Team for Research in
Ubiquitous Secure Technology

Exploring the Relationship Between Web Application Development Tools and Security
Matthew Finifter, David Wagner

Citation
Matthew Finifter, David Wagner. "Exploring the Relationship Between Web Application Development Tools and Security". Proceedings of the 2nd USENIX conference on Web application, Usenix, 2011.

Abstract
How should software engineers choose which tools to use to develop secure web applications? Different developers have different opinions regarding which language, framework, or vulnerability-finding tool tends to yield more secure software than another; some believe that there is no difference at all between such tools. This paper adds quantitative data to the discussion and debate. We use manual source code review and an automated black-box penetration testing tool to find security vulnerabilities in 9 implementations of the same web application in 3 different programming languages. We explore the relationship between programming languages and number of vulnerabilities, and between framework support for security concerns and the number of vulnerabilities. We also compare the vulnerabilities found by manual source code review and automated black-box penetration testing. Our findings are: (1) we do not find a relationship between choice of programming language and application security, (2) automatic framework protection mechanisms, such as for CSRF and session management, appear to be effective at precluding vulnerabilities, while manual protection mechanisms provide little value, and (3) manual source code review is more effective than automated black-box testing, but testing is complementary.

Citation formats
  • HTML
    Matthew Finifter, David Wagner. <a
    href="http://www.truststc.org/pubs/851.html"
    >Exploring the Relationship Between Web Application
    Development Tools and Security</a>, Proceedings of the
    2nd USENIX conference on Web application, Usenix, 2011.
  • Plain text
    Matthew Finifter, David Wagner. "Exploring the
    Relationship Between Web Application Development Tools and
    Security". Proceedings of the 2nd USENIX conference on
    Web application, Usenix, 2011.
  • BibTeX
    @inproceedings{FinifterWagner11_ExploringRelationshipBetweenWebApplicationDevelopment,
        author = {Matthew Finifter and David Wagner},
        title = {Exploring the Relationship Between Web Application
                  Development Tools and Security},
        booktitle = {Proceedings of the 2nd USENIX conference on Web
                  application},
        organization = {Usenix},
        year = {2011},
        abstract = {How should software engineers choose which tools
                  to use to develop secure web applications?
                  Different developers have different opinions
                  regarding which language, framework, or
                  vulnerability-finding tool tends to yield more
                  secure software than another; some believe that
                  there is no difference at all between such tools.
                  This paper adds quantitative data to the
                  discussion and debate. We use manual source code
                  review and an automated black-box penetration
                  testing tool to find security vulnerabilities in 9
                  implementations of the same web application in 3
                  different programming languages. We explore the
                  relationship between programming languages and
                  number of vulnerabilities, and between framework
                  support for security concerns and the number of
                  vulnerabilities. We also compare the
                  vulnerabilities found by manual source code review
                  and automated black-box penetration testing. Our
                  findings are: (1) we do not find a relationship
                  between choice of programming language and
                  application security, (2) automatic framework
                  protection mechanisms, such as for CSRF and
                  session management, appear to be effective at
                  precluding vulnerabilities, while manual
                  protection mechanisms provide little value, and
                  (3) manual source code review is more effective
                  than automated black-box testing, but testing is
                  complementary.},
        URL = {http://www.truststc.org/pubs/851.html}
    }

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.