A Vulnerability Taxonomy Methodology applied to Web Services

We present a methodology for taxonifying vulnerabilities based on the likelihood that they will be present in a certain system. It attempts to capture and formalize the intuition that allows security professionals to make predictions about likely security problems. The method exploits the realization that the vulnerabilities present in a system are related to the set of properties that define the system. By modeling a system using a selection of relevant properties and correlating this with the body of knowledge on historic vulnerabilities and the systems in which they lived, we obtain a heuristic of the likelihood that these vulnerabilities will reappear in a new system. The predictive nature of this methodology serves as an early warning for systems before they are widely deployed. As an example we apply our methodology to Web Services, thereby providing a tool to focus efforts in securing Web Services.
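The abstract describes the core step only in outline: describe a system by a set of properties, correlate those properties with the systems in which historic vulnerability classes appeared, and read off a likelihood that each class resurfaces. The following is an added illustration of that step, not code from the report or its authors. Everything in it is assumed for the purpose of the example: the property labels, the constructed history of vulnerability classes and host systems, the rule that a class's "profile" is the properties present in at least 60% of its historic hosts, and the containment score (share of the profile the new system exhibits) used as the likelihood heuristic. Its useful by-product for a reviewer is the list of profile properties the new system does not exhibit, which is exactly what to verify before dismissing a class.

```python
from collections import Counter, defaultdict

# Constructed history for illustration: (vulnerability class, system it was
# observed in, that system's properties). Labels are assumptions, not the
# report's taxonomy.
HISTORY = [
    ("sql_injection",   "shop_cgi",    {"untrusted_input", "database_backend", "string_built_queries", "html_output"}),
    ("sql_injection",   "forum_php",   {"untrusted_input", "database_backend", "string_built_queries", "browser_client"}),
    ("buffer_overflow", "ftp_daemon",  {"network_parser", "native_code", "manual_memory"}),
    ("buffer_overflow", "imap_daemon", {"network_parser", "native_code", "manual_memory", "untrusted_input"}),
    ("parser_dos",      "xml_rpc",     {"network_parser", "xml_processing", "untrusted_input"}),
    ("parser_dos",      "soap_gw",     {"network_parser", "xml_processing", "untrusted_input", "message_based"}),
    ("replay",          "kerberos4",   {"message_based", "no_freshness", "network_parser"}),
    ("xss",             "forum_php",   {"untrusted_input", "html_output", "browser_client", "database_backend"}),
    ("xss",             "wiki_app",    {"untrusted_input", "html_output", "browser_client"}),
]

# Constructed property model of a hypothetical Web Service under review.
WEB_SERVICE = {
    "network_parser", "xml_processing", "untrusted_input", "message_based",
    "database_backend", "string_built_queries", "managed_runtime",
}


def build_profiles(history, min_support=0.6):
    """For each vulnerability class, keep the properties present in at least
    min_support of the systems where it was observed. That set is the class's
    profile: the properties it has historically been correlated with.
    (Assumed rule; the report does not prescribe this threshold.)"""
    per_class = defaultdict(list)
    for vuln, _system, props in history:
        per_class[vuln].append(props)
    profiles = {}
    for vuln, prop_sets in per_class.items():
        counts = Counter(p for props in prop_sets for p in props)
        n = len(prop_sets)
        profiles[vuln] = {p for p, c in counts.items() if c / n >= min_support}
    return profiles


def score(system_props, profile):
    """Containment heuristic (assumed): fraction of the profile the new system
    exhibits. Containment rather than Jaccard, so a system with many extra
    properties is not penalised for them. Returns (score, shared, missing)."""
    shared = system_props & profile
    return len(shared) / len(profile), shared, profile - system_props


def rank(system_props, profiles, threshold=0.5):
    """Rank vulnerability classes by likelihood for the given system; classes
    below threshold are dropped. Each row carries the shared properties (why it
    scored) and the missing ones (what to verify before dismissing it)."""
    rows = []
    for vuln, profile in profiles.items():
        s, shared, missing = score(system_props, profile)
        if s >= threshold:
            rows.append((vuln, round(s, 2), sorted(shared), sorted(missing)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for vuln, s, shared, missing in rank(WEB_SERVICE, build_profiles(HISTORY)):
        print(f"{vuln:16s} {s:.2f}  shared={shared}  missing={missing}")
```

With the constructed history, `parser_dos` and `sql_injection` score 1.0 for the modelled Web Service, `replay` scores 0.67 with `no_freshness` as the property still to be checked, and `buffer_overflow` and `xss` fall below the threshold because the system lacks most of their profile. Sparse classes (one historic host, as `replay` here) inherit every property of that host, which is why a support threshold and more than one instance per class matter when building the knowledge base.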

By: Chris Vanden Berghe; James Riordan; Frank Piessens

Published in: Tartu, Estonia, 2005

LIMITED DISTRIBUTION NOTICE:

This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).

rz3630.pdf

Questions about this service can be mailed to reports@us.ibm.com.