Öz
Enterprises and organizations have difficulties to protect their web-based services against cyber-attacks. Due to increasing number of cyber-attacks, critical data including customer data, patient data etc. are leaked and critical services like online banking become unavailable for long period of time. The studies of Gartner, OWASP, SANS and similar organizations have shown that today’s cyber-attacks target mostly application layer. This means that application developers design and implement insecure web applications and black-hat hackers exploit these security weaknesses to get unauthorized accesses to critical databases. Insecure development of web developers is still a big challenge to solve. The top one risk “SQL Injection” from OWASP Top 10 list can be given as a concrete example. This vulnerability was discovered 20 years ago, but web developers are still mostly unaware of its prevention methods. The weak communication between web developers and security experts is one of the main reasons of insecurely developed applications. Even though security experts have the knowledge of all preventions methods for all types of security vulnerabilities, they are insufficient to transfer this knowledge to web developers. Secure software development lifecycles methodologies like Microsoft SDL, OpenSAMM, BSIMM have been also proposed in order to integrate required security activities into all phases of software development. But the security activities required by these methodologies are not integrated within development environments and therefore secure coding awareness of developers cannot be efficiently achieved. In this paper, we suggest new methods and discuss open academic research issues for integration of secure SDLC activities including secure coding practices and secure architecture patterns into development IDEs (Integrated Development Environments). Providing this, web developers can access to secure coding procedures and best-practices directly within their IDEs, increase their security awareness and develop more secure applications. As a result, the numbers of security vulnerabilities would drastically decrease and critical data leakages can be prevented.
Anahtar Kelimeler
Kaynakça
- Adebiyi, A., Arreymbi, J., Imafidon, C. 2012. "Applicability of Neural Networks to Software Security", 14th International Conference on Computer Modelling and Simulation, 19-24.
- Bilge, L., Dumitras, T. 2012. “Before We Knew It: an Empirical Study of Zero-Day Attacks in the Real World”, Proceedings of the 2012 ACM Conference on Computer and Communications Security -- CCS’12, 833–844.
- BLV, “Business logic vulnerability”. https://www.owasp.org/index.php/Business_logic_vulnerability, August 2015.
- BSIMM (The Building Security In Maturity Model) v8, https://www.bsimm.com/, September 2017.
- Hackmageddon – Cyber Attacks Timelines and Statistics, http://hackmageddon.com, 2018.
- Jürjens, J. 2004. Secure Systems Development with UML. Springer-Verlag.
- Lodderstedt, T., Basin, D.A., Doser, J. 2002. "SecureUML: A UML-Based Modeling Language for Model Driven Security," In Proceedings of the 5th International Conference on the Unified Modelling Language, 426-441.
- Microsoft SDL, https://www.microsoft.com/en-us/sdl, 2010.
- Mouratidis, H., Giorgini, P. 2007. "Security attack testing (SAT)- testing the security of information systems at design time", Information Systems, Vol. 32, 1166-1183.
- OpenSAMM (Software Assurance Maturity Model) v1.5, http://www.opensamm.org/, 13 April 2017.
- Othmane, L.B., Angin, P., Weffers, H., Bhargava, B. 2014. "Extending the Agile Development Approach to Develop Acceptably Secure Software", Dependable and Secure Computing, IEEE Transactions on , vol.PP, no.99, 497 - 509.
- OWASP-Top10 Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, 2017.
- Saini, V., Duan, Q., and Paruchuri, V. 2008. “Threat modeling using attack trees”. Journal of Computing Sciences in Colleges (APRIL), 124–131.
- SANS, “25 Most Dangerous Software Errors v3”. https://www.sans.org/top25-software-errors/, June 2011. Schneier Bruce, “The Process of Security”, http://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html, April 2000.
- Talukder, AK., Maurya, V.K., Santhosh, B.G., Jangam, E., Muni, S.V., Jevitha, K. P., Saurabh, S., Pais, AR. 2009. "Security-aware Software Development Life Cycle (SaSDLC) - Processes and tools," Wireless and Optical Communications Networks.
- Tatli Emin İslam and Urgun Bedirhan, Ccrawl-a thick client helping security static code review processes, https://github.com/agguvenligi/ccrawl, October 2013.
- Thuraisingham, B., Hamlen, K.W. 2010. "Challenges and Future Directions of Software Technology: Secure Software Development", IEEE Computer Software and Applications Conference (COMPSAC), 17-20.
- Zenah, N.H.Z., Aziz, N.A 2011. "Secure coding in software development," Software Engineering (MySEC) 5th Malaysian Conference, 458-464.
Öz
Kaynakça
- Adebiyi, A., Arreymbi, J., Imafidon, C. 2012. "Applicability of Neural Networks to Software Security", 14th International Conference on Computer Modelling and Simulation, 19-24.
- Bilge, L., Dumitras, T. 2012. “Before We Knew It: an Empirical Study of Zero-Day Attacks in the Real World”, Proceedings of the 2012 ACM Conference on Computer and Communications Security -- CCS’12, 833–844.
- BLV, “Business logic vulnerability”. https://www.owasp.org/index.php/Business_logic_vulnerability, August 2015.
- BSIMM (The Building Security In Maturity Model) v8, https://www.bsimm.com/, September 2017.
- Hackmageddon – Cyber Attacks Timelines and Statistics, http://hackmageddon.com, 2018.
- Jürjens, J. 2004. Secure Systems Development with UML. Springer-Verlag.
- Lodderstedt, T., Basin, D.A., Doser, J. 2002. "SecureUML: A UML-Based Modeling Language for Model Driven Security," In Proceedings of the 5th International Conference on the Unified Modelling Language, 426-441.
- Microsoft SDL, https://www.microsoft.com/en-us/sdl, 2010.
- Mouratidis, H., Giorgini, P. 2007. "Security attack testing (SAT)- testing the security of information systems at design time", Information Systems, Vol. 32, 1166-1183.
- OpenSAMM (Software Assurance Maturity Model) v1.5, http://www.opensamm.org/, 13 April 2017.
- Othmane, L.B., Angin, P., Weffers, H., Bhargava, B. 2014. "Extending the Agile Development Approach to Develop Acceptably Secure Software", Dependable and Secure Computing, IEEE Transactions on , vol.PP, no.99, 497 - 509.
- OWASP-Top10 Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, 2017.
- Saini, V., Duan, Q., and Paruchuri, V. 2008. “Threat modeling using attack trees”. Journal of Computing Sciences in Colleges (APRIL), 124–131.
- SANS, “25 Most Dangerous Software Errors v3”. https://www.sans.org/top25-software-errors/, June 2011. Schneier Bruce, “The Process of Security”, http://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html, April 2000.
- Talukder, AK., Maurya, V.K., Santhosh, B.G., Jangam, E., Muni, S.V., Jevitha, K. P., Saurabh, S., Pais, AR. 2009. "Security-aware Software Development Life Cycle (SaSDLC) - Processes and tools," Wireless and Optical Communications Networks.
- Tatli Emin İslam and Urgun Bedirhan, Ccrawl-a thick client helping security static code review processes, https://github.com/agguvenligi/ccrawl, October 2013.
- Thuraisingham, B., Hamlen, K.W. 2010. "Challenges and Future Directions of Software Technology: Secure Software Development", IEEE Computer Software and Applications Conference (COMPSAC), 17-20.
- Zenah, N.H.Z., Aziz, N.A 2011. "Secure coding in software development," Software Engineering (MySEC) 5th Malaysian Conference, 458-464.
Ayrıntılar
| Birincil Dil | İngilizce |
|---|---|
| Konular | Bilgisayar Yazılımı |
| Bölüm | Makaleler |
| Yazarlar | |
| Yayımlanma Tarihi | 2 Nisan 2018 |
| Gönderilme Tarihi | 17 Mart 2018 |
| Kabul Tarihi | 30 Mart 2018 |
| Yayımlandığı Sayı | Yıl 2018Cilt: 1 Sayı: 1 |
Sakarya University Journal of Computer and Information Sciences in Applied Sciences and Engineering: An interdisciplinary journal of information science