Security Assurance of REST API based applications

Abstract

Security assurance is the confidence that a system meets its security requirements, based on specific evidences that an assurance technique provide. In this thesis, I have proposed a quantification method which aims to develop security assurance profiles by measuring the level of security of a REST API. The notion of measuring security is complex and tricky, existing approaches are often based on manual review and time consuming tasks. In addition, there is little research work done on quantification of security assurance for REST APIs.

A common perspective has been to focus on the vulnerabilities of a system while security testing. However, security requirements are not tend to get enough attention during a security test. The main approach of this thesis was to look at both requirements and vulnerabilities to accomplish a level of security assurance. Appropriate metrics were defined to reflect the \textit{requirement fulfillment} and the \textit{vulnerability presence}. The requirements were declared to be fulfilled if their associated security mechanisms were present. Vulnerabilities were on the other hand sorted into their relevant categories and assigned a risk score. The security assurance metric was defined as an equation where the vulnerability metric was subtracted from the requirement metric.

The case studies were carried out at Statistics Norway, where the author is employed. Analyzes showed that the API with the most security mechanisms implemented got a slightly higher security assurance score. This was due to the fact that the vulnerabilities were considered more harmful in one of the cases as the security objectives diverged.

The proposed quantification method can be re-used on any other domain, by altering the lists of requirements and vulnerabilities.