
Title:
Knowledge Base Model for Security Audits in Web Services with SQL Injection ; Modelo base de conocimiento para auditorías de seguridad en servicios web con inyección SQL
Source:
Ingeniería, Vol. 25 No. 3 (2020): September - December, pp. 264-283; ISSN 2344-8393, 0121-750X
Publisher Information:
Universidad Distrital Francisco José de Caldas
Publication Year:
2020
Collection:
Universidad Distrital de la ciudad de Bogotá: Open Journal Systems
Document Type:
Journal article (article in journal/newspaper)
File Description:
text/xml; application/pdf
Language:
Spanish; Castilian
Relation:
https://revistas.udistrital.edu.co/index.php/reving/article/view/15740/17270
https://revistas.udistrital.edu.co/index.php/reving/article/view/15740/16078
A. Au and W. Fung, “Knowledge Audit Model for Information Security”, in 8th International Conference on Innovation and Knowledge Management in Asia Pacific, Kobe, October 2016.
J. L. Contreras, “Propuesta de auditoría a las aplicaciones web de la empresa C&M consultores aplicando herramientas de software libre”, degree thesis, Universidad Nacional Abierta y a Distancia, 2017.
S. Coronado, “Desarrollo de una guía metodológica basada en análisis SQL injection y formas de protección a las bases de datos”, degree thesis, Pontificia Universidad Católica del Ecuador, Quito, 2017.
A. Sadeghian, M. Zamani and A. A. Manaf, “A Taxonomy of SQL Injection Detection and Prevention Techniques”, in Informatics and Creative Multimedia (ICICM), Kuala Lumpur, September 2013. doi: https://doi.org/10.1109/ICICM.2013.18
A. Sadeghian, M. Zamani and S. M. Abdullah, “A taxonomy of SQL Injection Attacks”, in International Conference on Informatics and Creative Multimedia, Kuala Lumpur, September 2013.
M. Rodríguez, “Auditoría de aplicaciones web: metodología y práctica profesional”. [Online]. Available: http://openaccess.uoc.edu/webapps/o2/bitstream/10609/40153/7/mrodriguezsanchez1TFC0115memoria.pdf
G. Méndez and L. Álvarez, “Metodología para la construcción de la base de conocimiento de un sistema experto”, Revista Ingeniería, vol. 8, no. 2, pp. 12-18, 2003. https://doi.org/10.14483/23448393.2686
E. A. Varela, D. Estrada and L. Acosta, “Wiki, herramienta informática para la base de conocimiento para el proyecto PROMEINFO de la Universidad de Guayaquil”, Dominio de las Ciencias Sociales, vol. 3, no. 3, pp. 702-727, 2017. http://dx.doi.org/10.23857/dc.v3i3.502
Ministerio de las TIC [MinTIC], “Modelo de seguridad y privacidad de la Información y Guía de auditoría de Seguridad y privacidad de la información”. [Online]. Available: https://www.mintic.gov.co/gestionti/615/articles-5482_Modelo_de_Seguridad_Privacidad.pdf
D. Guaman, F. Guaman, D. Jaramillo and M. Sucunuta, “Implementation of techniques and OWASP security recommendations to avoid SQL and XSS attacks using J2EE and WS-security”, in 12th Iberian Conference on Information Systems and Technologies (CISTI), Lisbon, June 2017.
ISO/IEC 27000, “Information technology - Security techniques - Information security management systems - Overview and vocabulary”. [Online]. Available: https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en
J. Singh, “Analysis of SQL Injection Detection Techniques”, Theoretical and Applied Informatics, vol. 28, no. 1-2, 2016.
IBM Corporation, “X-Force IRIS Data Breach Report”, 2019. [Online]. Available: https://www.ibm.com/security/resources/xforce/xfisi/
OpenKM, “Diagram of the system architecture”. [Online]. Available: https://www.openkm.com/en/architecture.html
M. Shaw and D. Garlan, “Software Architecture: Perspectives on an emerging discipline”. Upper Saddle River: Prentice Hall, 1996.
T. Gunawan, M. Lim, M. Kartiwi, N. Malik and N. Ismail, “Penetration testing using Kali linux: SQL injection, XSS, wordpress, and WPA2 attacks”, Indonesian Journal of Electrical Engineering and Computer Science, vol. 12, no. 2. https://doi.org/10.11591/ijeecs.v12.i2.pp729-737
X. Liu, Q. Yu, X. Zhou and Q. Zhou, “OwlEye: An Advanced Detection System of Web Attacks Based on HMM”, IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, Athens, August 2018.
https://revistas.udistrital.edu.co/index.php/reving/article/view/15740
Rights:
Copyright 2020 John Edison Moreno Marín, Paulo Cesar Coronado Sánchez; https://creativecommons.org/licenses/by-nc-sa/4.0
Accession Number:
edsbas.95D8FEB5
Database:
BASE

Further information

Context: Due to the large number of cyber-attacks at the international and national (Colombia) levels, organizations have put preventive mechanisms and procedures in place to counteract vulnerabilities in information security. The issue studied by this project arises from the need to make a proposal to the DIAN information security office to implement and follow up on the MinTIC Online Government Strategy in its Information Security and Privacy component, through the institutional information security policy and through this knowledge base model for audits of web services, applied to a particular prototype.

Method: The general methodology for the knowledge base model has two parts: the first corresponds to the collection, processing, and purification of the base, and the second corresponds to the systematization process of the proposed model. OpenKM (open-source software) was implemented to support the knowledge base. For the development of the audit, it is important to keep in mind that, within the general methodology, a series of guides was included in each of the phases of the model. The project uses standards, good practices, tools, and professional advice such as ISO 27000, OSSTMM, OWASP, JUnit, and the Risk Management and Audit guides issued by MinTIC. For the development of the prototype with the presented web service (WS), the OpenUP method was used. The implementation was limited to the construction of two HTTP methods, GET and POST, for query and data-entry actions.

Results: With this project, it was possible to create a knowledge base model implemented on OpenKM, executing a web services security audit with SQL Injection on an organizational prototype.

Conclusions: It must be taken into account that there will never be a 100% secure infrastructure, since there will always be risks on the platforms due to the changing nature of the attacks. However, there will always be alternatives such as this base model of information security auditing to avoid or mitigate such risks or attacks.