A Tool for Web Application Security and Process Effectiveness: DEBSA
Year 2020, Volume 34, Issue 4, pp. 1407-1430, 23.10.2020
Hakan Aşan, Yılmaz Gökşen
Abstract
The spread of internet use has increased the use of web applications by both individuals and organizations. As a result, the volume of data that is sent, received, stored and analysed has grown considerably. Attacks on web applications, aimed at obtaining the information those applications hold, are likewise increasing every day, and individuals and organizations need security measures to prevent them. No matter how many precautions are taken while a web application is being developed, some vulnerabilities are unavoidable. In addition to the measures taken at the development stage, web applications must therefore be kept under continuous control and audit. Many tools have been developed for testing web applications; however, beyond running such tests, the security of a web application has to be maintained continuously. Checking web applications continuously is nearly impossible when it is done by individuals; having the testing software itself schedule these checks is what provides continuity.
The overall aim of this study is to develop a process model that brings the security of web applications under control. To this end, a piece of software was developed that tests web applications and turns this testing into managed processes. The software runs tests that find vulnerabilities in web applications. In addition, through its process management module, it schedules these tests and automatically notifies the people responsible for the checks.
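As an added illustration of the process model the abstract describes (scheduled tests plus automatic notification of the responsible people), the Python sketch below is not the DEBSA software from the paper. It assumes one hypothetical test, reporting HTTP security headers missing from a response, a per-application scan interval, and an owner e-mail address per application, and it runs over constructed sample response headers rather than live sites, so it executes offline.

```python
"""Scheduled web-application checks with owner notification.

Added example, not the DEBSA code from the paper. It models the idea of
turning a security test into a scheduled process whose findings are
reported automatically to the person responsible for each application.
The header check, the applications and the responses are constructed
for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Headers whose absence the test reports (assumption: a common baseline).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: HTTPS can be downgraded",
    "content-security-policy": "CSP missing: injected scripts are not constrained",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}


@dataclass
class WebApp:
    name: str
    owner_email: str
    interval: timedelta               # how often the test must run
    last_run: Optional[datetime] = None


@dataclass
class ScanResult:
    app: str
    run_at: datetime
    findings: list = field(default_factory=list)


def check_headers(headers: dict) -> list:
    """One finding per required header absent from the response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]


def due_apps(apps: list, now: datetime) -> list:
    """Applications never scanned, or whose scan interval has elapsed."""
    return [a for a in apps if a.last_run is None or now - a.last_run >= a.interval]


def run_cycle(apps: list, responses: dict, now: datetime) -> list:
    """Run the test for every due application and advance its schedule."""
    results = []
    for app in due_apps(apps, now):
        findings = check_headers(responses.get(app.name, {}))
        app.last_run = now
        results.append(ScanResult(app.name, now, findings))
    return results


def notifications(results: list, apps: list) -> list:
    """(recipient, message) pairs for every scan that produced findings."""
    owner = {a.name: a.owner_email for a in apps}
    messages = []
    for r in results:
        if r.findings:
            body = "[%s] %s: %d finding(s)\n" % (r.run_at.strftime("%Y-%m-%d %H:%M"),
                                                  r.app, len(r.findings))
            body += "\n".join("  - " + f for f in r.findings)
            messages.append((owner[r.app], body))
    return messages


# Constructed sample inventory and response headers (not real sites).
SAMPLE_APPS = [
    WebApp("intranet", "alice@example.invalid", timedelta(days=7)),
    WebApp("shop", "bob@example.invalid", timedelta(days=1)),
]
SAMPLE_RESPONSES = {
    "intranet": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "shop": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=63072000",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    },
}


def demo():
    """Three scheduler ticks: initial scan, one hour later, one day later."""
    now = datetime(2020, 10, 23, 9, 0)
    apps = [WebApp(a.name, a.owner_email, a.interval) for a in SAMPLE_APPS]
    first = run_cycle(apps, SAMPLE_RESPONSES, now)        # both apps are due
    notes = notifications(first, apps)                    # only intranet has findings
    second = run_cycle(apps, SAMPLE_RESPONSES, now + timedelta(hours=1))  # nothing due
    third = run_cycle(apps, SAMPLE_RESPONSES, now + timedelta(days=1))    # shop due again
    return first, notes, second, third


if __name__ == "__main__":
    for recipient, text in demo()[1]:
        print("to:", recipient)
        print(text)
```

The point of the sketch is the separation the abstract draws: the test itself (`check_headers`) is replaceable, while the schedule (`due_apps`, `run_cycle`) and the routing of findings to owners (`notifications`) are what keep the checks running without a person remembering to start them.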
English title as published: Development on Focus of Security and Process Effectiveness for Web Applications: DEBSA