Analysis of Web Application Security Management in Context of Nepal’s Organizations
Abstract
We use web-based applications in many aspects of our lives, including banking, healthcare, sports, entertainment, media, learning, and commerce. As a result, web applications are now relied on for many tasks and daily activities. These applications hold sensitive and essential data that needs to be safeguarded. In numerous sectors of Nepalese society, cyberattacks and threats have been gradually increasing. Security has been largely neglected despite being a crucial aspect of developing web applications. This thesis aims to study how organizations in Nepal perceive and practice web application security management. It investigates the use of security practices related to the Open Web Application Security Project (OWASP) among security experts in Nepal, to understand how different practices, approaches, and mitigations of security vulnerabilities are employed in Nepalese organizations. The thesis covers both technical and non-technical aspects of web application security management. The study followed a mixed-method approach, specifically a sequential explanatory research design. A survey was conducted first, from which eighty-seven valid responses were obtained. Interviews with six security experts were then conducted to understand the context better. We found that many organizations do not follow standard security practices and lack the necessary experience in secure coding, which might lead to security-related issues. We also discovered that organizations did not consistently consider security at each stage of the software development cycle.
We identified several factors that affect secure practices in the context of Nepalese organizations: human factors (security knowledge and training; security awareness; attitudes, beliefs, and behavior; motivation; and national culture), policies, organizational communication, experiencing a security incident, technology advancement, and resource constraints (budget, time, manpower). This study contributes to the field of information security research.