Abstract
Web services are a popular technology for deploying applications on the Web. They are supported by frameworks, the middleware that handles most communication aspects. Security on the Web is a key concern, as the exposure to attacks is high and may result in catastrophic consequences for the deployed services. Selecting the most secure framework is challenging, especially considering their diversity and the complexity involved in any security assessment. This paper is an initial contribution aiming at the definition of a security benchmark for assessing and comparing the security of web service frameworks. The proposed benchmark is based on two phases: Security Qualification and Trustworthiness Assessment. In the first phase, state-of-the-art techniques are used to detect vulnerabilities in the frameworks. If vulnerabilities are found, the framework is disqualified. In the second phase, the qualified frameworks are analyzed for evidence of potentially insecure aspects, and the observed behavior is used to compute a score using the Logic Score of Preferences technique. This score allows frameworks to be compared from a trustworthiness perspective. We applied our approach to the case of DoS attacks and benchmarked ten frameworks. Results show that six frameworks fail to qualify for the second phase and that the remaining ones can be ranked using the computed score, allowing developers to make informed decisions about their deployments.