Open Access
Abordagem ontológica para mitigação de riscos em aplicações web (Ontological approach for risk mitigation in web applications)
Author(s) - Marcius Montedo Marques
Publication year - 2014
Language(s) - English
Resource type - Dissertations/theses
DOI - 10.26512/2014.12.d.17874
Subject(s) - computer science, philosophy
Information Security (InfoSec) is becoming a high-priority asset for supporting business activities, as organizations struggle to ensure that data in web applications is available and secure. However, security is not a concern from the beginning of the development process, mainly because developers are not security specialists. Consequently, vulnerable systems are designed, and when attacked they can compromise an organization's data and operations, causing high financial losses. In a survey of more than 200 application developers, it was found that although they realize how important their role is in the security assurance process, the vast majority are not interested in learning security in depth in order to develop solutions. Because most attacks target the application layer, we propose an intelligent, ontology-based approach to mitigate risks in web applications. This type of approach does not require developers to go through long, time-consuming courses, books or various websites about InfoSec in order to acquire the knowledge needed to produce more secure applications. An ontological approach can also contribute to the dissemination of InfoSec knowledge and reduce the burden that implementing secure web applications places on organizations. The knowledge base used to build the ontology comes from three well-known sources about vulnerabilities: OWASP Top 10, OWASP ASVS and CWE. They are merged and applied together to reduce the gap between the application developer and security-related information. The proposed model is employed in the design phase of development in several real case scenarios, with more secure web applications as the outcome. The developed ontology, which is extensible and reusable, is evaluated quantitatively and qualitatively for comparison purposes. The results show that vulnerabilities can be reduced by increasing the security awareness of web developers during the application development process.
