While websites are becoming more and more complex daily, the difficulty of managing them is also increasing. It is important to conduct regular maintenance on these complex websites to strengthen their security and improve their cyber resilience. However, misconfigurations and vulnerabilities are still being discovered on some pages of websites, and cyberattacks against them are never-ending. In this paper, we take the novel approach of applying the concept of security governance to websites and, as part of this, of measuring the consistency of software settings and versions used on these websites. More precisely, we analyze multiple web pages with the same domain name and identify differences in the security settings of HTTP headers and versions of software among them. After analyzing over 8,000 websites of popular global organizations, our measurement results show that over half of the tested websites exhibit differences. For example, we found websites running on a web server whose version changes depending on access and using a JavaScript library with different versions across over half of the tested pages. We identify the cause of such governance failures and propose improvement plans.
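As an added illustration of the consistency measurement the abstract describes (example code written here, not the paper's own tooling): given the response headers and HTML observed on several pages of one domain, the script groups pages by the value of each security header, each version-revealing header and each versioned script library, and reports every key on which the pages disagree. The tracked header list, the script-name regex and the example.test sample are assumptions.

```python
from collections import defaultdict
import re

# Keys that should be uniform across pages of one domain: security
# headers plus software/version indicators (the list is an assumption).
TRACKED = ("strict-transport-security", "content-security-policy",
           "x-frame-options", "x-content-type-options", "server", "x-powered-by")
# Versioned script filenames such as jquery-3.5.1.min.js -> ("jquery", "3.5.1")
SCRIPT_RE = re.compile(r'src="[^"]*?([a-z]+)-(\d+\.\d+(?:\.\d+)?)[^"/]*\.js"', re.I)

def observe(headers, html):
    """One page's observation: lower-cased headers plus lib:<name> -> version."""
    obs = {k.lower(): v.strip() for k, v in headers.items()}
    obs.update({f"lib:{n.lower()}": v for n, v in SCRIPT_RE.findall(html)})
    return obs

def find_inconsistencies(observations):
    """observations: {url: observation}. Returns {key: {value: [urls]}} for
    every tracked key or library whose value differs across pages; a missing
    key counts as '<absent>', so a page that lacks HSTS is reported too."""
    keys = set(TRACKED)
    for obs in observations.values():
        keys |= {k for k in obs if k.startswith("lib:")}
    result = {}
    for key in sorted(keys):
        by_value = defaultdict(list)
        for url, obs in sorted(observations.items()):
            by_value[obs.get(key, "<absent>")].append(url)
        if len(by_value) > 1:      # more than one distinct value: inconsistent
            result[key] = dict(by_value)
    return result

# Constructed sample: three pages under a placeholder domain. The third page
# runs a different server and an older jQuery and lacks HSTS.
SAMPLE = {
    "https://example.test/": observe(
        {"Server": "nginx/1.18.0", "Strict-Transport-Security": "max-age=31536000",
         "X-Frame-Options": "DENY"}, '<script src="/js/jquery-3.5.1.min.js"></script>'),
    "https://example.test/login": observe(
        {"Server": "nginx/1.18.0", "Strict-Transport-Security": "max-age=31536000",
         "X-Frame-Options": "DENY"}, '<script src="/js/jquery-3.5.1.min.js"></script>'),
    "https://example.test/old/news": observe(
        {"Server": "Apache/2.4.29", "X-Frame-Options": "SAMEORIGIN"},
        '<script src="/legacy/jquery-1.12.4.min.js"></script>'),
}

if __name__ == "__main__":
    for key, groups in find_inconsistencies(SAMPLE).items():
        print(key, {value: len(urls) for value, urls in groups.items()})
```

Headers and HTML for a real site would come from your own crawler; the comparison logic is independent of how the pages were fetched.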
Yuta TAKATA
Deloitte Tohmatsu Cyber LLC
Hiroshi KUMAGAI
Deloitte Tohmatsu Cyber LLC
Masaki KAMIZONO
Deloitte Tohmatsu Cyber LLC
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Yuta TAKATA, Hiroshi KUMAGAI, Masaki KAMIZONO, "The Uncontrolled Web: Measuring Security Governance on the Web" in IEICE TRANSACTIONS on Information, vol. E104-D, no. 11, pp. 1828-1838, November 2021, doi: 10.1587/transinf.2021NGP0003.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2021NGP0003/_p
@ARTICLE{e104-d_11_1828,
author={Yuta TAKATA and Hiroshi KUMAGAI and Masaki KAMIZONO},
journal={IEICE TRANSACTIONS on Information},
title={The Uncontrolled Web: Measuring Security Governance on the Web},
year={2021},
volume={E104-D},
number={11},
pages={1828-1838},
keywords={},
doi={10.1587/transinf.2021NGP0003},
ISSN={1745-1361},
month={November}
}
TY - JOUR
TI - The Uncontrolled Web: Measuring Security Governance on the Web
T2 - IEICE TRANSACTIONS on Information
SP - 1828
EP - 1838
AU - Yuta TAKATA
AU - Hiroshi KUMAGAI
AU - Masaki KAMIZONO
PY - 2021
DO - 10.1587/transinf.2021NGP0003
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E104-D
IS - 11
JA - IEICE TRANSACTIONS on Information
Y1 - November 2021
ER -