Exploring the Relationship Between Web Application Development Tools and Security

Similar documents
Pentesting Web Frameworks (preview of next year's SEC642 update)

Web Application Frameworks. Robert M. Dondero, Ph.D. Princeton University

A benchmark approach to analyse the security of web frameworks

BEST WEB PROGRAMMING LANGUAGES TO LEARN ON YOUR OWN TIME

A Practical Comparison of Agile Web Frameworks

Choosing a Content Management System (CMS)

Web application testing

What s really under the hood? How I learned to stop worrying and love Magento

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

TechiesTown Infotech. Corporate Profile. Copyright 2015 by TechiesTown. All Rights Reserved

Performance Evaluation of PHP Frameworks (CakePHP and CodeIgniter) in relation to the Object-Relational Mapping, with respect to Load Testing

Requirements Design Implementation. Software Architectures. Components Software Component Architecture. DSSA: Domain-Specific Software Architectures

Web 2.0 Technology Overview. Lecture 8 GSL Peru 2014

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company

(WAPT) Web Application Penetration Testing

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Django Web Framework. Zhaojie Zhang CSCI5828 Class Presenta=on 03/20/2012

Chapter 1 Web Application (In)security 1

How To Write A Web Application Vulnerability Scanner And Security Auditor

Web Frameworks. web development done right. Course of Web Technologies A.A. 2010/2011 Valerio Maggio, PhD Student Prof.

Pentesting With Burp Suite Taking the web back from automated scanners

Agile Codex. (A software development company) Company Overview. Agile Codex

Performing a Web Application Security Assessment

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Romulus, Java Web Development made productive.

WEB APPLICATION VULNERABILITY STATISTICS (2013)

Automatic vs. Manual Code Analysis

Web Cloud Architecture

Learning security through insecurity

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

2,000 Websites Later Which Web Programming Languages are Most Secure?

A Network Administrator s Guide to Web App Security

Background. HSBC DOD VA Masters in Computer Science Somerset Recon. Avid CTF Competitor

Attacking MongoDB. Firstov Mihail

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

DEVELOPING SECURE SOFTWARE

CSE 373: Data Structure & Algorithms Lecture 25: Programming Languages. Nicki Dell Spring 2014

How To Hack A Network With A Network Security Attack On A Web Browser (For A Free Download) (For Free) ( For A Free) On A Network) (On A Free Downloaded) (Or For A Paid Download) On An Ip

HackMiami Web Application Scanner 2013 PwnOff

WHITEPAPER. Nessus Exploit Integration

An Analysis of the Effectiveness of Black-Box Web Application Scanners in Detection of Stored XSSI Vulnerabilities

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

A clustering Approach for Web Vulnerabilities Detection

Intrusion detection for web applications

Bringing Security Testing to Development. How to Enable Developers to Act as Security Experts

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

An approach to Web Application Penetration Testing. By: Whiskah

Secure development and the SDLC. Presented By Jerry

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Rapid Application Development. and Application Generation Tools. Walter Knesel

Carlos Muñoz Application Security Engineer WhiteHat

Effectiveness of Automated Application Penetration Testing Tools

Penetration Testing Lessons Learned. Security Research

Institutionen för datavetenskap

RED HAT SOFTWARE COLLECTIONS BRIDGING DEVELOPMENT AGILITY AND PRODUCTION STABILITY

Cyber Security Challenge Australia 2014

Expert Services Group (Security Testing) Nilesh Dasharathi Sadaf Kazi Aztecsoft Limited

Standards, Tools and Web 2.0

Pentests more than just using the proper tools

ABTO Software PHP Web Development Overview

2016 TRAINING CALENDAR

Stackato PaaS Architecture: How it works and why.

SENIOR WEB DEVELOPER

How To Burp David Brown

Ruby on Rails. Object Oriented Analysis & Design CSCI-5448 University of Colorado, Boulder. -Dheeraj Potlapally

Layers of Caching: Key to scaling your website. Lance Albertson -- Narayan Newton

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

The AppSec How-To: Achieving Security in DevOps

Our mission. The team at Jazzros has as its main object to provide such services which will be the basis for clients' successful business.

Online Vulnerability Scanner Quick Start Guide

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Penetration Testing: Lessons from the Field

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. abechtsoudis (at) ieee.

Adobe Systems Incorporated

Tech Radar - May 2015

Kristof Goossens. Personal Information. Summary. Name: Kristof Goossens. Date of Birth: 15 November Place of residence: Wemmel

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Transcription:

Exploring the Relationship Between Web Application Development Tools and Security Matthew Finifter and David Wagner University of California, Berkeley

It s a great time to be a developer! Languages PHP JAVA RUBY PERL PYTHON SCALA HASKELL COLD FUSION 2

It s a great time to be a developer! Languages PHP JAVA RUBY PERL PYTHON SCALA COLD HASKELL FUSION Frameworks Yii, ASP.NET, Zend, Struts, Django, Snap, GWT, RoR, Mason, Sinatra, CakePHP, Fusebox, Catalyst, Spring, Grails, Dancer, CodeIgniter, Tapestry, Pyjamas, Symfony 3

It s a great time to be a developer! Languages PHP JAVA RUBY PERL PYTHON SCALA COLD HASKELL FUSION Frameworks Yii, ASP.NET, Zend, Struts, Django, Snap, GWT, RoR, Mason, Sinatra, CakePHP, Fusebox, Catalyst, Spring, Grails, Dancer, CodeIgniter, Tapestry, Pyjamas, Symfony Object Relational Model (ORM) Framework Client-side framework Templating Language Libraries Meta-framework Content Management System (CMS) Vulnerability Remediation Tools or Services 4

Choice is great, but How should a developer or project manager choose? Is there any observable difference between different tools we might choose? What should you optimize for? How will you know you ve made the right choices? We need meaningful comparisons between tools so that developers can make informed decisions. 5

Talk Outline Introduction Goals Methodology Results Conclusion and Future Work 6

Goals Encourage future work in this problem space Introduce methodology for evaluating differences between tools Evaluate security differences between different tools Programming Language Web Application Development Framework Process for Finding Vulnerabilities 7

Methodology Secondary data set from [Prechelt 2010] Different groups of developers use different tools to implement the same functionality Control for differences in specifications, human variability Measure the security of the developed programs Black-box penetration testing (Burp Suite Pro) Manual security review Use statistical hypothesis testing to look for associations 8

Limitations Experimental design Only one security reviewer (me) Application not necessarily representative Small sample size and more (see the paper) 9

Programming Language 3 Java teams, 3 Perl teams, 3 PHP teams Look for association between programming language and: Total number of vulnerabilities found in the implementation Number of vulnerabilities for each vulnerability class Main conclusion: 9 samples is too few to find these associations. Maybe there is no association Maybe we need more data 10

Results: Total Vulnerabilities 11

Results: Stored XSS 12

Results: Reflected XSS 13

Results: SQL Injection 14

Results: Auth. Bypass 15

No. Vulnerable Implementa ons Results: Binary Vulnerabilities 3 2 1 0 CSRF Session Management Password Storage Perl Java PHP 16

Framework Support Different frameworks offer different features Taxonomy of framework support None Manual Opt-in Opt-out Always on 17

Framework Support Labeled each (team number, vulnerability class) with a framework support level E.g., team 4 had always-on CSRF protection This data set allows us to consider association between level of framework support and vulnerabilities. In other words, does a higher level of framework support help? 18

Framework Support No associations found for XSS, SQL injection, auth. bypass, or secure password storage. Statistically significant associations found for CSRF and session management. 19

Individual Vulnerability Data More data to shed light on frameworks How far away from chosen tools to find framework support? Framework used Newer version of framework used Another framework for language used Some framework for some language No known support For both automatic and manual framework support 20

Individual Vulnerability Data (Manual Support) 35 Where manual support exists to prevent vulnerabilities 30 25 20 15 10 Reflected XSS in JavaScript context No known framework Some fwk. for some language Diff. fwk. for language used Newer version of fwk. used Framework used 5 0 Java3 Java4 Java9 PHP6 PHP7 PHP8 Perl1 Perl2 Perl5 21

Individual Vulnerability Data (Automatic Support) 35 Where automatic support exists to prevent vulnerabilities 30 25 20 No known framework Some fwk. for some language Diff. fwk. for language used Newer version of fwk. used Framework used Authorization bypass 15 10 5 Reflected XSS in JavaScript context Authorization bypass Secure password storage 0 Java3 Java4 Java9 PHP6 PHP7 PHP8 Perl1 Perl2 Perl5 22

Method of Finding Vulnerabilities Automated black-box penetration testing Manual source code review 23

Method of Finding Vulnerabilities 20 19 52 Black-box Manual 24

Results: Stored XSS 25

Results: Reflected XSS 26

Results: SQL Injection 27

Results: Auth. Bypass 28

No. Vulnerable Implementa ons Results: Binary Vulnerabilities 3 2 1 0 CSRF Session Management Password Storage Perl Java PHP 29

Related Work BAU ET AL. State of the Art: Automated Black-box Web Application Vulnerability Testing. DOUPÉ ET AL. Why Johnny Can t Pentest: An Analysis of Black-Box Web Vulnerability Scanners. PRECHELT ET AL. Plat_Forms: A Web Development Platform Comparison by an Exploratory Experiment Searching for Emergent Platform Properties. WAGNER ET AL. Comparing Bug Finding Tools with Reviews and Tests. WALDEN ET AL. Java vs. PHP: Security Implications of Language Choice for Web Applications. WhiteHat Website Security Statistic Report, 9 th Edition. 30

Conclusion We should quantify our tools along various dimensions This study started (but did not finish!) that task for security Language, framework, vulnerability-finding method 31

Conclusion Web security is still hard; each implementation had at least one vulnerability. Level of framework support appears to influence security Manual framework support is ineffective Manual code review more effective than black-box testing But they are complementary. And they perform differently for different vulnerability classes 32

Future Work Gathering and analyzing larger data sets Other dimensions: reliability, performance, maintainability, etc. Deeper understanding of why some tools fare better than others Not just web applications! 33

Thank you! Matthew Finifter finifter@cs.berkeley.edu 34

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information