A study on traditional methods and large language models (LLM) in web application security at defense industry companies
A study of traditional methods vs. (LLM) agents results in web application security for defense industry companies
- Thesis No: 886846
- Advisor: PROF. DR. KEMAL BIÇAKCI
- Thesis Type: Master's
- Subjects: Computer Engineering and Computer Science and Control, Defense and Defense Technologies
- Keywords: Not specified.
- Year: 2024
- Language: Turkish
- University: İstanbul Teknik Üniversitesi
- Institute: Fen Bilimleri Enstitüsü (Graduate School of Science and Engineering)
- Department: Defense Technologies
- Program: Defense Technologies
- Number of Pages: 77
Abstract (translated from Turkish)
As web applications have developed and their use has grown, companies tend to expose more of their resources to external access in order to present their services more effectively and quickly. However, the easy reachability and growing use of web applications can leave company assets accessible to any user. As a consequence, companies operating in sectors of critical importance, such as the defense industry in particular, may increase their attack surface. Moreover, the presence on the attack surface of web applications of the security weaknesses listed in the OWASP Top 10 can expose defense industry companies' web applications to potential threats. The main aim of this research is to develop a metric for measuring the attack surface of defense industry companies' web pages and to compare companies of similar size selected from different countries. The research examines the web application attack surface and web application security in detail. The developed metric enriches the attack surface parameters and makes them more understandable by removing parameters that have fallen out of use. The parameters used to calculate the metric are grouped under 9 main headings. A framework was developed in the Python programming language to calculate the attack surface parameters, and its use is explained in detail. The results obtained were evaluated through visuals and compared with ChatGPT-4o results. As a result of the research, an attack surface metric usable by web applications was created, and a framework was provided for other users to compare different web applications or to observe the change in attack surface between different versions of the same web application.
In addition, recommendations were made for attack surface metric calculations with the ChatGPT-4o model.
Abstract (English)
Defense industry companies are constantly engaged in a struggle against cyber attacks, information leaks, and other potential threats to ensure the security of their products. This means that these companies not only need to gain the trust of their customers but also must protect their international reputation. Keeping attack surfaces as small as possible is a key element of the cybersecurity strategies of defense industry companies. To achieve this, various security measures need to be taken to limit security vulnerabilities, protect information, and enhance the resilience of products. However, before implementing security measures, it is essential to know the attack surface of the cyber assets owned. The attack surface of a system is the set of ways through which an adversary can enter the system and potentially cause harm. Reducing the attack surface decreases the number of channels through which systems can be attacked by malicious actors or bots, making the system more secure. To know the attack surface, it is crucial to first understand the assets of the company. For companies, web applications, especially corporate websites used for promotional purposes, are among the assets accessible to all internet users. Therefore, the most common software systems that expose the attack surface of defense industry companies are web applications. Web applications use HTTP as the communication protocol between browsers, acting as clients, and web servers, and they share common concepts and technologies, with different execution environments on the server and client sides. This common platform brings with it common security considerations and issues for web applications, as demonstrated by OWASP's Top 10 Web Application Security Risks. Securing a web application is interconnected with securing a web server, and it involves a complex division of tasks shared by application developers and system engineers.
Cloud engineers/system engineers are responsible for ensuring cloud and server security. In this context, developers have various responsibilities, such as using security mechanisms and functions correctly, avoiding specific software errors, following design principles, using up-to-date and secure technologies, and reducing the attack surface of the application. Systems used to reduce the attack surface must be measurable. With the attack surface metric, the attack surface becomes measurable, and applications or versions become comparable. Applications and architectures can be strengthened using attack surface measurements. Security metrics and measurements are necessary for software developers and cloud management personnel to evaluate security improvements in their software and architecture qualitatively and quantitatively. In this context, defense industry companies need to continuously update and improve security policies to effectively defend against both internal and external threats. Collaboration and information sharing within the industry are crucial for providing more effective defense against common threats. The efforts of defense industry companies to protect their assets and products play a critical role not only in strengthening national security but also in ensuring global stability. It is essential to aim for minimal attack surfaces for defense industry companies' web applications, and measuring the attack surface is necessary in this regard. Periodic measurement of the attack surface of web applications should be included in security testing processes. However, for the measurement of the attack surface, the need for an attack surface metric arises. While there have been studies on web application attack surface metrics in the past, the rapid development of the software industry requires the inclusion and exclusion of some metrics. 
The main aim of this research is to develop a metric to measure the attack surfaces of defense industry companies' web pages and to make comparisons between similar-sized companies selected from different countries. The research extensively examines the web application attack surface and web application security. Four companies were selected for ranking from the world's largest 100 defense industry companies, with Turkey (T company), South Korea (K company), Germany (G company), and the United Kingdom (E company) being the chosen countries, and an attack surface metric was developed to measure the attack surface. The developed metric enriches attack surface parameters and makes them more understandable by removing parameters that have fallen out of use. When calculating the metric, parameters were grouped under nine main headings: degree of distribution, dynamic, security, input, active, cookie, role, rights, and infrastructure. The degree of distribution parameter evaluated the web application's dependent domain name, subdomain name, and external domain name counts. The dynamic parameter assessed whether the web application's technology is dynamic or static. Security parameters checked the use of TLS and validation controls in the web application, along with the presence of blocking against incoming malicious requests. Input parameters covered user inputs and entry paths into the application, evaluating the presence of URLs affecting the attack surface, the existence of forms in the application, the presence of hidden forms, the need for authentication, the existence of file upload functions, and the search status. Active content control examined whether JavaScript scripts developed in the web application are executed, whether JavaScript code from an external source is executed, server-side script execution status, the use of Java and Ajax, and the presence of a feed in the application. Flash technology parameters, found in previous studies, were removed.
The cookie section checked internal and external cookie usage, and the role section examined the presence of roles and rights for application users. Infrastructure involved open port scans, evaluating open ports other than ports 80 and 443, which are used for web applications. The Python programming language was used to develop a framework for calculating attack surface parameters, and this framework was explained in detail. The code written for parameter calculation was made open source on a GitHub account for everyone to use. An interface was created using HTML and JavaScript to visualize the attack surface vector. The results obtained were evaluated through visual tools. As a result of the application implemented in the research, it was observed that the T company's web application has a lower attack surface. K company's attack surface is 87% larger than T company's. G company was found to have about 43% more attack surface than T company. E company, on the other hand, has 72% more attack surface compared to T company. The size of the attack surface for E company was influenced by the number of cookies. According to the results, T company managed to keep the attack surface of its web page lower. However, it was determined that K company uses outdated web technologies. Using an old version of software increases the attack surface and is a vulnerability in the sixth-highest risk category according to the OWASP Top 10; it was seen as a factor that qualitatively increases the attack surface for K company. In addition, open ports other than 80 and 443 were detected in the domains of K company. Open ports accessible to all users can lead to vulnerabilities from misconfigurations according to the OWASP Top 10, increasing the attack surface. The obtained results have been evaluated through visuals and compared with ChatGPT-4o results.
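To make the nine-heading structure concrete, here is an added example (not the thesis's open-source framework) that records one site's observed parameters under the headings described above, turns them into an attack surface vector, and reports the percentage difference between two sites in the form the abstract uses. The per-heading scoring, the plain sum used for comparison, and the two sample sites are assumptions constructed for this example; the thesis's own formula and T/K/G/E data are not reproduced here.

```python
# Attack-surface vector under the thesis's nine headings. The per-heading scoring
# and the summed total used for comparison are this example's assumptions.
from dataclasses import dataclass, field

WEB_PORTS = {80, 443}  # baseline from the thesis: ports expected to be open


@dataclass
class Observation:
    """One site's measured parameters, grouped by heading (assumed field set)."""
    dependent_domains: int = 0; subdomains: int = 0; external_domains: int = 0  # distribution
    dynamic: bool = False                                                       # dynamic
    tls: bool = True; input_validation: bool = True; blocks_malicious: bool = True  # security
    attack_urls: int = 0; forms: int = 0; hidden_forms: int = 0                 # input
    has_auth: bool = False; file_upload: bool = False; search: bool = False     # input
    own_js: bool = False; external_js: bool = False; server_scripts: bool = False  # active
    java: bool = False; ajax: bool = False; feed: bool = False                  # active
    internal_cookies: int = 0; external_cookies: int = 0                        # cookie
    roles: int = 0; rights: int = 0                                             # role, rights
    open_ports: set = field(default_factory=set)                                # infrastructure


def attack_surface_vector(o: Observation) -> dict:
    """0 means no exposure under a heading; each extra entry path or missing control adds 1."""
    return {
        "distribution": o.dependent_domains + o.subdomains + o.external_domains,
        "dynamic": int(o.dynamic),
        "security": int(not o.tls) + int(not o.input_validation) + int(not o.blocks_malicious),
        "input": o.attack_urls + o.forms + o.hidden_forms
                 + sum(map(int, (o.has_auth, o.file_upload, o.search))),  # login counted as an entry path
        "active": sum(map(int, (o.own_js, o.external_js, o.server_scripts, o.java, o.ajax, o.feed))),
        "cookie": o.internal_cookies + o.external_cookies,
        "role": o.roles,
        "rights": o.rights,
        "infrastructure": len(o.open_ports - WEB_PORTS),  # only ports beyond 80/443 count
    }


def relative_increase(base: Observation, other: Observation) -> int:
    """Percent by which other's summed surface exceeds base's (assumed aggregation)."""
    b = sum(attack_surface_vector(base).values())
    o = sum(attack_surface_vector(other).values())
    return round(100 * (o - b) / b)


# Constructed observations for two hypothetical sites (not the thesis's T/K/G/E data).
SITE_A = Observation(subdomains=2, dynamic=True, forms=1, own_js=True, internal_cookies=2)
SITE_B = Observation(subdomains=4, external_domains=3, dynamic=True, tls=False, forms=3,
                     hidden_forms=1, has_auth=True, own_js=True, external_js=True, ajax=True,
                     internal_cookies=4, external_cookies=2, open_ports={22, 80, 443, 8080})

if __name__ == "__main__":
    for name, site in (("A", SITE_A), ("B", SITE_B)):
        print(name, attack_surface_vector(site))
    print(f"B is {relative_increase(SITE_A, SITE_B)}% larger than A")
```

Rerunning the same observation for a new release of one site and comparing the two vectors shows which heading grew, which is the version-to-version use the abstract describes.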
As a result of the research, an attack surface metric that web applications can use has been created, and a framework has been provided for other users to compare different web applications or to observe the change in the attack surface of the same web application across different versions. We also provided recommendations for attack surface metric calculations with the ChatGPT-4o model. With our research, the developed metric can be used by defense industry companies for testing web applications, and comparisons can be made between new and old versions of web applications. For researchers, the attack surface of web applications can be measured and compared.