Evaluating the security levels of the Web-Portals based on the standard ISO/IEC 15408

Abstract

Evaluating the security level of the Web-Portal is an urgent need, but it is not yet paid enough attention. A quantitative method is a key factor in analyzing security level evaluation. The formal model of the standard ISO/IEC 15408 and some other security standards cannot be directly applied to Web-Portals due to the generality and the abstraction of the model. The prestigious model of OWASP (Open Web Application Security Project) provides many best practices for Web application, but it is sill not enough for a quantitative evaluation and it is hardly applicable to compare the security level of different Web applications. This paper proposes a model and a quantitative method for evaluating the security levels of the Web-Portals based on the standard ISO/IEC 15408, which is highly feasible in the practice.