Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploring the Relationship Between Web Application Development Tools and Security Matthew Finifter and David Wagner University of California, Berkeley.

Published byMilton Lawrence Modified over 9 years ago

Similar presentations

Presentation on theme: "Exploring the Relationship Between Web Application Development Tools and Security Matthew Finifter and David Wagner University of California, Berkeley."— Presentation transcript:

1 Exploring the Relationship Between Web Application Development Tools and Security Matthew Finifter and David Wagner University of California, Berkeley

2 It’s a great time to be a developer! Languages PHPJ AVA R UBY P ERL P YTHON S CALA H ASKELL C OLD F USION … 2

3 It’s a great time to be a developer! LanguagesFrameworks Yii, ASP.NET, Zend, Struts, Django, Snap, GWT, RoR, Mason, Sinatra, CakePHP, Fusebox, Catalyst, Spring, Grails, Dancer, CodeIgniter, Tapestry, Pyjamas, Symfony PHPJ AVA R UBY P ERL P YTHON S CALA H ASKELL C OLD F USION … 3

4 It’s a great time to be a developer! LanguagesFrameworks Yii, ASP.NET, Zend, Struts, Django, Snap, GWT, RoR, Mason, Sinatra, CakePHP, Fusebox, Catalyst, Spring, Grails, Dancer, CodeIgniter, Tapestry, Pyjamas, Symfony PHPJ AVA R UBY P ERL P YTHON S CALA H ASKELL C OLD F USION … Object Relational Model (ORM) Framework Object Relational Model (ORM) Framework Templating Language Templating Language Libraries Libraries Vulnerability Remediation Tools or Services Vulnerability Remediation Tools or Services Client-side framework Client-side framework Meta-framework Meta-framework Content Management System (CMS) Content Management System (CMS) 4

5 Choice is great, but… How should a developer or project manager choose? How should a developer or project manager choose? Is there any observable difference between different tools we might choose? Is there any observable difference between different tools we might choose? What should you optimize for? What should you optimize for? How will you know you’ve made the right choices? How will you know you’ve made the right choices? We need meaningful comparisons between tools so that developers can make informed decisions. We need meaningful comparisons between tools so that developers can make informed decisions. 5

6 Talk Outline Introduction Introduction Goals Goals Methodology Methodology Results Results Conclusion and Future Work Conclusion and Future Work 6

7 Goals Encourage future work in this problem space Encourage future work in this problem space Introduce methodology for evaluating differences between tools Introduce methodology for evaluating differences between tools Evaluate security differences between different tools Evaluate security differences between different tools Programming Language Programming Language Web Application Development Framework Web Application Development Framework Process for Finding Vulnerabilities Process for Finding Vulnerabilities 7

8 Methodology Secondary data set from [Prechelt 2010] Secondary data set from [Prechelt 2010] Different groups of developers use different tools to implement the same functionality Different groups of developers use different tools to implement the same functionality Control for differences in specifications, human variability Control for differences in specifications, human variability Measure the security of the developed programs Measure the security of the developed programs Black-box penetration testing (Burp Suite Pro) Black-box penetration testing (Burp Suite Pro) Manual security review Manual security review Use statistical hypothesis testing to look for associations Use statistical hypothesis testing to look for associations 8

9 Limitations Experimental design Experimental design Only one security reviewer (me) Only one security reviewer (me) Application not necessarily representative Application not necessarily representative Small sample size Small sample size … and more (see the paper) … and more (see the paper) 9

10 Programming Language 3 Java teams, 3 Perl teams, 3 PHP teams 3 Java teams, 3 Perl teams, 3 PHP teams Look for association between programming language and: Look for association between programming language and: Total number of vulnerabilities found in the implementation Total number of vulnerabilities found in the implementation Number of vulnerabilities for each vulnerability class Number of vulnerabilities for each vulnerability class Main conclusion: 9 samples is too few to find these associations. Main conclusion: 9 samples is too few to find these associations. Maybe there is no association Maybe there is no association Maybe we need more data Maybe we need more data 10

11 Results: Total Vulnerabilities 11

12 Results: Stored XSS 12

13 Results: Reflected XSS 13

14 Results: SQL Injection 14

15 Results: Auth. Bypass 15

16 Results: “Binary” Vulnerabilities 16

17 Framework Support Different frameworks offer different features Different frameworks offer different features Taxonomy of framework support Taxonomy of framework support None None Manual Manual Opt-in Opt-in Opt-out Opt-out Always on Always on 17

18 Framework Support Labeled each (team number, vulnerability class) with a framework support level Labeled each (team number, vulnerability class) with a framework support level E.g., “team 4 had always-on CSRF protection” E.g., “team 4 had always-on CSRF protection” This data set allows us to consider association between level of framework support and vulnerabilities. This data set allows us to consider association between level of framework support and vulnerabilities. In other words, does a higher level of framework support help? In other words, does a higher level of framework support help? 18

19 Framework Support No associations found for XSS, SQL injection, auth. bypass, or secure password storage. No associations found for XSS, SQL injection, auth. bypass, or secure password storage. Statistically significant associations found for CSRF and session management. Statistically significant associations found for CSRF and session management. 19

20 Individual Vulnerability Data More data to shed light on frameworks More data to shed light on frameworks How far away from chosen tools to find framework support? How far away from chosen tools to find framework support? Framework used Framework used Newer version of framework used Newer version of framework used Another framework for language used Another framework for language used Some framework for some language Some framework for some language No known support No known support For both automatic and manual framework support For both automatic and manual framework support 20

21 Individual Vulnerability Data (Manual Support) 21

22 Individual Vulnerability Data (Automatic Support) 22

23 Method of Finding Vulnerabilities Automated black-box penetration testing Automated black-box penetration testing Manual source code review Manual source code review 23

24 Method of Finding Vulnerabilities 24

25 Results: Stored XSS 25

26 Results: Reflected XSS 26

27 Results: SQL Injection 27

28 Results: Auth. Bypass 28

29 Results: “Binary” Vulnerabilities 29

30 Related Work B AU ET AL. State of the Art: Automated Black-box Web Application Vulnerability Testing. B AU ET AL. State of the Art: Automated Black-box Web Application Vulnerability Testing. D OUPÉ ET AL. Why Johnny Can’t Pentest: An Analysis of Black-Box Web Vulnerability Scanners. D OUPÉ ET AL. Why Johnny Can’t Pentest: An Analysis of Black-Box Web Vulnerability Scanners. P RECHELT ET AL. Plat_Forms: A Web Development Platform Comparison by an Exploratory Experiment Searching for Emergent Platform Properties. P RECHELT ET AL. Plat_Forms: A Web Development Platform Comparison by an Exploratory Experiment Searching for Emergent Platform Properties. W AGNER ET AL. Comparing Bug Finding Tools with Reviews and Tests. W AGNER ET AL. Comparing Bug Finding Tools with Reviews and Tests. W ALDEN ET AL. Java vs. PHP: Security Implications of Language Choice for Web Applications. W ALDEN ET AL. Java vs. PHP: Security Implications of Language Choice for Web Applications. WhiteHat Website Security Statistic Report, 9 th Edition. WhiteHat Website Security Statistic Report, 9 th Edition. 30

31 Conclusion We should quantify our tools along various dimensions We should quantify our tools along various dimensions This study started (but did not finish!) that task for security This study started (but did not finish!) that task for security Language, framework, vulnerability-finding method Language, framework, vulnerability-finding method 31

32 Conclusion Web security is still hard; each implementation had at least one vulnerability. Web security is still hard; each implementation had at least one vulnerability. Level of framework support appears to influence security Level of framework support appears to influence security Manual framework support is ineffective Manual framework support is ineffective Manual code review more effective than black-box testing Manual code review more effective than black-box testing But they are complementary. But they are complementary. And they perform differently for different vulnerability classes And they perform differently for different vulnerability classes 32

33 Future Work Gathering and analyzing larger data sets Gathering and analyzing larger data sets Other dimensions: reliability, performance, maintainability, etc. Other dimensions: reliability, performance, maintainability, etc. Deeper understanding of why some tools fare better than others Deeper understanding of why some tools fare better than others Not just web applications! Not just web applications! 33

34 Thank you! Matthew Finifter finifter@cs.berkeley.edu 34

Download ppt "Exploring the Relationship Between Web Application Development Tools and Security Matthew Finifter and David Wagner University of California, Berkeley."

Similar presentations

Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.

Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
The Geant4 physics validation repository

The Geant4 physics validation repository
The Jukebox Orian Paz & Yair Cleper Instructor: Viktor Kulikov Semester: Spring 2009 Final Presentation.

The Jukebox Orian Paz & Yair Cleper Instructor: Viktor Kulikov Semester: Spring 2009 Final Presentation.
HCI and Usability Issues of Multimedia Internet broadcasting Lecture 3.

HCI and Usability Issues of Multimedia Internet broadcasting Lecture 3.
CS 491B Project Web Galaxy Wendy Tan Web Galaxy Project Introduction Demo Analysis.

CS 491B Project Web Galaxy Wendy Tan Web Galaxy Project Introduction Demo Analysis.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
CMP3265 – Professional Issues and Research Methods Research Proposals: n Aims and objectives, Method, Evaluation n Yesterday – aims and objectives: clear,

CMP3265 – Professional Issues and Research Methods Research Proposals: n Aims and objectives, Method, Evaluation n Yesterday – aims and objectives: clear,
Parameterizing Random Test Data According to Equivalence Classes Chris Murphy, Gail Kaiser, Marta Arias Columbia University.

Parameterizing Random Test Data According to Equivalence Classes Chris Murphy, Gail Kaiser, Marta Arias Columbia University.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Company LOGO B2C E-commerce Web Site Quality: an Empirical Examination (Cao, et al) Article overview presented by: Karen Bray Emilie Martin Trung (John)

Company LOGO B2C E-commerce Web Site Quality: an Empirical Examination (Cao, et al) Article overview presented by: Karen Bray Emilie Martin Trung (John)
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Static Analysis for Dynamic Assessments Greg Patton | September 2014.

Static Analysis for Dynamic Assessments Greg Patton | September 2014.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Software Development Unit 6.

Software Development Unit 6.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
PRESENTED BY ESHWARI MENTE, NAVEEN DANTURI, AGASTHESWAR.

PRESENTED BY ESHWARI MENTE, NAVEEN DANTURI, AGASTHESWAR.
By Jeerarat Boonyanit. As you can see I have chosen Cpanel for my server management tool. cPanel is a Linux based web hosting control panel that provides.

By Jeerarat Boonyanit. As you can see I have chosen Cpanel for my server management tool. cPanel is a Linux based web hosting control panel that provides.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Similar presentations

Ads by Google