A Methodological Tool for Asset Identification in Web Applications: Security Risk Assessment

Abstract

Security risk assessment in Web Engineering is an emerging discipline, where security is given a special attention, allowing software engineers to develop high quality and secure Web based applications. A preliminary study revealed that asset identification (and evaluation) is an essential phase in risk assessment practices. This phase represents a degree of complexity and is the primary activity in the assessment process. This work focuses on asset identification and contributes to security risk assessment, which is essential part of software security. Specifically, the research goal is to design a methodological tool (instrument) for asset identification in web applications for the purpose of risk assessment. The proposed tool helps identify assets with security risks in Web applications. The tool involves direct observations and survey questionnaires as data collection techniques used for this work. The research methodology is based on qualitative and quantitative analysis of a case study that focused on Web based application for student opinion survey coordination (EOE) developed in Simoacuten Boliacutevar University, Venezuela. The data analysis required the use of cross case analysis supported by the software application MAXQDA2007, which helps identify assets according to categories, such as environment, software, hardware, information and networks. Under this work, students, faculty, staff, and software developers at Simoacuten Boliacutevar University have participated in this study.