Matthew Finifter, David Wagner
Citation
Matthew Finifter, David Wagner. "Exploring the Relationship Between Web Application Development Tools and Security". Proceedings of the 2nd USENIX conference on Web application, Usenix, 2011.
Abstract
How should software engineers choose which tools to use to develop secure web applications? Different developers have different opinions regarding which language, framework, or vulnerability-finding tool tends to yield more secure software than another; some believe that there is no difference at all between such tools. This paper adds quantitative data to the discussion and debate.
We use manual source code review and an automated black-box penetration testing tool to find security vulnerabilities in 9 implementations of the same web application in 3 different programming languages. We explore the relationship between programming languages and number of vulnerabilities, and between framework support for security concerns and the number of vulnerabilities. We also compare the vulnerabilities found by manual source code review and automated black-box penetration testing.
Our findings are: (1) we do not find a relationship between choice of programming language and application security, (2) automatic framework protection mechanisms, such as for CSRF and session management, appear to be effective at precluding vulnerabilities, while manual protection mechanisms provide little value, and (3) manual source code review is more effective than automated black-box testing, but testing is complementary.
Electronic downloads
| Citation formats |
- HTML
Matthew Finifter, David Wagner. <a href="http://www.truststc.org/pubs/851.html" >Exploring the Relationship Between Web Application Development Tools and Security</a>, Proceedings of the 2nd USENIX conference on Web application, Usenix, 2011.
- Plain text
Matthew Finifter, David Wagner. "Exploring the Relationship Between Web Application Development Tools and Security". Proceedings of the 2nd USENIX conference on Web application, Usenix, 2011.
- BibTeX
@inproceedings{FinifterWagner11_ExploringRelationshipBetweenWebApplicationDevelopment, author = {Matthew Finifter and David Wagner}, title = {Exploring the Relationship Between Web Application Development Tools and Security}, booktitle = {Proceedings of the 2nd USENIX conference on Web application}, organization = {Usenix}, year = {2011}, abstract = {How should software engineers choose which tools to use to develop secure web applications? Different developers have different opinions regarding which language, framework, or vulnerability-finding tool tends to yield more secure software than another; some believe that there is no difference at all between such tools. This paper adds quantitative data to the discussion and debate. We use manual source code review and an automated black-box penetration testing tool to find security vulnerabilities in 9 implementations of the same web application in 3 different programming languages. We explore the relationship between programming languages and number of vulnerabilities, and between framework support for security concerns and the number of vulnerabilities. We also compare the vulnerabilities found by manual source code review and automated black-box penetration testing. Our findings are: (1) we do not find a relationship between choice of programming language and application security, (2) automatic framework protection mechanisms, such as for CSRF and session management, appear to be effective at precluding vulnerabilities, while manual protection mechanisms provide little value, and (3) manual source code review is more effective than automated black-box testing, but testing is complementary.}, URL = {http://www.truststc.org/pubs/851.html} }
Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the
Publications FAQ or
contact webmaster at www truststc org.
Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.