Research Article

Developer-oriented Web Security by Integrating Secure SDLC into IDEs

Volume: 1 Number: 1 April 2, 2018
  • Emin İslam Tatlı

Abstract

Enterprises and organizations have difficulty protecting their web-based services against cyber-attacks. Due to the increasing number of cyber-attacks, critical data such as customer data and patient data are leaked, and critical services like online banking become unavailable for long periods of time. Studies by Gartner, OWASP, SANS and similar organizations have shown that today’s cyber-attacks mostly target the application layer. This means that application developers design and implement insecure web applications, and black-hat hackers exploit these security weaknesses to gain unauthorized access to critical databases. Insecure development practices among web developers remain a big challenge to solve. The top risk in the OWASP Top 10 list, “SQL Injection”, can be given as a concrete example: this vulnerability was discovered 20 years ago, but web developers are still mostly unaware of its prevention methods. The weak communication between web developers and security experts is one of the main reasons for insecurely developed applications. Even though security experts know the prevention methods for all types of security vulnerabilities, they are unable to transfer this knowledge to web developers effectively. Secure software development lifecycle methodologies like Microsoft SDL, OpenSAMM and BSIMM have also been proposed in order to integrate the required security activities into all phases of software development. However, the security activities required by these methodologies are not integrated within development environments, and therefore secure coding awareness among developers cannot be achieved efficiently. In this paper, we suggest new methods and discuss open academic research issues for the integration of secure SDLC activities, including secure coding practices and secure architecture patterns, into development IDEs (Integrated Development Environments).
With this, web developers can access secure coding procedures and best practices directly within their IDEs, increase their security awareness and develop more secure applications. As a result, the number of security vulnerabilities would drastically decrease and critical data leakages could be prevented.


Details

Primary Language

English

Subjects

Computer Software

Journal Section

Research Article

Authors

Emin İslam Tatlı
Türkiye

Publication Date

April 2, 2018

Submission Date

March 17, 2018

Acceptance Date

March 30, 2018

Published in Issue

Year 2018 Volume: 1 Number: 1

APA
Tatlı, E. İ. (2018). Developer-oriented Web Security by Integrating Secure SDLC into IDEs. Sakarya University Journal of Computer and Information Sciences, 1(1), 36-44. https://izlik.org/JA48RM26HG
AMA
1. Tatlı Eİ. Developer-oriented Web Security by Integrating Secure SDLC into IDEs. SAUCIS. 2018;1(1):36-44. https://izlik.org/JA48RM26HG
Chicago
Tatlı, Emin İslam. 2018. “Developer-Oriented Web Security by Integrating Secure SDLC into IDEs”. Sakarya University Journal of Computer and Information Sciences 1 (1): 36-44. https://izlik.org/JA48RM26HG.
EndNote
Tatlı Eİ (April 1, 2018) Developer-oriented Web Security by Integrating Secure SDLC into IDEs. Sakarya University Journal of Computer and Information Sciences 1 1 36–44.
IEEE
[1]E. İ. Tatlı, “Developer-oriented Web Security by Integrating Secure SDLC into IDEs”, SAUCIS, vol. 1, no. 1, pp. 36–44, Apr. 2018, [Online]. Available: https://izlik.org/JA48RM26HG
ISNAD
Tatlı, Emin İslam. “Developer-Oriented Web Security by Integrating Secure SDLC into IDEs”. Sakarya University Journal of Computer and Information Sciences 1/1 (April 1, 2018): 36-44. https://izlik.org/JA48RM26HG.
JAMA
1. Tatlı Eİ. Developer-oriented Web Security by Integrating Secure SDLC into IDEs. SAUCIS. 2018;1:36–44.
MLA
Tatlı, Emin İslam. “Developer-Oriented Web Security by Integrating Secure SDLC into IDEs”. Sakarya University Journal of Computer and Information Sciences, vol. 1, no. 1, Apr. 2018, pp. 36-44, https://izlik.org/JA48RM26HG.
Vancouver
1. Emin İslam Tatlı. Developer-oriented Web Security by Integrating Secure SDLC into IDEs. SAUCIS [Internet]. 2018 Apr. 1;1(1):36-44. Available from: https://izlik.org/JA48RM26HG

The papers in this journal are licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.