Main Page
VulneraPedia
Ontological engineering can manage security data efficiently and turn it into security knowledge. We use a stepwise methodology to define a main ontology for the web application security domain. Semantic extraction and integration processes then translate unstructured data into quality security knowledge. These processes are applied to wrap the data of three reputable security communities on the web: OWASP, CWE and CAPEC. A social tool (this semantic wiki) is implemented to integrate the knowledge in an accessible way. It opens up the security knowledge to encourage people to collaboratively use and extend it.
Introduction
Our main objective is to improve how security is managed in organizations by encouraging people to use security knowledge in every stage of the application lifecycle and in their daily work. Applying semantics to security data generates security knowledge that improves the security processes and strategies to follow. The paper therefore describes how to manage web security knowledge using ontology engineering.
Rich, complete security knowledge repositories would reduce mistakes and gaps in knowledge. However, open security knowledge repositories are scarce, and in general the little semantic security data that exists is very scattered. At the same time, large amounts of non-semantic security data are stored in several disparate communities.
This wealth of information is difficult to exploit. Integrating the available security information effectively requires efficient semantic content retrieval and a knowledge management system to wrap the extracted data. The Semantic Web has proved well suited to knowledge management tasks such as integration, production, querying and maintenance. Drawing on ontological engineering, we use a simple methodology to define a main ontology focused on the web application security domain. This unified model is the key to carrying out the management processes. We extend it to provide a rich security knowledge base that facilitates the security processes, which requires extraction from heterogeneous communities. The knowledge extraction and its integration serve to check the viability of using ontologies for security knowledge.
People must interact with the knowledge to achieve the security objectives, and should extend the contents with their own knowledge, so the knowledge should be shared in a visible and accessible way. We therefore propose a tool that wraps the security knowledge management. The tool opens up the contents so that users can apply security more effectively. Security is an area in constant movement, so extending the knowledge base is a real need. However, annotating security data is time-consuming and requires expert curators. The underlying ontology formalizes and manages new knowledge, and the open tool encourages security experts and end users to collaboratively add to and interact with the semantic security contents.
Semantic Security Management
The absence of a common model definition for building well-suited security knowledge is a major problem. Since we focus on the web application security domain, we need an ontology adjusted to this area. This security ontology makes it possible to carry out the management processes. The model defines the semantic base, a set of well-structured general concepts. After that, we could wait for users to extend the ontology themselves with the security knowledge they have learnt. However, a knowledge base without initial security contents has great disadvantages for users:
- Slow addition of knowledge: few people use the ontology because it does not contain specific contents.
- An empty knowledge base discourages users from adding knowledge.
- Allowing non-expert users to build the initial security data of the ontology is a mistake.
Therefore, we have to extend the ontology with specific security contents. This addition also contributes to two research goals. The first is to check that the ontology can manage these security contents and all the processes involved, integrating them into a compact security knowledge base. The second is to try to mitigate the existing lack of open security knowledge with the generated knowledge base.
To achieve these goals, we follow a simple stepwise methodology (see Figure 1) that provides a set of tasks:
- General model: it provides a starting point where the main concepts and their general relationships are defined. Thanks to it, we can better search for and select relevant security communities.
- Full abstraction: the main ontology is defined, extending the general definition. It provides the abstract elements, and their possible connections, that are used by or derived from the security data.
- Data extension: the security contents of the selected communities are integrated into the knowledge base. Security data are wrapped as security knowledge through semantic annotations, using the main ontology.
The general model serves as the semantic base for defining the model focused on web application security. All subsequent security knowledge should be properly added to and integrated into this model, so we put special emphasis on defining it well. Thus, we use Fenz's ontology (Fenz and Ekelhart, 2009), which provides an excellent general security model that is simple and intuitive.
The information presented in the three selected communities is rich. However, the knowledge inside them is not explicitly labeled, so we must carry out an abstraction process to label it, defining the main ontology. The main ontology should cover almost all possible semantic abstractions of the security data existing in the communities. The ontology can be considered a semantic wrapper of these communities.
After inspecting and analysing each community, we carry out the full abstraction process to identify, define and integrate the main concepts (abstractions) and properties (links) enclosed in their security data. This conceptualization process has to reconcile the different terminology used in each community to allow proper integration. Thus, having extended the general model, we obtain the main ontology.
Moreover, we add some concepts from other ontologies, so that users can use them to apply new functionality in a controlled structure. The connections are:
- Connection to baetle: our security management opens the possibility of semantically managing and tracking bugs and enhancements in assets.
- Connection to doap: the security management can link the assets to their projects, obtaining relevant semantic data from the specification of the project in the doap ontology.
- Connection to foaf: the security management allows the provider of the security data to be associated with its foaf profile, to collect semantic personal and contact information.
The main ontology is shown in Figure 2. It defines the semantic abstractions that will be used to annotate the security data to be extracted. Security data use these unified concepts as tree roots to be extended as a taxonomy, forming hierarchical structures without divisions.
Data extension is defined by the linkify process. It translates implicit knowledge into explicit knowledge, linking the generated contents to one another. This process should identify the specific resources and associate them with class taxonomies and property values. The process must integrate all resources using the main ontology.
Our work is to linkify a larger amount of security knowledge to provide a full knowledge base. First, we must collect the data from the three communities. Then, we extract the enclosed knowledge following the main ontology. Finally, we integrate all resources into the knowledge base.
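As an added illustration of the linkify steps above (not code from the VulneraPedia project), the following Python example unifies differently named record types from the three communities under root concepts, builds the taxonomy and cross-links, and queries the integrated result. The root concept names, the property names (`subClassOf`, `exploits`, `mitigates`) and every record are constructed assumptions; the actual main ontology is the one shown in Figure 2.

```python
# Added illustration: concept names, property names and records are all constructed.
# Hypothetical mapping of each community's own terms to unified root concepts.
TERM_MAP = {
    ("CWE", "Weakness"): "Vulnerability",
    ("OWASP", "Vulnerability"): "Vulnerability",
    ("OWASP", "Countermeasure"): "Control",
    ("CAPEC", "Attack Pattern"): "Threat",
}

# Constructed sample records, shaped like entries collected from the communities.
RECORDS = [
    {"src": "CWE", "kind": "Weakness", "id": "ex:cwe/Injection"},
    {"src": "CWE", "kind": "Weakness", "id": "ex:cwe/SqlInjection", "parent": "ex:cwe/Injection"},
    {"src": "CAPEC", "kind": "Attack Pattern", "id": "ex:capec/SqlInjectionAttack",
     "links": {"exploits": ["ex:cwe/SqlInjection"]}},
    {"src": "OWASP", "kind": "Countermeasure", "id": "ex:owasp/ParameterizedQueries",
     "links": {"mitigates": ["ex:cwe/SqlInjection", "ex:cwe/Missing"]}},
    {"src": "OWASP", "kind": "Glossary", "id": "ex:owasp/Misc"},  # no unified concept
]

def linkify(records, term_map):
    """Make implicit knowledge explicit: return (triples, rejected_ids)."""
    roots = {r["id"]: term_map.get((r["src"], r["kind"])) for r in records}
    accepted = {i for i, root in roots.items() if root}
    triples = set()
    for r in records:
        if r["id"] not in accepted:
            continue
        parent = r.get("parent")
        # Taxonomy: hang the resource under its parent, else under the unified root.
        triples.add((r["id"], "subClassOf", parent if parent in accepted else roots[r["id"]]))
        for prop, targets in r.get("links", {}).items():
            # Property values: keep only links whose target was integrated too.
            triples.update((r["id"], prop, t) for t in targets if t in accepted)
    return triples, sorted(set(roots) - accepted)

def root_of(triples, node):
    """Walk subClassOf edges up to the unified root concept."""
    parents = {s: o for s, p, o in triples if p == "subClassOf"}
    seen = set()
    while node in parents and node not in seen:
        seen.add(node)
        node = parents[node]
    return node

def controls_for_threat(triples, threat):
    """Controls that mitigate any vulnerability the given threat exploits."""
    vulns = {o for s, p, o in triples if s == threat and p == "exploits"}
    return sorted(s for s, p, o in triples if p == "mitigates" and o in vulns)
```

Records whose type has no unified concept are returned as rejected rather than silently integrated, which is where an expert curator would step in.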
VulneraPedia Version
You can see details of the current version of the VulneraPedia knowledge base on the Current Version Page.
VulneraNet
This semantic wiki and the VulneraPedia knowledge base inside it (including the underlying main ontology) have been developed as part of the research of the VulneraNet R&D Project.
A major objective of the VulneraNet project is to research improvements in knowledge management for security consultancy through the application of social labeling techniques to processes and vulnerabilities. To carry out this research, one of the approaches followed has been to define a collaborative tool for troubleshooting, which tries to validate the use of social networks to facilitate the security audit work of an audit team and improve communication with the development team.
Given the organizational and structural capacity of semantic technologies, and the ease with which wikis create very active and open communities (with an enormous capacity for generating and editing content), this line of work has concluded that the semantic wiki concept is an ideal solution for research on the subject of study.
A wiki can be defined as a web application whose pages can be edited by multiple volunteers through a browser, allowing different users to create, modify or delete shared information. Each page of a wiki is identified by an unequivocal title. Starting that title with two brackets anywhere in the wiki will automatically create a link to the page in question, creating a global structure. With these simple rules, a portal with great organizational capacity is built, allowing the community to share, debug and enrich large amounts of information.
The main use of a wiki is to create and improve pages instantly, giving the user great freedom through a simple interface. With one click a user can start editing a page, and with another click save the updated page so that other users can immediately load the changes. This leads to a considerable number of users being involved in editing, unlike traditional systems where it is difficult for users of the site to improve it. Administration of the wiki is also very simple: for example, you can view the edit history of a page, looking at the differences between each change and the date and user who made it, and revert changes from the history with a button click.
Besides the benefits already discussed, there is an innovative vision of the wiki concept that exploits its organizational capacity through Semantic Web concepts: the semantic wiki. A semantic wiki comes from implementing a knowledge model in the wiki concept. Semantic wikis, unlike plain wiki applications, provide the ability to formalize information about the data stored on the site and to establish a hierarchy of relationships between these data, so that the information contained in the application can be exported or queried like a database, using the Entity-Relationship model.
What is a vulnerability?
A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. The term "vulnerability" is often used very loosely. However, here we need to distinguish threats (attacks) and controls (countermeasures).
Browser Compatibility
- VulneraPedia has been thoroughly tested with Mozilla Firefox, versions 3.6.x. We strongly suggest using this browser and these versions with VulneraPedia.
- You may experience some strange layout behavior with Chrome and Safari.
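Project co-funded by the Ministerio de Industria, Turismo y Comercio (Spanish Ministry of Industry, Tourism and Trade) within the Plan Nacional de Investigación Científica, Desarrollo e Innovación Tecnológica 2008-2011 (National Plan for Scientific Research, Development and Technological Innovation).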
TSI-020302-2009-64
TSI-020100-2010-966
