{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2023,8,9]],"date-time":"2023-08-09T22:25:26Z","timestamp":1691619926837},"reference-count":31,"publisher":"IGI Global","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2011,4,1]]},"abstract":"<p>The multiplicity of existing software and component alternatives for web applications, especially in open source communities, has boosted interest in suitable benchmarks, able to assist in the selection of candidate solutions, concerning several quality attributes. However, the huge success of performance and dependability benchmarking contrasts the small advances in security benchmarking. Traditional vulnerability\/attack detection techniques can hardly be used alone to benchmark security, as security depends on hidden vulnerabilities and subtle properties of the system and its environment. A comprehensive security benchmarking process should consist of a two-step process: elimination of flawed alternatives followed by trustworthiness benchmarking. In this paper, the authors propose a trustworthiness benchmark based on the systematic collection of evidences that can be used to select one among several web applications, from a security point-of-view. They evaluate this benchmark approach by comparing its results with an evaluation conducted by a group of security experts and programmers. Results show that the proposed benchmark provides security rankings similar to those provided by human experts. In fact, although experts may take days to gather the information and rank the alternative web applications, the benchmark consistently provides similar results in a matter of few minutes.<\/p>","DOI":"10.4018\/jdtis.2011040101","type":"journal-article","created":{"date-parts":[[2012,4,5]],"date-time":"2012-04-05T13:05:15Z","timestamp":1333631115000},"page":"1-16","source":"Crossref","is-referenced-by-count":11,"title":["Selecting Secure Web Applications Using Trustworthiness Benchmarking"],"prefix":"10.4018","volume":"2","author":[{"given":"Afonso Ara\u00fajo","family":"Neto","sequence":"first","affiliation":[{"name":"University of Coimbra, Portugal"}]},{"given":"Marco","family":"Vieira","sequence":"additional","affiliation":[{"name":"University of Coimbra, Portugal"}]}],"member":"2432","reference":[{"key":"jdtis.2011040101-0","doi-asserted-by":"crossref","unstructured":"Amirtahmasebi, K., Jalalinia, S. R., & Khadem, S. (2009). A survey of SQL injection defense mechanisms. In Proceedings of the International Conference on Internet Technology and Secured Transactions, London, UK.","DOI":"10.1109\/ICITST.2009.5402604"},{"key":"jdtis.2011040101-1","doi-asserted-by":"crossref","unstructured":"Antunes, N., & Vieira, M. (2009). Comparing the effectiveness of penetration testing and static code analysis on the detection of SQL injection vulnerabilities in Web services. In Proceedings of the 15th IEEE Pacific Rim International Symposium on Dependable Computing, Shanghai, China.","DOI":"10.1109\/PRDC.2009.54"},{"key":"jdtis.2011040101-2","doi-asserted-by":"crossref","unstructured":"Antunes, N., & Vieira, M. (2010). Benchmarking vulnerability detection tools for Web services. In Proceedings of the International Conference on Web Services, Miami, FL (pp. 203-210).","DOI":"10.1109\/ICWS.2010.76"},{"key":"jdtis.2011040101-3","doi-asserted-by":"publisher","DOI":"10.4018\/jdtis.2010040102"},{"key":"jdtis.2011040101-4","doi-asserted-by":"crossref","unstructured":"Ara\u00fajo Neto, A., Vieira, M., & Madeira, H. (2009). Untrustworthiness: a trust-based security metric. In Proceedings of the 4th International Conference on Risks and Security of Internet and Systems, Toulouse, France.","DOI":"10.1109\/CRISIS.2009.5411967"},{"key":"jdtis.2011040101-5","unstructured":"Assessing, M., & Resilience, B. (AMBER). (2010). FP7 \u2013 216295. Retrieved from http:\/\/www.amber-project.eu"},{"key":"jdtis.2011040101-6","doi-asserted-by":"crossref","unstructured":"Ayewah, N., Pugh, W., Morgenthaler, J., Penix, J., & Zhou, Y. (2007). Evaluating static analysis defect warnings on production software. In Proceedings of the ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, San Diego, CA (pp. 1-8).","DOI":"10.1145\/1251535.1251536"},{"key":"jdtis.2011040101-7","doi-asserted-by":"crossref","unstructured":"Barbacci, M., Ellison, R. J., Lattanze, A. J., Stafford, J. A., Weinstock, C. B., & Wood, W. G. (2003). Quality Attribute Workshops (QAWs) (3rd ed.). (Tech. Rep. No. CMU\/SEI-2003-TR-016). Pittsburgh, PA: Carnegie-Mellon University.","DOI":"10.21236\/ADA418428"},{"key":"jdtis.2011040101-8","unstructured":"Bondavalli, A. Lollini, P., Barbosa, R., Ceccarelli, A., Falai, L., Karlsson, J.,\u2026Vieira, M. (2009). D3.2: Final research roadmap, formal deliverable AMBER Project \u2013 Assessing, measuring and benchmarking resilience (IST \u2013 216295). Florence, Italy: AMBER."},{"key":"jdtis.2011040101-9","unstructured":"Criteria, C. (1999). Common criteria for information technology security evaluation: User guide. Retrieved from http:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R2.pdf"},{"key":"jdtis.2011040101-10","doi-asserted-by":"crossref","unstructured":"Crnkovic, I., Chaudron, M., & Larsson, S. (2006). Component-based development process and component lifecycle. In Proceedings of the International Conference on Software Engineering Advances, Tahiti, French Polynesia.","DOI":"10.1109\/ICSEA.2006.261300"},{"key":"jdtis.2011040101-11","year":"1985","journal-title":"Trusted computer system evaluation criteria"},{"key":"jdtis.2011040101-12","article-title":"Database and transaction processing performance handbook","author":"J.Gray","year":"1993","journal-title":"The benchmark handbook for database and transaction systems"},{"key":"jdtis.2011040101-13","unstructured":"Hibernate. (2011). Hibernate persistence framework. Retrieved from http:\/\/www.hibernate.org"},{"key":"jdtis.2011040101-14","author":"M.Howard","year":"2002","journal-title":"Writing secure code"},{"key":"jdtis.2011040101-15","unstructured":"INFOSEC Research Council. (2005). Hard problem list. Retrieved from http:\/\/www.cyber.st.dhs.gov\/docs\/IRC_Hard_Problem_List.pdf"},{"key":"jdtis.2011040101-16","doi-asserted-by":"publisher","DOI":"10.1002\/9780470370506"},{"key":"jdtis.2011040101-17","doi-asserted-by":"crossref","first-page":"211","DOI":"10.3233\/JCS-1993-22-308","article-title":"Towards operational measures of computer security.","volume":"2","author":"B.Littlewood","year":"1993","journal-title":"Journal of Computer Security"},{"key":"jdtis.2011040101-18","doi-asserted-by":"publisher","DOI":"10.1109\/32.888629"},{"key":"jdtis.2011040101-19","unstructured":"Livshits, V., & Lam, M. (2005). Finding security vulnerabilities in java applications with static analysis. In Proceedings of the 14th USENIX Security Symposium, Baltimore, MD."},{"key":"jdtis.2011040101-20","author":"M.Lyu","year":"1996","journal-title":"Handbook of software reliability engineering"},{"key":"jdtis.2011040101-21","author":"D. H.McKnight","year":"1996","journal-title":"The meanings of trust (Tech. Rep.)"},{"key":"jdtis.2011040101-22","unstructured":"Open Web Application Security Project (OWASP). (2010). OWASP top 10. Retrieved from http:\/\/www.owasp.org\/index.php\/Top_10_2007"},{"key":"jdtis.2011040101-23","author":"S. C.Payne","year":"2006","journal-title":"A guide to security metrics"},{"key":"jdtis.2011040101-24","doi-asserted-by":"crossref","unstructured":"Ray, I., & Chakraborty, S. (2004). A vector model of trust for developing trustworthy systems. In Proceedings of 9th European Symposium on Research in Computer Security, Sophia-Antipolis, France.","DOI":"10.1007\/978-3-540-30108-0_16"},{"key":"jdtis.2011040101-25","unstructured":"Sandia National Laboratories. (2010). The information design assurance red team. Retrieved from http:\/\/idart.sandia.gov"},{"key":"jdtis.2011040101-26","unstructured":"Sherriff, M., & Williams, L. (2006). Defect density estimation through verification and validation. In Proceedings of the 6th Annual High Confidence Software and Systems Conference, Lithicum Heights, MD (pp. 111-117)."},{"key":"jdtis.2011040101-27","doi-asserted-by":"crossref","unstructured":"Sullivan, K., Clarke, J., & Mulcahy, B. P. (2010). Trust-terms ontology for defining security requirements and metrics. In Proceedings of the 4th European Conference on Software Architecture, Copenhagen, Denmark.","DOI":"10.1145\/1842752.1842789"},{"key":"jdtis.2011040101-28","unstructured":"Torgerson, M. (2007). Security metrics for communication systems. In Proceedings of the 12th International Command and Control Research and Technology Symposium, Newport, RI."},{"key":"jdtis.2011040101-29","doi-asserted-by":"crossref","unstructured":"Verendel, V. (2009). Quantified security is a weak hypothesis: a critical survey of results and assumptions. In Proceedings of the Workshop on New Security Paradigms, New York, NY (pp. 37-50).","DOI":"10.1145\/1719030.1719036"},{"key":"jdtis.2011040101-30","author":"S.Zanero","year":"2005","journal-title":"Automatic detection of Web application security flaws"}],"container-title":["International Journal of Dependable and Trustworthy Information Systems"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=65519","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T23:18:55Z","timestamp":1654125535000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jdtis.2011040101"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2011,4,1]]},"references-count":31,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2011,4]]}},"URL":"https:\/\/doi.org\/10.4018\/jdtis.2011040101","relation":{},"ISSN":["1947-9050","1947-9069"],"issn-type":[{"value":"1947-9050","type":"print"},{"value":"1947-9069","type":"electronic"}],"subject":[],"published":{"date-parts":[[2011,4,1]]}}}