The use of strong web-application architecture with strong development: declarative security configurations for Java EE platform based web applications. Your experience with web development? Your experience with implementing security? Have you used Java EE 6, Spring Security or Apache Shiro? What do . The Open Web Application Security Project (OWASP). Threat risk modeling is the most important mitigation development in web application . Uses the Java language to produce fast applications (nearly as fast as C++).
Language: English, Spanish, Indonesian
ePub File Size: 25.54 MB
PDF File Size: 9.75 MB
Distribution: Free* [*Registration Required]
Encapsulating security requirements for web development with the Java programming platform, Secure Java: Highlighting state-of-the-art tools for web application security testing, it supplies valuable insight on how . Secure Java for Web Application Development. Books on Software and Systems Development and Engineering from Auerbach. Iron-Clad Java: Building Secure Web Applications / Manico & Detlefsen. To integrate application security into each stage of the software development .
A more complete discussion of the issues in interpreting reported vulnerability statistics can be found in . Static analysis has the advantage that it can be used as soon as code is available without requiring software installation. However, static and dynamic analysis tools may find different vulnerabilities, and both static and dynamic analysis results may include false positives, which are unlikely to occur in public vulnerability databases.

Table 1. PHP Open Source Web Applications (only the project names achievo, obm, roundcube, mediawiki and po survived extraction)

To be selected, an application had to have a Subversion [...]. The fourteen applications studied were the only applications listed on freshmeat [...]. We found an order of 25, to , lines. While some [...].

We chose static analysis as the technique to measure vul[...] [...]lyze, choosing the first change to be made during that week. We wanted to observe the projects using identical time intervals, which neither individual revisions nor official releases would have permitted. Additionally, a single revision typically involves the alteration of only two to three lines of code, rarely in[...]. Public releases were too few and irregular in schedule to use for our analysis. It is also important to note that since these projects have public source repositories, users who need fixes immediately or who want features quickly frequently download and use source code from the repository without waiting for an [...].

[...] section 8, the false positive rate is not high enough to reduce the number of vulnerabilities found to the number of reported vulnerabilities. We measured vulnerability density using the static analysis vulnerability density (SAVD) metric. [...] reports. Researchers at Microsoft found static analysis defect density to be an accurate predictor of pre-release defect density . We used the Fortify Source Code Analyzer version 5. Lines of code were measured using the source lines of code (SLOC) metric, which excludes blank lines and comments. We analyzed the number of vulnerabilities in each application by counting the number of vulnerabilities found in an application. While user input could reach a single SQL injection vulnerability through multiple code paths, the vulnerability is only counted once.

While commercial static analysis tools have become more widely used in recent years, these tools are rarely used in open source development due to their high cost. Open source static analysis tools are free, but we found only three open source tools for PHP: [...]. None of these tools can serve as a replacement for a commercial static analysis tool.

There are multiple [...] [re]ported vulnerabilities from a database such as the National [...]. There are several causes for the undercount: The Common Vulnerabilities and Exposures (CVE) guidelines, which are the source of most NVD vulnerabilities, require merging vulnerabilities of the same type in the same version into a single entry .

In addition to static analysis vulnerability density, we [...]. Churn is a measure of the size of changes between versions, being the sum of the number of lines of code added and changed. Nesting complexity counts the depth of nested conditionals and loops. Cyclomatic Com[...]. Churn and number of deleted lines were computed from Subversion diffs by a custom Ruby script.

Results

Security problems identified by static analysis in the selected open source web applications decreased from Summer to Summer . Examining the aggregate code base of all fourteen web applications, we found vulnerabilities in the initial set of revisions and vulnerabilities in the final set of revisions. At the same time, code size grew from , lines to 1,, lines. The combined reduction in vulnerabilities and growth in code size produced a change in static analysis vulnerability density from 8. [...]. However, they are smaller than the average vulnerability density of [...]. The use of different languages and classes of applications is likely the cause of some of the difference between these results and ours. The Coverity study used a different static analysis tool, which is another source of difference.

Vulnerability density varied widely between projects, with initial revisions ranging from 0 to [...]. In the final set of revisions, variation in SAVD was smaller, ranging from 0. [...]. Vulnerability density decreased in six projects and increased in the other eight projects over the period studied. All of the projects except for two increased in size. Figure 1 shows the change in vulnerability density between the initial and final revision for each project.

Static analysis vulnerability density of projects did not correlate with the number of vulnerabilities reported in the National Vulnerability Database. The reasons for vulnerability reports undercounting the number of vulnerabilities were discussed above. However, the number of NVD vul[...] [...]fort to constructing exploits for widely deployed systems or vulnerability researchers preferring to analyze higher profile software.

The reasons for large changes in code size or vulnerability count were sometimes discernible from Subversion log entries or diffs between revisions. For example, two projects merged libraries into their code bases, increasing code size dramatically with a single revision. One of those two projects, Achievo, merged the ATK project into the repository in January , increasing both code size and vulnerability density. Application code size and vulnerability count over time are shown in figure 2. The application dramatically decreased the number of vulnerabilities in a single revision. Examination of Subversion comments revealed that the entire process for handling input was changed, including the addition of new data sanitization code in a single large revision. After that fix, the vulnerability count remained constant despite many modifications and continual growth [...].

5. [...]

Based on prior research [6, 16, 17, 18, 20, 22], we selected software metrics which had demonstrated correlations to vulnerability or defect density. These metrics are churn, cyclomatic complexity, and nesting complexity. We also examined revision number and SLOC, but these results [...]. Average CC is total CC divided [...]. Max CC is the largest CC value for all functions in a project. The Spear[...]. For simplicity, the Cohen Scale scale is [...].

As Shin found for Mozilla, we observed weak correlations with complexity metrics. Though weak, the correlations are statistically significant, and the most promising [...]. Our results agree with previous studies except for Nagappan and Ball , as we observed no significant correlation between churn and vulnerability density. A possible reason for the difference is because Nagappan examined two official releases while we studied weekly revisions. No previous study found a single [...].

We also computed correlations on a per project basis. [...] and all significant negative correlations are in italics.

[Table: Project SAVD and metric correlations; values not recovered, only the row labels dotproject and obm survived extraction]

This table illustrates the diversity of projects with respect to the individual metrics and indicates that caution should be used when using metrics to predict vulnerability densities. There are a large number of negatively correlated results for all three metrics indicating they are a poor measure [...].

Figure 3. Metric correlations with SAVD for the individual project.

Maximum or average CC could be used as a weak indicator of security vulnerabilities. There are two metrics with significant negative correlations: TotalNest and TotalCC. These results indicate that as the metric value increases, the vulnerability density decreases, or that as the value decreases, the vulnerability density increases. Total complexity metrics, which sum the [...], have the same complexity as a program consisting of a single high complexity function.

6. Vulnerability Type Analysis

We examined the vulnerabilities by category. [...] The tool can detect other types of vulnerabilities, [...] the second most common vulnerability in the final revision. In order, these five types are cross-site scripting, SQL injection, path manipulation, dangerous function, and dangerous file inclusion. Figure 4 shows the types. MITRE does not use the dangerous function category reported by Fortify and has buffer overflow as their fourth most common vulnerability type, which is not a flaw found in PHP applications though it can occur in the PHP interpreter itself. While the overall count of vulnerabilities decreased from the initial to the final revision, only six of the thirteen categories [...]. The six vulnerability types that decreased included the three most common types: [...]. Figure 6 shows the changes in vulnerability count for each category. The distribution of types of flaws changed between the initial and final revisions. Cross-site script[...].

Figure 4. Initial Revision Types

Figure 6. [caption not recovered]

The metric with the greatest number of medium correlations [...] the value of this metric, the more security flaws existed for the vulnerabilities listed in table 4. [...] metrics evaluated here.

[Table 4 residue: Vulnerability Types; only the row label Dangerous File Inclusion survived extraction]

Figure 7 presents the change in SAVD for the fourteen projects di[...]. Large improvements can be seen in figure 7 for po, squirrelmail, and WordPress. These improvements were largely made through the elimination of SQL injection, path manipulation, and cross-site scripting errors in these projects. Most other projects show small decreases in SQL injection vulnerabilities over the two years; only three projects saw a small increase of less than ten vulnerabilities for this category: WordPress, po and squirrelmail. Surprisingly, seven projects had more cross-site scripting vulnerabilities at the end of the study, and two of those (dotproject and phpmyadmin) added more than [...]. Path manipulation has a similar profile, though only a single project (dotproject) added more than [...] vulnerabilities. The same three projects showed the greatest improvement in path manipulation as in SQL injection. The vulnerability type with the largest increase, dangerous file inclusion, is only clearly visible on the graph for dotproject. No project saw a substantial de[...].

7. Security Resource Indicator

To measure the importance of security to a project, we searched for public security resources made available on the web site for the project. The security resource indicator is based on four items: [...] database of security vulnerabilities specific to the application, and documentation of secure development practices, such as coding standards or techniques to avoid common secure programming errors. These indicators differ from those used by Fortify in their study of Java applications in that we eliminated their indicator about easy access to security experts, which we found ambiguous, and we added the last two indicators described above, which are focused more on developers than on users of the application. Table 5 shows the indicators for each project.

Table 5 (indicators for each project; columns URL, Email, List, Coding; only two rows survived extraction)
achievo: no, no, no, no
dotproject: no, no, no, yes

The choice of language impacts both code size and types of possible vulnerabilities, so these results may not generalize to web applications written in other languages.

Attack scenarios in modern web applications
Browser protection attempts like same origin policy (SOP) etc.
The course also includes offensive parts of real-world exploitation of the security holes in order to fully understand the individual impact on a complete software system, like stealthy session stealing, user impersonation, sensitive data exfiltration, remote filesystem access, attacker shells, server takeover, etc. But as the main focus is the mitigation of security problems: At the end of the workshop, even prophylactic protection techniques and best practices like tokens, URL encryption etc.
Each attack is covered in the demo application with multiple coding examples derived from my real-world pentesting and development experience as a freelance pentester and Java software developer. The main intention behind this course is to learn and practice web application hardening by finding security holes step by step and closing them.
As attendees assume both roles, the attacker's point of view as well as the developer's defense point of view, code-review and pentesting skills will be learned in addition to the defence strategies. I had the chance to hold this training over a hundred times during the last years and constantly improved it for national and international companies ranging from small IT startups to big enterprises.