ASIDE: IDE support for web application security

ACM International Conference Proceeding Series

Volumn , Issue , 2011, Pages 267-276

  Xie, Jing ^a   Chu, Bill ^a   Lipford, Heather Richter ^a   Melton, John T ^a  

^a University of North Carolina at Charlotte   (United States)

Author keywords

Application security; Interactive support; Secure programming; Secure software development

Indexed keywords

APPLICATION SECURITY; AUTOMATED ANALYSIS; EVALUATION RESULTS; INTEGRATED DEVELOPMENT ENVIRONMENT; PLUG-INS; PROOF OF CONCEPT; SECURE PROGRAMMING; SECURE SOFTWARE DEVELOPMENT; SOFTWARE DEVELOPER; SOFTWARE SECURITY; SOFTWARE VULNERABILITIES; WEB APPLICATION SECURITY; WEB APPLICATION VULNERABILITY;

COMPUTER APPLICATIONS; COMPUTER SOFTWARE; SECURITY SYSTEMS; SOFTWARE DESIGN; WORLD WIDE WEB;

SECURITY OF DATA;

EID: 84855693683     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2076732.2076770     Document Type: Conference Paper

References (38)

1. S. Ardi, D. Byers, P. H. Meland, I. A. Tondel, and N. Shahmehri. How can the developer benefit from security modeling? In The Second International Conference on Availability, Reliability and Security, 2007, pages 1017 -1025, april 2007. (Pubitemid 47304316)
2. Atlas.ti. Atlas.ti, 2011. www.atlasti.com.
3. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 387-401. IEEE Computer Society, 2008.
4. M. Bishop and B. J. Orvis. A clinic to teach good programming practices. In Proceedings from the Tenth Colloquium on Information Systems Security Education, pages 168-174, June 2006.
5. CERT. CERT Secure Coding, 2011. www.cert.org/secure-coding.
6. A. Chaudhuri and J. S. Foster. Symbolic security analysis of ruby-on-rails web applications. In Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, pages 585-594. ACM, 2010.
7. B. Chess and G. McGraw. Static analysis for security. IEEE Security and Privacy, 2:76-79, November 2004. (Pubitemid 40010916)
8. B. Chess and J. West. Secure programming with static analysis. Addison-Wesley Professional, first edition, 2007.
9. V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Toward automated detection of logic vulnerabilities in web applications. In Proceedings of the 19th USENIX conference on Security, USENIX Security'10, pages 10-10. USENIX Association, 2010.
10. X. Fu and K. Qian. Safeli: Sql injection scanner using symbolic execution. In Proceedings of the 2008 workshop on Testing, analysis, and verification of web services and applications, TAV-WEB '08, pages 34-39. ACM, 2008.
11. B. C. G. McGraw and S. Migues. Building security in maturity model, 2011. www.bsimm2.com.
12. M. Hafiz, P. Adamczyk, and R. Johnson. Systematically eradicating data injection attacks using security-oriented program transformations. In Proceedings of the 1st International Symposium on Engineering Secure Software and Systems, ESSoS '09, pages 75-90. Springer-Verlag, 2009.
13. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In Proceedings of the 13th international conference on World Wide Web, WWW '04, pages 40-52. ACM, 2004. (Pubitemid 40752739)
14. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. T. Lee, and S.-Y. Kuo. Verifying web applications using bounded model checking. In Proceedings of the 2004 International Conference on Dependable Systems and Networks, pages 199-, Washington, DC, USA, 2004. IEEE Computer Society.
15. Inqscribe. Inqscribe, 2011. www.inqscribe.com.
16. S. Institute. SANS Institute, 2011. www.sans.org.
17. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: a static analysis tool for detecting web application vulnerabilities. In Security and Privacy, 2006 IEEE Symposium on, pages 6 pp. -263, may 2006.
18. K. Karppinen, L. Yonkwa, and M. Lindvall. Why developers insert security vulnerabilities into their code. In Proceedings of the 2009 Second International Conferences on Advances in Computer-Human Interactions, ACHI '09, pages 289-294. IEEE Computer Society, 2009.
19. D. E. Knuth. The errors of tex. Softw. Pract. Exper., 19:607-685, July 1989.
20. A. J. Ko and B. A. Myers. A framework and methodology for studying the causes of software errors in programming systems. J. Vis. Lang. Comput., 16:41-84, February 2005. (Pubitemid 40262413)
21. V. B. Livshits and M. S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the 14th Usenix Security Symposium, pages 271-286, August 2005.
22. M. Martin and M. S. Lam. Automatic generation of xss and sql injection attacks with goal-directed model checking. In Proceedings of the 17th conference on Security symposium, pages 31-43. USENIX Association, 2008.
23. M. Martin, B. Livshits, and M. S. Lam. Finding application errors and security flaws using PQL: a program query language. In OOPSLA '05: Proceedings of the 20th annual ACM SIGPLAN conference on Object oriented programming systems languages and applications, pages 365-383, 2005.
24. Microsoft. Microsoft SAL Annotations, 2011. http: //msdn.microsoft.com/ en-us/library/ms235402.aspx.
25. Moodle. Moodle, 2011. http://moodle.org.
26. Moodle. MSA-08-0013, 2011. http://moodle.org/mod/forum/discuss.php?d= 101405.
27. G. Naumovich and P. Centonze. Static analysis of role-based access control in j2ee applications. SIGSOFT Softw. Eng. Notes, 29:1-10, September 2004.
28. OWASP. ESAPI Validator API, 2011. http://owasp-esapi-java.googlecode.com/ svn/trunk\-doc/latest/org/owasp/esapi/Validator.html.
29. J. Reason. Human Error. Cambridge University Press, Cambridge, UK, 1990.
30. A. Roller. Apache Roller, 2011. http://roller.apache.org.
31. A. Roller. ROL-1766, 2011. https://issues.apache.org/jira/browse/ROL- 1766.
32. P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for javascript. Technical Report UCB/EECS-2010-26, EECS Department, University of California, Berkeley, Mar 2010.
33. H. Sharp, Y. Rogers, and J. Preece. Interaction Design: Beyond Human-Computer Interaction. Wiley, 2 edition, 2007.
34. F. Software. Fortify SCA, 2011. https://www.fortify.com/products/ fortify360/source-code-analyzer.html.
35. B. Taylor and S. Azadegan. Moving beyond security tracks: integrating security in cs0 and cs1. In Proceedings of the 39th SIGCSE technical symposium on Computer science education, SIGCSE '08, pages 320-324. ACM, 2008.
36. VERACODE. State of Software Security Report Volume 1, 2, and 3, 2011. http://www.veracode.com/reports/index.html.
37. J. Xie, B. Chu, and H. R. Lipford. Idea: interactive support for secure software development. In Proceedings of the Third international conference on Engineering secure software and systems, ESSoS'11, pages 248-255. Springer-Verlag, 2011.
38. J. Xie, H. R. Lipford, and B. Chu. Why do programmers make security errors? In Proceedings of 2011 IEEE Symposium on Visual Languages and Human Centric Computing, pages 161-164, 2011.