JP2010287118A - Web site security information display system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To sufficiently understandably and clearly exhibit, to a general user, a state of security concerned in use of a web site by the general user, and quality of compensation when a problem occurs. <P>SOLUTION: This system includes a terminal 100 used by the general user; a general web site A providing a content, and a site B security-monitoring the site A as an object. The site B performs processing to display information including a security level (SL), that is multivalued evaluation information about a security state of the site A, on a screen of the terminal 100 in a form of an image G1, based on monitoring result information of the site A, when accessing the site A by the terminal 100. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to information (IT) security technology, and more particularly to security audit (inspection, diagnosis, etc.) technology.

  When a general user accesses a Web site (Web page) from a terminal and uses the information (content, service, etc.) on the Internet, there is generally a security risk. For example, there is a possibility of leakage of user personal information on an EC (electronic commerce) site or the like.

  As countermeasures against the above, various security products (software and hardware) are used. For example, as a general technique, there is an anti-virus function used by a terminal or the like. In addition, there is a function of inquiring / verifying a server (database) that updates and holds security-related information (such as vulnerability information) as needed.

  At present (conventional), there is a mechanism for notifying a general user (terminal) that a certain security product is being used in the above-described Web site or the like (providing and managing the same). For example, there is VeriSign Secured Seal (registered trademark) (Non-Patent Document 1).

  According to Verisign Secured Seal, general users should verify and confirm that the Web site on which the seal (image) is posted actually exists and that communication is encrypted by SSL. Can do. The Web site operator posts the sticker (image) on the Web page, thereby improving the reliability of the site with respect to general users.

  Further, as a prior art example related to a security audit of a Web site, for example, there is a security audit tool (“network vulnerability inspection tool”) such as Non-Patent Document 2. According to this technology, vulnerability inspection (non-destructive scanning) of servers, clients, network devices, etc. via a network is performed, and vulnerability detection and reporting are performed. In non-destructive scanning, inspection is implemented without executing an attack code on the target (operating server or the like).

  In addition, with respect to security level standards, for example, there are “Guidelines for Electronic Authentication” (NIST) (Non-Patent Document 3).

  As a prior art example related to the audit, there is JP-A-2003-140987 (Patent Document 1).

JP 2003-140987 A

Verisign Secured Seal, VeriSign Japan, Internet, <URL: http://www.verisign.co.jp/index.html> "Network vulnerability inspection tool" (Retina Network Security Scanner), Sumisho Information Systems Co., Ltd., Internet, <URL: http://www.scs.co.jp/eeye/retina.html> “Guidelines for Electronic Authentication”, National Institute of Standards and Technology (NIST), April 2006, (Translation Supervisor) Information-technology Promotion Agency, NRI Secure Technologies, Inc., Internet, <URL: http: // www.ipa.go.jp/security/publications/nist/documents/SP800-63-J.pdf>

  There is a mechanism for notifying a general user about the use of a predetermined security product related to a Web site, such as the above-mentioned seal, etc., related to the security audit technology of the Web site. On the other hand, there is generally no security product that guarantees 100% safety (risk can be reduced but not zero).

  Therefore, at present, even if information related to Web site security is provided to general users using the above-described stickers and various security products, it cannot be said that the guarantee is 100%. In the conventional display information of this type, whether it is OK or NG is generally presented regarding the security of the site, or detailed information that is difficult to understand for general users is presented, and it is more easily understood. It does not present information (for example, a specific security level). That is, for general users, there is a vague possibility (risk) of encountering a problem (damage or the like) such as leakage of personal information in the use of a website, and it is difficult to realize the magnitude of the possibility (risk).

  As described above, in the past, general users have insufficient or unclear information about the security status (the magnitude of the risk that a problem will occur or the level of effectiveness of countermeasures) related to website use. . Furthermore, information on the quality of compensation / compensation (or content of guarantee of rights before the problem occurred) in the event of a problem is insufficient or unclear.

  In view of the above, the main object of the present invention relates to the security audit technique, and provides information on the security status and the like related to the use of a website by a general user on a communication network (Internet) to the general user. It is to provide a technique that can be presented sufficiently clearly and clearly and that can improve the reliability of Web site management.

  Of the inventions disclosed in the present application, the outline of typical ones will be briefly described as follows. A typical embodiment of the present invention is a technology of an information processing system that performs processing such as an audit of information security related to a website on the Internet, and has the following configuration.

  In this embodiment, information related to the security status of a general user's use of the website is presented to the general user in an easy-to-understand manner, and is not limited to binary information such as OK / NG that has been conventionally presented. Provides value information (security level, etc.).

  This form is a system for providing information related to information security of a website, and is a general system that provides content and services such as a web page to a terminal used by a general user and a user terminal on a communication network. A first information processing system that manages the Web site; and a second information processing system that performs an audit related to information security for the Web site. The second information processing system is involved in the process of creating audit result information by executing the process of auditing information security for the website (data such as content) and the access to the website by the user terminal, Based on the audit result information, the second information processing system displays display information (such as an image) including multi-value evaluation information (security level) related to the information security status of the website on the screen of the user terminal And processing to be performed.

  Display information such as images presented to the user represents binary evaluation information such as the security level (SL) (multi-level evaluation information) and OK / NG of the target site, and further the quality of compensation when a problem occurs. It may include insurance information.

  The effects obtained by typical ones of the inventions disclosed in the present application will be briefly described as follows. According to a typical embodiment of the present invention, information relating to the security status related to the use of a Web site by a general user on a communication network is sufficiently provided to the general user. It can be presented clearly and clearly, and the reliability of website management can be improved.

It is a figure which shows the structure outline | summary, the characteristic, etc. of the information processing system (Web site security information display system) of one embodiment of this invention. It is a figure which shows the structural example (independent server system type) of a hardware and a process part in the system of this Embodiment. It is a figure which shows a process part and a process sequence in the system of this Embodiment. It is a figure which shows the structural example etc. of data information in the system of this Embodiment. It is a figure which shows the example of a screen display in the system of this Embodiment. It is a figure which shows the structural example (plug-in type) of a hardware and a process part in the system of this Embodiment.

  Hereinafter, an embodiment (Web site security information display system) of the present invention will be described in detail with reference to the drawings (FIGS. 1 to 6). Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted.

<Overview>
The outline and characteristics of the configuration of the information processing system (including the Web site security information display system) of this embodiment will be described below with reference to FIG. As a basic feature, there is a function of displaying security audit result information (information on security status evaluation, particularly security level (SL) information) on a general user terminal.

  In this system, a security audit related to a general target website A (first information processing system 1) used by a general user (terminal 100) on the Internet 90 is performed as an audit site B (second information processing system 2). To do. Then, the information on the security status based on the audit result information (and related insurance (compensation) information, etc.) in the form of an image G associated with the Web page of the site A is displayed on the screen of the user terminal 100. To display.

  In particular, the display information based on the image G includes information on the security level (SL) of the target site A. Further, the information on the related insurance (compensation) includes information such as the insurance participation status and the insurance rank of the target site A.

  The user (terminal 100) recognizes the security status of the site A (and the quality of insurance (compensation) related thereto) in an easy-to-understand manner by referring to the image G when using (accessing) the site A. can do.

<System>
A configuration example of the hardware and software of this system, a processing unit (program or logic), etc. will be described with reference to FIG. 2 (and FIG. 1 etc.). The entire system includes a terminal 100 (PC, mobile phone, etc.) used by general users and a first information processing system 1 that provides and operates a site A (target website) on the Internet (communication network) 90. And a second information processing system 2 that provides and operates a site B (audit site). The terminal 100 includes a web browser 110 and the like. Communication between processing units at each site is possible via the Internet 90. It is not always necessary to provide a web page for sites other than the site A.

  In this system, as a form of implementation of main functions (functions for providing an image G such as SL), the system corresponds to the site B as shown in FIG. The main functions are provided by the second information processing system 2 (independent server system). The terminal 100 can obtain an image G such as SL by accessing the site B (server) (processing A). No special software or the like is required on the terminal 100 side.

  The site A (information processing system 1) is a system that provides a general Web site to a general user (terminal 100). The site A is configured by a general server system, for example. The site A includes, for example, a Web server device 101 that implements the Web server (content providing unit) 10, a DB 102 that stores the content data 50 (entire site A), and the like. The target website A is, for example, an EC (electronic commerce) site, a bank (online banking) site, or the like, and includes a site where a transaction such as an account transfer occurs. Site A is subject to audit by Site B. Further, the site A may be a site in which an insurance contract relating to information security of the site is concluded with an external insurance company or the like. Note that the number of sites A is not limited to one, and can be plural (in particular, when auditing a large number of sites A and providing insurance with a large number of sites A as subscribers).

  The site B (information processing system 2) is an audit system that performs security audit of the target site A, provision of the SL image G, and the like. The system at the site B is configured by a general server system, for example. The site B includes, for example, a Web server device 201 that implements the image (G) providing unit 21 and the like, an audit processing device (computer) 202 that implements the auditing unit (Web site security auditing unit) 22 and the like, each data information (audit information) DB 61 and DB 203 for storing contract information DB 62).

  The G providing unit 21 (Web server device 201) provides services (functions and contents) of the site B including a function of providing an image G (display information) for confirmation of SL of the target site A to the terminal 100 of the general user. Etc.).

  The audit unit 22 (audit processing apparatus 202) executes an audit process for the site A related to the provision of the image G.

  Based on the audit result information (audit information DB 61) of the target site A, the G providing unit 21 determines and confirms the information on the security level (SL) of the target site A and the quality of compensation related thereto, and the result The image G (display information) based on is transmitted to the user terminal 100 and displayed.

  Specifically, the G providing unit 21 includes an audit information determining unit 211, a contract information determining unit 212, and a transmission information determining unit 213. The audit information determination unit 211 determines the SL of the target site A and the like. The contract information determination unit 212 determines the contract relationship and insurance (compensation) information of the target site A. The transmission information determination unit 213 finally determines the image G to be transmitted in response to the terminal 100 and performs response transmission processing.

  The audit unit 22 performs an audit process on the target site A (content data 50) at a predetermined periodic timing such as once a day via the Internet 90, and as a result, includes the SL at that time. Audit result information is stored in the audit information DB 61.

  Further, a specific processing unit (G providing unit 21 or the like) at the site B stores the contract relationship information related to the target site A in the contract information DB 62. In particular, insurance contract information provided from an external insurance company or the like may be stored in the contract information DB 62.

  In addition to the above forms, for example, the G providing unit 21 and the auditing unit 22 constituting the site B may be separated into different systems and cooperated.

  In the present embodiment, SL and the like are determined by the auditing unit 22 each time, but may be performed by the G providing unit 21.

<Data information>
With reference to FIG. 4 and the like, data information handled by the present system and an example of its structure will be described below.

  (Site A) The site A has content data 50 (the entire site A) handled by the Web server 10 or the like. This content data 50 is data such as Web pages constituting the entire site A, and a plurality of Web pages (content data) 52 such as HTML and JSP, and link information to the image G (or site B) are described. Web page (Web page with G link) 51 such as HTML.

  In this example, the web page 51 with G link includes content in the page 51, and the image G displayed by the link is information such as an audit result on the page (51) itself. As another form, the image G displayed by the G-linked page 51 may represent information such as an audit result regarding a Web page or the like of other content instead of the page 51. Moreover, about the display of the page 51 with G link and the image G, it is good also as a form made into one of all the pages (50), for example, and the site A operator wants to show the said display information with respect to a general user for every page The image G may be displayed on the screen.

  (Site B) The DB 203 of the site B includes an audit information DB (Web site security audit result information DB) 61 and a contract information DB (Web site contract information DB) 62. The DB 203 also stores image G data (63).

  In the audit information DB 61, as a role, information on the security status of the target site A is managed. As a specific example of the information, audit result information including SL information is included.

  The audit information DB 61 in FIG. 4 includes audit target site information, its URL (address information), audit result information for each audit execution timing (date and time), and the like. The audit result information includes information such as the value of each audit item and the security level (SL). The audit items include the number of contents, login method (type), and SQL injection countermeasures.

  The number of contents is the number of contents (Web page, file, etc.) constituting the target site. The login method is information such as the type of login method that affects the audit result (security state). SQL injection is an item that affects the problem of leakage of personal information as an example of an audit item, and a numerical value for the countermeasure is calculated. The audit items include various items according to the auditing method (and related insurance types, etc.) applied by the auditing unit 22.

  In the contract information DB 62, the role is to manage information on the quality of compensation when a problem (damage or the like) occurs in relation to the security status of the target site A, and contract related information on the target site A related thereto. . As specific examples of the information, insurance information is included. The insurance information is insurance contract information of an insurance provided by an external insurance company or the like and subscribed by the site A. If there is a contract relationship other than insurance (for example, a contract related to audit), the contract information may also be included. Further, when a plurality of types of insurance are handled by one insurance company (or a plurality of insurance companies), a plurality of insurance information is included.

  The contract information DB 62 in FIG. 4 includes target site information (insurance contract site) and contract information (insurance contract information, etc.). As insurance contract information, insurance identification information (insurer (insurance company) and insurance type, etc.) and insurance rank (multi-level evaluation information of the quality of compensation) regarding one or more insurances to which the target site A is subscribed ) Etc.

  The example of each data information of FIG. 4 is as follows. In the information in the audit information DB 61, the target site A provides content such as a Web page with a predetermined URL. In the audit result of an audit date and time (March 12, 2009), the total number of contents of site A is 999, and the login method is, for example, the one-time password method (type # 1). As an audit item, for example, the numerical value of SQL injection countermeasures is 97%. As a result, the current SL is determined to be 9 (“Aaa”, “OK”).

  In the present embodiment, the audit result information stored in the audit information DB 61 includes, in particular, a numerical value of the security level (SL) that is evaluated and calculated by the audit unit 22. For example, the SL level is evaluated with a value of 1 to 9 at the minimum. Further, for example, a rating notation such as “Aaa” for the highest level and “C” for the lowest level may be used (example based on the rating notation in the financial field). Further, “OK” (security OK) may be determined when SL is equal to or higher than a predetermined level, and “NG” (security NG) may be determined when SL is less than a predetermined level.

  Further, in the information of the contract information DB 62, the target site A has previously contracted and subscribed to a predetermined insurance (type: C- # 1) with an external insurance company (and the audit site B), for example. . This insurance contract also includes an audit contract. This insurance (C- # 1) is determined to have an insurance rank of 3 at that time. The insurance rank is, for example, a minimum of 1 to a maximum of 5.

<SL>
The security level (SL) is a value obtained by comprehensively evaluating multi-valued risks related to information security when a general user accesses the target site A. That is, for example, when SL is low, it is determined that the possibility of occurrence of a problem is high. A predetermined type of SL is determined based on a result of a predetermined audit process based on an existing or unique predetermined information security standard.

<Insurance rank>
The insurance rank is a value obtained by evaluating the quality of insurance compensation at the target site A with multiple values. For example, when a general user accesses the target site A and a problem such as damage (for example, leakage of personal information) occurs, the quality of compensation for the general user is determined based on the insurance contract information of the target site A, etc. Value. In other words, it can be called a compensation level. Note that the multi-level evaluation information such as the level and rank may be other expressions such as a score and%.

<Audit items>
In the present embodiment, “login method”, “number of contents”, and the like are also dealt with as audit items (targets). The difference in the login method and the number of contents are reflected in the evaluation calculation of the audit process.

  In general, it is said that the security level of a site varies greatly depending on the login method (for example, Non-Patent Document 3). For example, even for the same Web site A, a plurality of different login methods may be used. In this case, even if the access target is the same content data, the security status of the audit result varies depending on the difference in the login method. The fact that the security level differs depending on the login method means that there is less risk of personal information leakage in the case of a stronger login method. For this reason, in this embodiment, the login method is also handled as one of the judgment materials (audit items), and SL changes according to the difference in the login method.

  In addition, regarding the number of contents, the number of Web pages that can be accessed when performing an audit process and the number of contents that can be downloaded (number of files, etc.) are handled. For example, the number of contents is automatically calculated and updated by the audit unit 22 every time an audit (audit process) is executed. The number of contents is handled as one of the judgment materials based on the idea that the greater the number of contents in the target website A, the higher the risk of problem occurrence (that is, the SL is judged to be low).

<Processing>
In FIG. 1, FIG. 3, etc., there are roughly two processes performed in this system. As processing A, there is a processing sequence indicated by arrows such as A1 to A8, which indicates processing at the time of access by the user terminal 100. Further, as the process B, there is a process sequence indicated by arrows such as B1 to B4, which is a process in the background of this system independent of the process A, for example, a regular / periodic process.

  In the process A, between the general user terminal 100 and the sites A and B, the audit result information (SL etc.) is displayed on the screen of the terminal 100 (partial display area 410 of the Web page 400 of the site A) using the image G. And processing to display information on insurance (compensation, etc.). In particular, “SL” or “OK” / “NG” images are provided as display information of the security status. In addition, as insurance quality display information, images of “insurance rank” and insurance coverage status (“enrolled” / “not subscribed”) are provided.

  In the process B, an audit process between the sites A and B, a process of acquiring contract information between the site B and the external system, and the like are automatically executed.

<Processing A sequence>
The processing A sequence will be described with reference to FIG. Relatedly, FIG. 5 shows a screen display example.

  A1: The user accesses the site A (Web page) from the Web browser 110 of the terminal 100 and uses the content, service, and the like. When accessing a Web page, an operation such as inputting a URL (clicking a link) or the like is appropriately performed by the user. At that time, for example, the user accesses a Web page (51) such as HTML in which a link to the image G is described (A1). This access (A1) is a request by, for example, normal HTTP (or HTTPS).

  A2: In response to the access request of A1, the Web page 51 with the G link is transmitted as a response from the site A to the terminal 100 (A2). In the web page 51 with G link, link information (URL or the like) to the image G (site B) is described. As a result, the Web browser 110 displays the Web page P1 (401) on the screen (FIG. 5). The display content of the Web page P1 (401) includes, for example, a normal content display area and a link information display area (411). The link information is link information to the image G (site B) associated with the web page P1 or another web page P2.

  A3: The user clicks, for example, link information (411) to the image G with the mouse on the Web page 51 with G link displayed on the screen of the terminal 100 (FIG. 5, page P1 (401)). As a result, the link is interpreted by the Web browser 110, and access to the site B (A3) occurs. This access (A3) is a request by, for example, normal HTTP (or HTTPS), and is accompanied by information (for example, URL of site A) indicating “linked from site A”.

  A4: In response to the access request of A3, the site B determines and determines the requested information (image G) by the G providing unit 21 (processing of A4 to A7). For this purpose, the G providing unit 21 activates the audit information determining unit 211, the contract information determining unit 212, the transmission information determining unit 213, and the like, and causes each of them to perform processing.

  A5: The contract information determination unit 212 refers to the contract information DB 62 and acquires (reads) the contract relation information of the target site A. That is, the information of the insurance (for example, C- # 1) to which the target site A is subscribed and the insurance rank (for example, 3) is acquired.

  A6: The audit information determination unit 211 refers to the audit information DB 61 to acquire (read) the audit result information of the target site A. That is, information such as SL (for example, 9) at the latest audit date is acquired.

  A7: The transmission information determination unit 213 determines display information (image G1) to be transmitted in response to the terminal 100 using the information acquired by the processes of A5 and A6. That is, the transmission information determination unit 213, for example, as the image G corresponding to the SL information by A6, “SL” image g1 (the display content includes a specific SL numerical value (example: 9)) and the insurance by A5. As the image G corresponding to the information, image data 63 corresponding to the “insurance rank” image g2 (the display content includes a specific insurance rank numerical value (eg, 3)) is read from the DB 203 or the like.

  A8: Then, the G providing unit 21 transmits data including the determined image G1 (eg, SL (g1), insurance rank (g2)) to the terminal 100 (A8). In addition to the SL and insurance rank, an image of “OK” / “NG” in the security state and an image of “enrolled” / “not subscribed” in the insurance state may be returned. In this example, image data (such as a GIF file) is transmitted. However, other formats, for example, web page data including the image data may be used.

  On the page P1 / P2 (402) displayed on the screen by the web browser 110 of the terminal 100 based on the acquisition of the image G1, for example, the link information (411) in the web page 51 (P1) with the G link described above. The image G1 (g1, g2) is displayed in a predetermined display area (412) corresponding to the place or in a predetermined display area (412) in another Web page (P2) to be linked. Thereby, the user sees the image G1 (g1, g2) displayed on, for example, a part (412) of the Web page (402) on the display screen. Thereby, the user can recognize the security state of the target site A and the quality of compensation.

<Processing B sequence>
The processing B sequence will be described with reference to FIG.

  B1: The audit unit 22 at the site B automatically executes the security audit process for the target site A at a predetermined timing, for example, once a day, once a hour, etc. This access (B1) of the audit process is an access via the Internet 90 by, for example, HTTP (or HTTPS). In addition, about this predetermined | prescribed periodic timing, it can be set as the form which always processes continuously in real time by shortening the execution interval.

  By this access (B1), the auditing unit 22 scans (diagnose) the content data 50 using HTML or the like that configures the site A via a network device, a server, or the like, and executes an audit process according to a predetermined audit item. Various techniques such as the above-described non-destructive scanning technique can be applied to the audit process. The audit items include, for example, resistance check against various attacks (for example, SQL injection), vulnerability detection, and the like. For each item, a numerical value (% etc.) indicating the measure level is calculated.

  The above-described audit processing is, for example, predetermined audit processing other than the normal operation time zone (a time zone in which general users have a lot of access) as access to the Web server apparatus 101 or the like based on a prior contract between the sites A and B. It may be a form that is executed during a business time zone.

  B2: Based on the result of the audit process, the audit unit 22 finally collects the audit result information including the SL evaluation calculation value and stores it in the audit information DB 61.

  B3: The latest audit result information by B2 may be provided from a processing unit (such as the audit unit 22) that manages the audit information DB 61 of the site B to an external insurance company or the like. As a result, the insurance company can use the information for updating the insurance content or designing the insurance.

  B4: Also, when there is an insurance contract related to the target site A, the insurance contract information (insurance type, etc.) is sent from the external system to the processing unit (G providing unit 21, etc.) that manages the contract information DB 62 of the site B. You may give and receive.

  Note that the information acquisition process related to A6 (B3) and A5 (B4) can be omitted if there is no update information.

<Image G>
It is the following about the image G (G1) displayed on a user's terminal 100. FIG. The G providing unit 21 of the site B has data (63) of various types of images G that can be provided in the DB 203. That is, there are images indicating “SL”, “OK” / “NG”, etc. relating to the security status, and images indicating “insurance rank” relating to the quality of insurance (compensation), “enrolled” / “not subscribed”, etc. The design on the display of the image G can be freely designed by combining images, text messages, shapes, colors, and the like. The image G data (display information) provided to the terminal 100 is not limited to an image file format such as GIF, but may be text data (character information) or Web page data format.

  In the present embodiment, “SL” image g1 is included as image G1 provided to terminal 100. In addition, when there is an insurance to which the site A is subscribed, the “insurance rank” image g2 is included. By presenting such multi-value information to the user, it becomes easier to understand the security status and the quality of compensation compared to the conventional case where binary (OK / NG or the like) is presented.

<Detailed information>
Furthermore, not only the display of the image G but also a mode of linking to detailed information about the image G by, for example, a user clicking on the image G may be used. In this case, the user can verify and confirm the security status and the quality of compensation in more detail by browsing the detailed information.

  For example, clicking on the image G may jump to a web page such as audit result information provided by the site B. If there is insurance, you may jump to a Web page for detailed information on the insurance provided by an external insurance company. In this case, the link information is associated with the data of the image G. For example, when the site B responds with the detailed information, the site B reads out the above-described audit result information and contract information from the DB (61, 62), generates a Web page of the detailed information including them, and sends it to the terminal 100. Send a response.

  For example, the detailed information may present information for each audit item that is the basis of a value such as SL. Further, for example, instead of items such as SQL injection countermeasure numerical values, the information may be summarized by a predetermined item (viewpoint) so that the user can easily understand. For example, a value calculated from the viewpoint of “personal information leakage” may be presented.

<Effect of Embodiment>
According to the present embodiment, the security state of a website can be presented and recognized in an easy-to-understand manner for general users in the form of SL (multi-level evaluation information). In addition, when there is insurance related to the target site, the quality of compensation can be presented and recognized in an easy-to-understand manner to general users. As a result, it is possible to improve the reliability related to the use of the Web site. In addition, the information presented by the image G is not limited to the binary information of OK / NG as in the past, but by using multilevel evaluation information based on SL, insurance rank, etc., the security status and compensation details are more detailed than before. The quality can be recognized.

<Modification (Plug-in type)>
As a modified example (another embodiment), a mode in which the main function (a function for providing the image G) is implemented in the form of a plug-in (software) in the web browser 110 of the user terminal 100 is also possible. This main function is realized by cooperation processing between the Web browser 110 (plug-in) and the server of the site B. In this Web browser 110 (plug-in), unlike the above-described independent server system, processing for acquiring and displaying the image G (particularly, processing function corresponding to the G providing unit 21) is performed. The site B (server) side performs audit processing or the like (processing function equivalent to the auditing unit 22) with a relatively high processing load.

  FIG. 6 shows a system configuration example in this embodiment. The sequence example of the process A at the time of user access in this embodiment is as follows. For example, the linked web page 51 of the site A is accessed from the web browser 110 (built-in plug-in) of the user terminal 100. At this time, for example, this plug-in intervenes like a proxy function, and automatically accesses and cooperates with the server of the site B. As a result, the Web browser 110 (plug-in) acquires information such as the image G associated with the page (51) and displays the information on the screen of the terminal 100. In particular, the Web browser 110 (plug-in) acquires the audit result information from the site B, and based on the information, as a process corresponding to the G providing unit 21, determination / confirmation of SL and the like and the image G to be displayed are displayed. Performs selection and display processing. Specifically, various processing examples are possible as in the case of the configuration shown in FIG.

<Modification (Processing A)>
The following is possible as a modification of the process A. In A3 and the like (acquisition / display of the image G), an operation such as a mouse click of link information by the user is interposed. Not only this but the form etc. which acquire and display the image G automatically without user operation are also possible. A processing example in that case is as follows. When the terminal 100 (such as the web browser 110) acquires a page such as the linked web page 51 from the site A, it first displays (draws) the page (the image G is not displayed) on the screen. At the same time, the Web browser 110 or the like automatically causes access to the site B by asynchronous communication or the like based on the processing of the description in the data of the page (instruction to display the image G). Thereby, the Web browser 110 or the like displays (draws) the acquired image G at a designated place in the page. The above processing example can be realized by a plug-in provided in the Web browser 110, for example.

  Further, the following is a detailed example of the processing for obtaining and displaying the image G.

  (A) (form displayed in order of page → image): The terminal 100 (Web browser 110) acquires the target Web page (51 etc.) of the site A and displays (draws) it on the screen (the image G is not displayed). Status). Thereafter, the image G is acquired by accessing the site B (user operation such as link click or automatic processing), and the image G is displayed in the page.

  (B) (Mode for simultaneously displaying pages and images): Access to site B before terminal 100 (Web browser 110) acquires a page (51, etc.) of site A and displays (draws) it on the screen. The image G is acquired by (user operation or automatic), and then the page and the image G are displayed (drawn).

  (C) (Display mode in order of image → page): Before displaying the page of the target site A, only the image G is displayed. For example, when a general user wants to check the SL of the site (page) by viewing the corresponding image G before displaying the target page itself due to security concerns, etc., when using the target site A is there. For example, the terminal 100 (the Web browser 110) first accesses the target page (51 etc.) of the site A and acquires the data of the page. Before displaying the page on the screen, the corresponding image G is acquired by accessing the site B (user operation or automatic), and the image G is displayed on the screen. Or, before accessing the page of the site A for the first time, the site B is accessed and information such as the image G is acquired. Then, the Web browser 110 confirms, for example, whether or not the page may be displayed to the user, and displays the page (and the image G) on the screen based on an operation such as a confirmation click by the user. To do.

  As another form, the site A obtains in advance information such as the image G associated with the target page (the page where the image G is to be displayed) from the site B, and responds to an access (request) from the terminal 100. The page and the image G may be responded.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the present invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Needless to say.

  Since this system can be applied in the same way even when the terminal 100 of a general user (consumer) is replaced with a computer of another company or the like, it can be applied not only to BtoC but also to a BtoB mechanism.

  The present invention can be used for a website system, an audit system, an insurance system, and the like.

  DESCRIPTION OF SYMBOLS 1 ... 1st information processing system (site A), 2 ... 2nd information processing system (site B), 10 ... Web server (content provision part), 21 ... SL judgment part (G provision part), 22 ... Audit Part (Web site security auditing part), 50 ... Site A whole content data, 51 ... Image (G) linked page (content data), 52 ... Page (content data), 61 ... Audit information DB (Web site security audit result) Information DB), 62 ... Contract information DB (Web site contract information DB), 63 ... Image data, 90 ... Internet, 100 ... Terminal, 101 ... Web server device, 102 ... DB, 110 ... Web browser, 201 ... Web server device 202 ... Audit processing device, 203 ... DB, 211 ... Audit information determination unit (SL determination unit), 212 ... Contract information Determination unit (Insurance (compensation) information determining unit), 213 ... transmission information determination section (G transmission portion), 400, 401, 402 ... Web pages, 410, 411, 412 ... display area, G, G1 ... image.

Claims (12)

A system for providing information related to information security of a website,
A terminal used by a general user on a communication network, a first information processing system that manages a general Web site that provides content and services to the terminal of the user, and information security for the Web site A second information processing system for performing an audit,
The second information processing system performs a process of creating audit result information by executing an audit process of the information security for the Web site,
When the user terminal accesses the website and obtains the content or service, the second information processing system relates to the information security status of the website based on the audit result information. A website security information display system characterized in that display information including security level which is multi-value evaluation information is displayed on a screen of the user terminal. The website security information display system according to claim 1,
The second information processing system includes:
An auditing unit that performs a process of creating audit result information including a security level that is multi-value evaluation information related to an information security state related to the Web site by executing the information security audit process for the Web site;
When the user's terminal accesses the website and obtains the content or service, display information including the security level, which is the multi-value evaluation information, is displayed based on the audit result information. A website security information display system, comprising: a providing unit configured to perform processing to be displayed on a terminal screen. The website security information display system according to claim 1,
The second information processing system performs the process of creating the audit result information and storing the history by executing the information security audit process for the Web site at every predetermined periodic timing. A website security information display system characterized by: The website security information display system according to claim 1,
When the user's terminal accesses the website and obtains the content or service, the second information processing system indicates the quality of compensation in the event of a problem associated with the website. A website security information display system characterized in that display information including information or insurance information indicating the information is displayed on a screen of the user terminal. The website security information display system according to claim 1,
The second information processing system includes:
When the user's terminal accesses the Web site and obtains the content or service, based on the audit result information, in addition to the security level that is the multilevel evaluation information, the security status A website security information display system, characterized in that display information including binary evaluation information indicating OK or NG is displayed on a screen of the user's terminal. The website security information display system according to claim 1,
By communicating between a web browser provided in the user terminal and a server provided in the second information processing system,
When the user's terminal accesses the website and obtains the content or service, the web browser communicates with the server of the second information processing system to determine the information security status of the website A Web site security information display system, characterized in that display information including a security level, which is multi-valued evaluation information, is displayed on the screen. In the website security information display system according to any one of claims 1 to 6,
The Web site security information display system, wherein the display information includes a predetermined image displayed in a Web page of the target Web site. The website security information display system according to claim 1,
The second information processing system displays, on the terminal screen, detailed information related to the information security audit result related to the target website, triggered by the user's operation on the display information displayed on the terminal screen. A website security information display system characterized in that the processing is performed. In the website security information display system according to claim 1 or 6,
The terminal displays a Web page acquired from the Web site on a screen, and then the display information acquired from the second information processing system is triggered by the user operation on the Web page. Is displayed in the Web page. A Web site security information display system characterized by: In the website security information display system according to claim 1 or 6,
The terminal displays a Web page acquired from the Web site on a screen and automatically displays the display information acquired from the second information processing system in the Web page. Web site security information display system. The website security information display system according to claim 1,
The website security information display system characterized in that the item of the audit by the second information processing system includes a login method between the terminal and the website. The website security information display system according to claim 1,
The website security information display system characterized in that the number of contents provided by the website is included as an item of the audit by the second information processing system.