Empirical Study on the Use of Client-side Web Security Mechanisms

Book - Dissertation

Nowadays, no one disputes the fact that the web has become an essential part of our society. More and more organizations and individuals rely on the web for almost every kind of activity. Naturally, the rising importance of the web attracts an increasing number of web attacks. As the web (and the attacks on it) keep expanding, it is important for website operators to ensure the security of their web applications. To defend against a rising number of web attacks, one basic yet important step is to adopt the various known defense mechanisms that have been developed by the security community. In this dissertation, we assess the security of websites from the perspective of their adoption of these client-side defense mechanisms. Client-side security mechanisms are configured and controlled by web servers, and they help websites reduce their client-side attack surface. As such, the presence of these mechanisms on a website might be used as an external indicator of the security awareness and practices of the website owner. Firstly, we discuss the eight most important client-side defense mechanisms, which serve as the metrics of a web scoring system that measures the security of web applications. Secondly, we propose an efficient crawling approach for large-scale web assessments that measures the adoption of these mechanisms. We then use this crawling approach to investigate mixed-content inclusion weaknesses, to conduct a security assessment of the Chinese Web, and to perform a longitudinal assessment of the adoption of client-side security mechanisms on the European Web. By quantifying a website's security level as a web security score, we can compare the security maturity of websites per country, sector and popularity. Lastly, we explore the relationship between a company's cybercrime cost and the adoption of defense mechanisms on its website. Our correlational analysis shows that companies with better security defenses tend to suffer less business loss from web attacks.
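As an added illustration of the scoring idea described above (example code, not from the dissertation), the following checks one constructed HTTPS response for server-configured client-side mechanisms and for mixed-content inclusions, then reports the share that are present as a simple score. The abstract does not list the eight mechanisms, so the set checked here (HSTS, CSP, framing control, nosniff, Secure and HttpOnly cookie flags, Referrer-Policy, absence of mixed content) and the sample headers and HTML are assumptions.

```python
import re

# Constructed sample: headers and body of one HTTPS response (not data from the dissertation).
# Set-Cookie may repeat, so headers are kept as (name, value) pairs rather than a dict.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly"),
    ("Content-Type", "text/html; charset=utf-8"),
]
SAMPLE_HTML = ('<html><head><script src="http://cdn.example/app.js"></script>'
               '<link rel="stylesheet" href="https://cdn.example/app.css"></head>'
               '<body><img src="http://img.example/logo.png"></body></html>')

# Resource-loading tags whose src/href is plain http://, i.e. mixed content on an HTTPS page.
MIXED_RE = re.compile(
    r'<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["\'](http://[^"\']+)', re.I)

def mixed_content_urls(html):
    """Return the http:// resource URLs a page includes, active (script) and passive (img) alike."""
    return MIXED_RE.findall(html)

def check_mechanisms(headers, html):
    """Map each assumed header-based mechanism to whether this response enables it."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    cookies = by_name.get("set-cookie", [])
    csp = " ".join(by_name.get("content-security-policy", []))

    def has_flag(cookie, flag):  # looks for an attribute such as "; Secure" on a Set-Cookie line
        return re.search(r";\s*" + flag + r"\b", cookie, re.I) is not None

    return {
        "hsts": "strict-transport-security" in by_name,
        "csp": bool(csp),
        "framing_control": "x-frame-options" in by_name or "frame-ancestors" in csp,
        "nosniff": any(v.strip().lower() == "nosniff" for v in by_name.get("x-content-type-options", [])),
        "secure_cookies": bool(cookies) and all(has_flag(c, "secure") for c in cookies),
        "httponly_cookies": bool(cookies) and all(has_flag(c, "httponly") for c in cookies),
        "referrer_policy": "referrer-policy" in by_name,
        "no_mixed_content": not mixed_content_urls(html),
    }

def security_score(headers, html):
    """Share of checked mechanisms present, as a percentage: one simple 'web security score'."""
    results = check_mechanisms(headers, html)
    return 100.0 * sum(results.values()) / len(results)
```

For the sample response, the two plain-http inclusions and the two missing headers leave 5 of 8 checks satisfied, a score of 62.5.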
Publication year: 2018
Accessibility: Open