narrow but
        deeper audits on areas of particular concern.
   ii)  ISMS audits at multi-site organizations including multinationals and 'group' structures, where
        comparisons between the ISMSs in operation within individual business units can help share and
        promote good practices.
   iii) Auditing business partners' ISMSs, emphasizing the value of ISO/IEC 27001 certification as a
        means of gaining a level of confidence in the status of their ISMSs without necessarily having to
        do the audit work.
   iv)  Developing an internal programme for auditing the ISMS. From an IRCA point of view, an Audit
        Plan is developed when preparing to audit an organization. This plan is derived from the
        "Scope of Registration" document that is filled out when requesting a certification audit
        from a registrar. Besides the scope of registration, the domain definition also feeds the audit
        plan.

The activities performed by a network auditor according to the Information Security Management
System (ISMS) standards are shown in Fig-1.

Fig-1: Audit Activities of Networks

The following checklist is common. It reflects and refers to ISO/IEC 27001's requirements for
Information Security Management Systems without regard to any specific ISMS requirements that an
individual organization might have (for example if they are subject to legal, regulatory or contractual
obligations to implement particular information security controls).

The checklist is primarily intended to guide, or to be adapted and used by, competent auditors
including those working for internal audit functions, external audit bodies and ISMS certification
bodies. It can also be used for internal management reviews of the ISMS including pre-certification
checks to determine whether the ISMS is in a fit state to be formally audited. Finally, it serves as a
general guide to the likely depth and breadth of coverage in ISMS certification audits, helping the
organization to prepare the necessary records and information (identified in bold below) that the
auditors will probably want to review.

The audit tests noted below are intended as prompts or reminders of the main aspects to be checked
by competent, qualified and experienced IT auditors. They do not cover every single aspect of
ISO/IEC 27001. They are not meant to be asked verbatim or checked-off piecemeal. They are not
suitable for use by inexperienced auditors working without supervision.




Chapter 2
2. Technique description
2.1 Sahi Architecture:

The architecture of Sahi allows Sahi to be used on any browser or operating system. Sahi relies on
two core technologies/concepts:
   1. HTTP proxy – to inject code
   2. JavaScript code – to find elements and emulate actions

Both of these are basic building blocks of internet technologies and will necessarily be
supported by all browsers, making Sahi very easily extensible to newer browsers or newer versions
of browsers.

Sahi uses an HTTP proxy at its core to inject JavaScript into web pages. The injected JavaScript uses
custom code to identify elements in the browser and simulate actions like click, type etc. on them.




Fig-2: Java-based proxy server injects JavaScript code

HTML responses which pass through the proxy are modified such that JavaScript is injected at the start
and the end of the response. This allows the browser to record and play back scripts and talk back to
the proxy when needed. Apart from handling requests for the pages that the browser requests, Sahi's
proxy also handles custom commands related to recording, playback etc. which the browser sends.
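To make the injection step concrete, here is an added example (not Sahi's source code) of how such a proxy rewrites a response: one script tag is inserted at the start of the document (inside the head when there is one) and another just before the end of the body, non-HTML responses pass through untouched, and Content-Length is recomputed. It is plain JavaScript that runs under Node.js; the injected script paths, the command prefix, and the sample page are assumptions and not Sahi's real ones.

```javascript
// Added example, not Sahi's code: the response-rewriting step of an injecting
// HTTP proxy. One script tag goes in at the start of the document (inside <head>
// when there is one) and one just before </body>, so injected code runs before
// and after the page's own scripts. Script URLs are placeholders (assumption).
const START_TAG = '<script src="/_inject_/start.js"></script>';
const END_TAG = '<script src="/_inject_/end.js"></script>';
const COMMAND_PREFIX = '/_inject_/';   // assumption: prefix for controller commands

// Only HTML responses are rewritten; JSON, images and scripts pass through as-is.
function isHtmlResponse(headers) {
  const ct = String(headers['content-type'] || '').toLowerCase();
  return ct.startsWith('text/html');
}

// Requests whose path starts with the command prefix are for the proxy itself
// (record, playback, log retrieval) and never go to the target site.
function isProxyCommand(path) {
  return path.startsWith(COMMAND_PREFIX);
}

// Assumes `body` is already decoded (the proxy must gunzip first, or strip
// Accept-Encoding from the request). Returns new headers and body; the
// Content-Length is recomputed because the body grew.
function injectScripts(headers, body) {
  if (!isHtmlResponse(headers)) {
    return { headers, body, injected: false };
  }
  let out = body;
  const head = /<head[^>]*>/i.exec(out);
  if (head) {
    const at = head.index + head[0].length;
    out = out.slice(0, at) + START_TAG + out.slice(at);
  } else {
    out = START_TAG + out;
  }
  const bodyEnd = out.search(/<\/body>/i);
  if (bodyEnd >= 0) {
    out = out.slice(0, bodyEnd) + END_TAG + out.slice(bodyEnd);
  } else {
    out = out + END_TAG;
  }
  const newHeaders = { ...headers, 'content-length': String(Buffer.byteLength(out, 'utf8')) };
  delete newHeaders['content-encoding'];   // body is plain text now
  return { headers: newHeaders, body: out, injected: true };
}

// Constructed sample response, as the proxy would see it from the target site.
const SAMPLE_HEADERS = { 'content-type': 'text/html; charset=utf-8', 'content-length': '78' };
const SAMPLE_HTML = '<html><head><title>Login</title></head><body><form id="f"></form></body></html>';

const result = injectScripts(SAMPLE_HEADERS, SAMPLE_HTML);
console.log(result.body);
console.log('content-length:', result.headers['content-length']);
console.log('command?', isProxyCommand('/_inject_/record?name=login'), isProxyCommand('/login'));
```

Because such a proxy can rewrite any page and sees every request, including session cookies and credentials, only the test browser launched from the dashboard should be pointed at it (localhost:9999 in Sahi's case), never the user's everyday browser.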




Chapter 3
3. Description of the tool used for simulation
3.1 Getting Started

3.2 Prerequisites
Java 1.5 or above is needed for running Sahi.

3.3 Download Sahi OS
Download Sahi OS from http://sahi.co.in

3.4 Installation of Sahi
Once Sahi is downloaded, double click on the jar file to run the installer.




Fig-3: Sahi dashboard

3.5 Starting Sahi
Start Sahi Dashboard by any of the following methods:
1) Double click on the desktop shortcut
2) Go to Start -> All Programs -> Sahi -> Start Sahi
3) Start from the command line.
Windows: go to <Sahi>\userdata\bin and run start_dashboard.bat

The Sahi Dashboard starts the Sahi proxy, and allows launching of different browsers. Sahi
automatically modifies the browser’s proxy settings, so that requests go through the Sahi Proxy
(localhost:9999)


Chapter 4
4. Experiments and Results
4.1 Recording through Sahi

       Click on any browser on the Dashboard. A browser window should open with the following
       screen




Fig-4: Sahi controller

Press ALT and double click on the window which you want to record. The Sahi Controller will
pop up. (If that does not work, press CTRL and ALT keys together and then double click. Make
sure popup blockers are turned off)

    On the controller, go to the Record tab.
    Give a name for the script, and click ‘Record’. (.sah is optional)
    Navigate on your website like you normally would. Most actions on the page will now get
    recorded.
    Add an assertion:
   i) Move the mouse over any html element while pressing Ctrl key. The Accessor field will
        get populated in the controller.
   ii) Click the “Assert” button to generate assertions for the element. They will appear in the
        “Evaluate Expression” box.
   iii) Click “Test —>” to check that the assertions are true. You can evaluate any javascript
        using “Evaluate Expression” and “Test —>”. Actions performed via the controller will not be
        automatically recorded. Only actions performed directly on the page are automatically
        recorded. This lets you experiment on the webpage at recording time without impacting the
        script.
   iv) Once satisfied, click on “Append to Script”. This will add the assertions to the script.
   v) Click “Stop” to finish recording.


Fig-5: Sahi recording

Note that the controller can be closed and reopened at any time without disrupting recording. The
recorded script is stored in the <Sahi>\userdata\scripts directory. The recorded script can be
viewed and edited easily with any text editor. Sahi scripts are simple text files which use
JavaScript syntax.

The script can be edited even while recording, so that logical segregation into functions etc. can be
done as recording happens.

4.2 Playing back through Sahi
Running a test from the controller
    Open the Sahi controller (ALT-Dbl click on the page).
    Click on “Playback” tab
    Enter the script name in the “File:” field (with the help of the auto completion feature)
    Enter the start URL of the test. Eg. If you had started recording from
    http://sahi.co.in/demo/training/, use that URL.
    Click ‘Set’.
    Click ‘Play’.

Steps will start executing, and the controller will be updated accordingly. Once finished, SUCCESS
or FAILURE will be displayed at the end of the steps.

4.3 View Logs
On the controller, go to Playback tab and click on “View Logs” link at the bottom right. It will open
a window with the results neatly formatted in HTML.

Clicking on a line in the logs drills down to the exact line in the script. Logs show all passed
assertions in green; a failed assertion is shown in red. You can click on any of these lines to go to
the corresponding line of the script to debug.
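As an added example, not taken from the report or from Sahi's documentation, the following shows what a script recorded as in section 4.1 can look like once its steps are tidied into functions and security assertions are appended from the controller, ready for playback (4.2) and review in the logs (4.3). It is a Sahi script (JavaScript syntax, executed by Sahi's playback engine rather than by Node). The base URL, the form field names (username, password, q), the page elements (the Welcome heading, the error and results divs, the Login and Search buttons, the Logout link) and the probe strings are assumptions about a hypothetical SMB application; the Sahi functions used are _navigateTo, _setValue, _click, _assertExists, _assertNotExists, _assertContainsText and _log, with the _textbox, _password, _submit, _link, _div and _heading1 accessors.

```sahi
// Added example (not from the report or Sahi's docs): a recorded script tidied
// into functions, with security assertions appended from the controller.
// Runs under Sahi's playback engine. BASE, field and element names are
// assumptions about a hypothetical SMB application; the probe strings are
// constructed attack inputs, so point this only at a test instance.

var BASE = "http://localhost:8080";               // assumption: test instance
var XSS_PROBE = "<script>alert(1)</script>";     // constructed probe
var BYPASS_USER = "admin' OR '1'='1' --";        // constructed probe

function login(user, pass) {
    _navigateTo(BASE + "/login");
    _setValue(_textbox("username"), user);
    _setValue(_password("password"), pass);
    _click(_submit("Login"));
}

// 1. A valid login must succeed, otherwise the negative checks prove nothing.
function checkValidLogin() {
    login("auditor", "auditor-test-password");
    _assertExists(_heading1("Welcome"));
    _log("valid login ok");
    _click(_link("Logout"));
}

// 2. A SQL-injection style bypass must be rejected like any wrong password.
function checkLoginBypass() {
    login(BYPASS_USER, "x");
    _assertNotExists(_heading1("Welcome"));
    _assertExists(_div("error"));
    _log("login bypass rejected");
}

// 3. Search input reflected into the results must be escaped: the literal
//    probe text is visible only when the server encoded it as text.
function checkReflectedXss() {
    _navigateTo(BASE + "/search");
    _setValue(_textbox("q"), XSS_PROBE);
    _click(_submit("Search"));
    _assertContainsText(XSS_PROBE, _div("results"));
    _log("reflected input is escaped");
}

checkValidLogin();
checkLoginBypass();
checkReflectedXss();
```

Save it as pre_audit.sah in the scripts directory and play it back from the controller as in section 4.2; each _assert line then shows green or red in the logs of section 4.3. The reflected-XSS check relies on the visible text of the results element: if the application escapes the probe, the literal text appears; if it does not, the browser parses the probe as markup, the text is not visible, and the assertion turns red, which is exactly the page the auditor needs to see. Run it only against a test instance, since the bypass and probe strings are attack inputs.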

Chapter 5
5.   Problem extended for dissertation

Small and medium business enterprises are financially constrained, and it is difficult for them to pay
large sums to auditors. At the same time, legal and regulatory requirements aimed at protecting
sensitive or personal data, as well as general public security requirements, compel them to give the
utmost attention and priority to information security risks. If a service is not tested, there will be
no information about its security or insecurity. A security audit is unlikely to provide information
about new vulnerabilities, especially those discovered after the test is carried out. Vulnerability
assessments that include careful diagnostic reviews of all servers and network devices will generally
identify more issues faster than a "black box" test.

The chief objective of this work is to do pre-auditing in order to minimize the cost and time of
auditing in small and medium business enterprises.




Chapter 6
6.   Timeline Chart of work done and work to be completed
i)   Testing of web application, records, and playbacks has been completed.
ii) Survey of network auditing tools available and their efficiency vis-a-vis each other has been
     completed.
iii) Study of ISMS standards for network auditing has been completed.
iv) Performance of network audit tools has to be checked.
v) Integration and assimilation of tools has to be done for the selected SMB
vi) Cost effective report of the environment developed has to be made.








“Scrumbear” framework for solving traditional scrum model problems
 
Software reliability engineering
Software reliability engineeringSoftware reliability engineering
Software reliability engineering
 
Achieving observability-in-modern-applications
Achieving observability-in-modern-applicationsAchieving observability-in-modern-applications
Achieving observability-in-modern-applications
 
Deployment of Debug and Trace for features in RISC-V Core
Deployment of Debug and Trace for features in RISC-V CoreDeployment of Debug and Trace for features in RISC-V Core
Deployment of Debug and Trace for features in RISC-V Core
 
Aim crisp handout
Aim crisp handoutAim crisp handout
Aim crisp handout
 
IRJET- Software Architecture and Software Design
IRJET- Software Architecture and Software DesignIRJET- Software Architecture and Software Design
IRJET- Software Architecture and Software Design
 
Soa Test Methodology
Soa Test MethodologySoa Test Methodology
Soa Test Methodology
 
PROPOSING AUTOMATED REGRESSION SUITE USING OPEN SOURCE TOOLS FOR A HEALTH CAR...
PROPOSING AUTOMATED REGRESSION SUITE USING OPEN SOURCE TOOLS FOR A HEALTH CAR...PROPOSING AUTOMATED REGRESSION SUITE USING OPEN SOURCE TOOLS FOR A HEALTH CAR...
PROPOSING AUTOMATED REGRESSION SUITE USING OPEN SOURCE TOOLS FOR A HEALTH CAR...
 
Cloud Testing Research
Cloud Testing ResearchCloud Testing Research
Cloud Testing Research
 
Software Testing - Online Guide
Software Testing - Online GuideSoftware Testing - Online Guide
Software Testing - Online Guide
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001
 
ROLE OF iSAFE/iMobi IN SEAMLESS INTEGRATION OF THE DEVOPS ENVIRONMENT
ROLE OF iSAFE/iMobi IN SEAMLESS INTEGRATION OF THE DEVOPS ENVIRONMENTROLE OF iSAFE/iMobi IN SEAMLESS INTEGRATION OF THE DEVOPS ENVIRONMENT
ROLE OF iSAFE/iMobi IN SEAMLESS INTEGRATION OF THE DEVOPS ENVIRONMENT
 
Clone of an organization
Clone of an organizationClone of an organization
Clone of an organization
 
3Audit Software & Tools.pptx
3Audit Software & Tools.pptx3Audit Software & Tools.pptx
3Audit Software & Tools.pptx
 
A Comparative Study of Different types of Models in Software Development Life...
A Comparative Study of Different types of Models in Software Development Life...A Comparative Study of Different types of Models in Software Development Life...
A Comparative Study of Different types of Models in Software Development Life...
 
Ch5 software imprementation1.0
Ch5 software imprementation1.0Ch5 software imprementation1.0
Ch5 software imprementation1.0
 

Dernier

MS4 level being good citizen -imperative- (1) (1).pdf
MS4 level   being good citizen -imperative- (1) (1).pdfMS4 level   being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdfMr Bounab Samir
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17Celine George
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSMae Pangan
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvRicaMaeCastro1
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxkarenfajardo43
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxDhatriParmar
 

Dernier (20)

MS4 level being good citizen -imperative- (1) (1).pdf
MS4 level   being good citizen -imperative- (1) (1).pdfMS4 level   being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdf
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHS
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
 

Cost effective auditing of web applications and networks in smb

new standard ISO/IEC 27007 by drawing on the experience of ISMS implementers and IT/ISMS auditors. A secondary aim is to provide a pragmatic and useful guideline for those involved in auditing ISMSs.

The ISMS standard is preferred for auditing the network environment as it ensures optimal usage, efficiency and ISO-specified practices. SMBs, by using a range of open source tools in an integrated environment as discussed in this project, can cover most of the activities done by an auditor before an audit.
A large range of tasks which form the first three phases can be covered by the proposed integrated tool environment. Technical compliance tests may be necessary to verify that IT systems are configured in accordance with the organization's information security policies, standards and guidelines. Automated configuration checking and vulnerability assessment tools may speed up the rate at which technical compliance checks are performed, but potentially introduce their own security issues that need to be taken into account.

Advantages:
i) Cost effective
ii) Reduced time of auditing
iii) Reduction in the number of man-days charged by the network auditor.
iv) Pre-closing of vulnerabilities, thereby pro-actively protecting the hardware environment.
v) Pre-closing of vulnerabilities, thereby pro-actively protecting the web applications.

During the fieldwork phase, audit evidence is gathered by the auditor/s working methodically through the work plan or checklist, for example interviewing staff, managers and other stakeholders associated with the ISMS, reviewing ISMS documents, printouts and data (including records of ISMS activities such as security log reviews), observing ISMS processes in action and checking system security configurations etc.

Pre-audit tests already performed by the SMB's system administrator greatly reduce the work and the audit tests to be performed by the auditor. The integrated test tool environment discussed in this project combines the effective performance of open source tools used for both the hardware and software aspects of SMBs, thus reducing much of the time required for independent testing of web applications on one hand and the network environment on the other.

KEYWORDS: Web application, java scripts, DOM, multithread
Table of Contents (Page No.)

1. Introduction ........................................ 7
   1.1 Scope ........................................... 7
   1.2 Principles of auditing .......................... 7
   1.3 Managing an audit programme ..................... 7
2. Technique description ............................... 9
   2.1 Sahi Architecture ............................... 9
3. Description of the tool used for simulation ........ 10
   3.1 Getting Started ................................. 10
   3.2 Prerequisites ................................... 10
   3.3 Download Sahi OS ................................ 10
   3.4 Installation of Sahi ............................ 10
   3.5 Sahi starting ................................... 10
4. Experiments and Results ............................. 11
   4.1 Recording through Sahi .......................... 11
   4.2 Playing back through Sahi ....................... 12
   4.3 View Logs ....................................... 12
5. Problem extended for dissertation ................... 13
6. Timeline Chart of work done and work to be completed 14
7. References .......................................... 15
8. Figures
   Fig-1 ............................................... 8
   Fig-2 ............................................... 9
   Fig-3 ............................................... 10
   Fig-4 ............................................... 11
   Fig-5 ............................................... 12
Chapter 1

1. Introduction, Background

1.1 Scope
The ISMS guideline provides advice to IT auditors reviewing compliance with the ISO/IEC 27000 family of standards, principally ISO/IEC 27001 (the ISMS certification standard) and to a lesser extent ISO/IEC 27002 (the code of practice for information security management). It is also meant to help those who are implementing or have implemented the ISO/IEC 27000 family of standards to conduct internal audits and management reviews of their ISMS. Like the other related standards, it is generic and needs to be tailored to the specific requirements of each situation. In particular, it points out that audits are best planned and conducted in relation to the risks facing the organization being audited; in other words, the starting point for audit planning is an initial assessment of the main risks (commonly known as a pre-audit survey or gap analysis). As with ISO/IEC 27001 and ISO/IEC 27002, being risk-based provides a natural priority to the audit tests and relates directly to the organization's business requirements for information security.

1.2 Principles of auditing
Important but generic audit principles (e.g. independent evaluation against agreed criteria), plus more specific principles aimed at ISMS audits. In all matters related to the audit, the ISMS auditor should be independent of the auditee in both attitude and appearance. The ISMS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment. Information security is a dynamic field with frequent changes to the risks (i.e. the threats, vulnerabilities and/or impacts), controls and environment. It is therefore important that auditors auditing information security controls maintain knowledge of the state of the art (e.g. emerging information security threats and currently-exploited vulnerabilities) and the organizational situation (e.g. changing business processes and relationships, technology changes).

1.3 Managing an audit programme
Advice on planning and scoping individual ISMS audits within the overall audit work programme, e.g.:
i) combining wide but shallow ISMS audits with more narrow but deeper audits on areas of particular concern;
ii) ISMS audits at multi-site organizations, including multinationals and 'group' structures, where comparisons between the ISMSs in operation within individual business units can help share and promote good practices;
iii) auditing business partners' ISMSs, emphasizing the value of ISO/IEC 27001 certification as a means of gaining a level of confidence in the status of their ISMSs without necessarily having to do the audit work;
iv) developing an internal programme for auditing the ISMS.

From an IRCA point of view, you develop an Audit Plan when preparing to audit an organization. This plan is derived from the "Scope of Registration" document that an individual fills out when requesting a certification audit from a registrar. Besides the scope of registration, the domain definition will also feed the audit plan.
The activities performed by a network auditor as per the Information Security Management Systems (ISMS) standards are as below:

Fig-1: Audit Activities of Networks

The following checklist is common. It reflects and refers to ISO/IEC 27001's requirements for Information Security Management Systems without regard to any specific ISMS requirements that an individual organization might have (for example if they are subject to legal, regulatory or contractual obligations to implement particular information security controls). The checklist is primarily intended to guide, or to be adapted and used by, competent auditors including those working for internal audit functions, external audit bodies and ISMS certification bodies. It can also be used for internal management reviews of the ISMS, including pre-certification checks to determine whether the ISMS is in a fit state to be formally audited. Finally, it serves as a general guide to the likely depth and breadth of coverage in ISMS certification audits, helping the organization to prepare the necessary records and information (identified in bold below) that the auditors will probably want to review.

The audit tests noted below are intended as prompts or reminders of the main aspects to be checked by competent, qualified and experienced IT auditors. They do not cover every single aspect of ISO/IEC 27001. They are not meant to be asked verbatim or checked off piecemeal. They are not suitable for use by inexperienced auditors working without supervision.
Chapter 2

2. Technique description

2.1 Sahi Architecture
The architecture of Sahi allows Sahi to be used on any browser or operating system. Sahi relies on two core technologies/concepts:
1. HTTP proxy – to inject code
2. JavaScript code – to find elements and emulate actions
Both these technologies are basic building blocks of internet technologies and will necessarily be supported by all browsers, making Sahi very easily extensible to newer browsers or newer versions of browsers. Sahi uses an HTTP proxy at its core to inject JavaScript into web pages. The injected JavaScript uses custom code to identify elements on the browser and simulate actions like click, type etc. on them.

Fig-2: Java based proxy server injects JavaScript code

HTML responses which pass through the proxy are modified such that JavaScript is injected at the start and the end of the response. This allows the browser to record and play back scripts and talk back to the proxy when needed. Apart from handling requests for pages that the browser requests, Sahi's proxy also handles custom commands related to recording, playback etc. which the browser sends.
Chapter 3

3. Description of the tool used for simulation

3.1 Getting Started

3.2 Prerequisites
Java 1.5 or above is needed for running Sahi.

3.3 Download Sahi OS
Download Sahi OS from http://sahi.co.in

3.4 Installation of Sahi
Once Sahi is downloaded, double click on the jar file to run the installer.

Fig-3: Sahi dashboard

3.5 Starting Sahi
Start the Sahi Dashboard by any of the following methods:
1) Double click on the desktop shortcut
2) Go to Start -> All Programs -> Sahi -> Start Sahi
3) Start from the command line. Windows: go to <Sahi>\userdata\bin and run start_dashboard.bat
The Sahi Dashboard starts the Sahi proxy and allows launching of different browsers. Sahi automatically modifies the browser's proxy settings, so that requests go through the Sahi Proxy (localhost:9999).
Chapter 4

4. Experiments and Results

4.1 Recording through Sahi
Click on any browser on the Dashboard. A browser window should open with the following screen.

Fig-4: Sahi controller

Press ALT and double click on the window which you want to record. The Sahi Controller will pop up. (If that does not work, press the CTRL and ALT keys together and then double click. Make sure popup blockers are turned off.) On the controller, go to the Record tab. Give a name for the script, and click 'Record'. (The .sah extension is optional.) Navigate on your website like you normally would. Most actions on the page will now get recorded.

Add an assertion:
i) Move the mouse over any HTML element while pressing the Ctrl key. The Accessor field will get populated in the controller.
ii) Click the "Assert" button to generate assertions for the element. They will appear in the "Evaluate Expression" box.
iii) Click "Test —>" to check that the assertions are true. You can evaluate any JavaScript using "Evaluate Expression" and "Test —>". Actions performed via the controller will not be automatically recorded; only actions performed directly on the page are automatically recorded. This lets you experiment on the webpage at recording time without impacting the script.
iv) Once satisfied, click on "Append to Script". This will add the assertions to the script.
v) Click "Stop" to finish recording.
Fig-5: Sahi recording

Note that the controller can be closed and reopened at any time without disrupting recording. The recorded script is stored in the <sahi_pro>\userdata\scripts directory. The recorded script can be viewed and edited easily through any text editor. Sahi scripts are simple text files which use JavaScript syntax. The script can be edited even while recording, so that logical segregation into functions etc. can be done as recording happens.

4.2 Playing back through Sahi
Running a test from the controller:
i) Open the Sahi controller (ALT + double click on the page).
ii) Click on the "Playback" tab.
iii) Enter the script name in the "File:" field (with the help of the auto-completion feature).
iv) Enter the start URL of the test, e.g. if you had started recording from http://sahi.co.in/demo/training/, use that URL.
v) Click 'Set'.
vi) Click 'Play'.
Steps will start executing, and the controller will be updated accordingly. Once finished, SUCCESS or FAILURE will be displayed at the end of the steps.

4.3 View Logs
On the controller, go to the Playback tab and click on the "View Logs" link at the bottom right. It will open a window with the results neatly formatted in HTML. Clicking on a line in the logs will drill down to the exact line in the script. Logs show all the assertions in green; if an assertion has failed it will show in red. You can click on any of these lines to go to the line of script to debug.
Chapter 5

5. Problem extended for dissertation
Small and medium business enterprises have financial constraints, and it is difficult for them to pay large sums to an auditor. At the same time, the many legal and regulatory requirements which aim at protecting sensitive or personal data, as well as general public security requirements, impel them to devote the utmost attention and priority to information security risks. If a service is not tested, there will be no information about its security or insecurity. A security audit is unlikely to provide information about new vulnerabilities, especially those discovered after the test is carried out. Vulnerability assessments that include careful diagnostic reviews of all servers and network devices will definitely identify more issues faster than a "black box" test. The chief objective of this work is to do pre-auditing in order to minimize the cost and time of auditing in small and medium business enterprises.
Chapter 6

6. Timeline Chart of work done and work to be completed
i) Testing of web application, records, and playbacks has been completed.
ii) Survey of network auditing tools available and their efficiency vis-a-vis each other has been completed.
iii) Study of ISMS standards for network auditing has been completed.
iv) Performance of network audit tools has to be checked.
v) Integration and assimilation of tools has to be done for the selected SMB.
vi) Cost effective report of the environment developed has to be made.