Research Article
BibTex RIS Cite

Developer-oriented Web Security by Integrating Secure SDLC into IDEs

Year 2018, Volume: 1 Issue: 1, 36 - 44, 02.04.2018

Abstract

Enterprises and organizations have difficulties to protect their web-based services against cyber-attacks. Due to increasing number of cyber-attacks, critical data including customer data, patient data etc. are leaked and critical services like online banking become unavailable for long period of time. The studies of Gartner, OWASP, SANS and similar organizations have shown that today’s cyber-attacks target mostly application layer. This means that application developers design and implement insecure web applications and black-hat hackers exploit these security weaknesses to get unauthorized accesses to critical databases. Insecure development of web developers is still a big challenge to solve. The top one risk “SQL Injection” from OWASP Top 10 list can be given as a concrete example. This vulnerability was discovered 20 years ago, but web developers are still mostly unaware of its prevention methods. The weak communication between web developers and security experts is one of the main reasons of insecurely developed applications. Even though security experts have the knowledge of all preventions methods for all types of security vulnerabilities, they are insufficient to transfer this knowledge to web developers. Secure software development lifecycles methodologies like Microsoft SDL, OpenSAMM, BSIMM have been also proposed in order to integrate required security activities into all phases of software development. But the security activities required by these methodologies are not integrated within development environments and therefore secure coding awareness of developers cannot be efficiently achieved. In this paper, we suggest new methods and discuss open academic research issues for integration of secure SDLC activities including secure coding practices and secure architecture patterns into development IDEs (Integrated Development Environments). Providing this, web developers can access to secure coding procedures and best-practices directly within their IDEs, increase their security awareness and develop more secure applications. As a result, the numbers of security vulnerabilities would drastically decrease and critical data leakages can be prevented.

References

  • Adebiyi, A., Arreymbi, J., Imafidon, C. 2012. "Applicability of Neural Networks to Software Security", 14th International Conference on Computer Modelling and Simulation, 19-24.
  • Bilge, L., Dumitras, T. 2012. “Before We Knew It: an Empirical Study of Zero-Day Attacks in the Real World”, Proceedings of the 2012 ACM Conference on Computer and Communications Security -- CCS’12, 833–844.
  • BLV, “Business logic vulnerability”. https://www.owasp.org/index.php/Business_logic_vulnerability, August 2015.
  • BSIMM (The Building Security In Maturity Model) v8, https://www.bsimm.com/, September 2017.
  • Hackmageddon – Cyber Attacks Timelines and Statistics, http://hackmageddon.com, 2018.
  • Jürjens, J. 2004. Secure Systems Development with UML. Springer-Verlag.
  • Lodderstedt, T., Basin, D.A., Doser, J. 2002. "SecureUML: A UML-Based Modeling Language for Model Driven Security," In Proceedings of the 5th International Conference on the Unified Modelling Language, 426-441.
  • Microsoft SDL, https://www.microsoft.com/en-us/sdl, 2010.
  • Mouratidis, H., Giorgini, P. 2007. "Security attack testing (SAT)- testing the security of information systems at design time", Information Systems, Vol. 32, 1166-1183.
  • OpenSAMM (Software Assurance Maturity Model) v1.5, http://www.opensamm.org/, 13 April 2017.
  • Othmane, L.B., Angin, P., Weffers, H., Bhargava, B. 2014. "Extending the Agile Development Approach to Develop Acceptably Secure Software", Dependable and Secure Computing, IEEE Transactions on , vol.PP, no.99, 497 - 509.
  • OWASP-Top10 Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, 2017.
  • Saini, V., Duan, Q., and Paruchuri, V. 2008. “Threat modeling using attack trees”. Journal of Computing Sciences in Colleges (APRIL), 124–131.
  • SANS, “25 Most Dangerous Software Errors v3”. https://www.sans.org/top25-software-errors/, June 2011. Schneier Bruce, “The Process of Security”, http://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html, April 2000.
  • Talukder, AK., Maurya, V.K., Santhosh, B.G., Jangam, E., Muni, S.V., Jevitha, K. P., Saurabh, S., Pais, AR. 2009. "Security-aware Software Development Life Cycle (SaSDLC) - Processes and tools," Wireless and Optical Communications Networks.
  • Tatli Emin İslam and Urgun Bedirhan, Ccrawl-a thick client helping security static code review processes, https://github.com/agguvenligi/ccrawl, October 2013.
  • Thuraisingham, B., Hamlen, K.W. 2010. "Challenges and Future Directions of Software Technology: Secure Software Development", IEEE Computer Software and Applications Conference (COMPSAC), 17-20.
  • Zenah, N.H.Z., Aziz, N.A 2011. "Secure coding in software development," Software Engineering (MySEC) 5th Malaysian Conference, 458-464.
Year 2018, Volume: 1 Issue: 1, 36 - 44, 02.04.2018

Abstract

References

  • Adebiyi, A., Arreymbi, J., Imafidon, C. 2012. "Applicability of Neural Networks to Software Security", 14th International Conference on Computer Modelling and Simulation, 19-24.
  • Bilge, L., Dumitras, T. 2012. “Before We Knew It: an Empirical Study of Zero-Day Attacks in the Real World”, Proceedings of the 2012 ACM Conference on Computer and Communications Security -- CCS’12, 833–844.
  • BLV, “Business logic vulnerability”. https://www.owasp.org/index.php/Business_logic_vulnerability, August 2015.
  • BSIMM (The Building Security In Maturity Model) v8, https://www.bsimm.com/, September 2017.
  • Hackmageddon – Cyber Attacks Timelines and Statistics, http://hackmageddon.com, 2018.
  • Jürjens, J. 2004. Secure Systems Development with UML. Springer-Verlag.
  • Lodderstedt, T., Basin, D.A., Doser, J. 2002. "SecureUML: A UML-Based Modeling Language for Model Driven Security," In Proceedings of the 5th International Conference on the Unified Modelling Language, 426-441.
  • Microsoft SDL, https://www.microsoft.com/en-us/sdl, 2010.
  • Mouratidis, H., Giorgini, P. 2007. "Security attack testing (SAT)- testing the security of information systems at design time", Information Systems, Vol. 32, 1166-1183.
  • OpenSAMM (Software Assurance Maturity Model) v1.5, http://www.opensamm.org/, 13 April 2017.
  • Othmane, L.B., Angin, P., Weffers, H., Bhargava, B. 2014. "Extending the Agile Development Approach to Develop Acceptably Secure Software", Dependable and Secure Computing, IEEE Transactions on , vol.PP, no.99, 497 - 509.
  • OWASP-Top10 Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, 2017.
  • Saini, V., Duan, Q., and Paruchuri, V. 2008. “Threat modeling using attack trees”. Journal of Computing Sciences in Colleges (APRIL), 124–131.
  • SANS, “25 Most Dangerous Software Errors v3”. https://www.sans.org/top25-software-errors/, June 2011. Schneier Bruce, “The Process of Security”, http://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html, April 2000.
  • Talukder, AK., Maurya, V.K., Santhosh, B.G., Jangam, E., Muni, S.V., Jevitha, K. P., Saurabh, S., Pais, AR. 2009. "Security-aware Software Development Life Cycle (SaSDLC) - Processes and tools," Wireless and Optical Communications Networks.
  • Tatli Emin İslam and Urgun Bedirhan, Ccrawl-a thick client helping security static code review processes, https://github.com/agguvenligi/ccrawl, October 2013.
  • Thuraisingham, B., Hamlen, K.W. 2010. "Challenges and Future Directions of Software Technology: Secure Software Development", IEEE Computer Software and Applications Conference (COMPSAC), 17-20.
  • Zenah, N.H.Z., Aziz, N.A 2011. "Secure coding in software development," Software Engineering (MySEC) 5th Malaysian Conference, 458-464.
There are 18 citations in total.

Details

Primary Language English
Subjects Computer Software
Journal Section Articles
Authors

Emin İslam Tatlı

Publication Date April 2, 2018
Submission Date March 17, 2018
Acceptance Date March 30, 2018
Published in Issue Year 2018Volume: 1 Issue: 1

Cite

IEEE E. İ. Tatlı, “Developer-oriented Web Security by Integrating Secure SDLC into IDEs”, SAUCIS, vol. 1, no. 1, pp. 36–44, 2018.

29070    The papers in this journal are licensed under a Creative Commons Attribution-NonCommercial 4.0 International License