Enhancing the security measures for web based application / Herman Md Tahir

Security measures for a web based application can vary depending on organization objectives. An international standard is a good baseline or reference for measuring the security level of a web based application. The ISO/IEC 9126-1 defined the quality model for software product, consisting of characteristics namely Functionality, Reliability, Usability, Efficiency, Maintainability and Portability and its' sub characteristics. Security on the other hand is identified as one of the sub characteristic of Functionality. The ISO/IEC TR 9126-2 further explained the quality model of ISO/IEC 9126-1 by defining the measures or metrics for the sub characteristics. However, the existing ISO/IEC TR 9126-2 that was last revised in 2003 is limited in term of exposure to the latest IT and SE technology. It is also reported to be having certain weaknesses (Rafa A, 2009). Furthermore the standard defines general measures or metrics which can be applied to any type of product. Rightfully, a different type of application requires more specific security measures than the existing ones in the standard. Industry guidelines such as the Open Web Application Security Project (OWASP) and the Information Security Management Systems (ISMS) are another source to identify the security measures. This research is aimed at studying the current practice for measuring the security of a web based application and eventually proposes additional Security measures for web based application based on collective industry best practices, practitioners experience and input and expert opinions. Based on content analysis and interviews conducted on experts, summarized in this report is the proposed additional security measures or metrics for web based application.