Title: An Ontological Approach to Mitigate Risk in Web Applications
Authors: Marcius M. Marques, C. G. Ralha
Published in: Anais do XIV Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2014)
Publication date: 2014-11-03
DOI: 10.5753/sbseg.2014.20135 (https://doi.org/10.5753/sbseg.2014.20135)
Citation count: 6
Abstract
Information Security (InfoSec) is becoming a high-priority asset for supporting business activities, as organizations struggle to ensure that data in web applications is both available and secure. However, security is usually not a concern from the beginning of the development process, mainly because developers are not security specialists. Consequently, vulnerable systems are designed, and when attacked they can compromise an organization's data and operations, leading to high financial losses. Because most attacks target the application layer, we propose an intelligent, ontology-based approach to mitigate risks in web applications. An ontological approach can contribute to the dissemination of InfoSec knowledge and reduce the burden that implementing secure web applications places on organizations. The ontology is based on the OWASP Top 10 Project and is applied to narrow the gap between the application developer and the required security knowledge. The proposed model is employed in the design phase of development, with more secure web applications as the outcome. The developed ontology, which is extensible and reusable, is evaluated in a prototype scenario of a web application named 'SMS Broadcast'. The results show that vulnerabilities can be reduced by increasing the security awareness of web developers during the application development process.