Finding Security Bugs in Web Applications using a Catalog of Access Control Patterns

We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns in which each pattern models a common access control use case. Our implementation, Space, checks that every data exposure allowed by an application's code matches an allowed exposure from a security pattern in our catalog. The only user-provided input is a mapping from application types to the types of the catalog; the rest of the process is entirely automatic. In an evaluation on the 50 most watched Ruby on Rails applications on Github, Space reported 33 possible bug--|23 previously unknown security bugs, and 10 false positives.National Science Foundation (U.S.) (Grant 0707612

I'd Like to Have an Argument, Please:Using Dialectic for Effective App Security

The lack of good secure development practice for app developers threatens everyone who uses mobile software. Current practice emphasizes checklists of processes and security errors to avoid, and has not proved effective in the application development domain. Based on analysis of interviews with relevant security experts, we suggest that secure app development requires 'dialectic': challenging dialog with a range of counterparties, continued throughout the development cycle. By further studying the different dialectic techniques possible in programmers' communications, we shall be able to empower app developers to produce the secure software that we need

Challenging Software Developers:Dialectic as a Foundation for Security Assurance Techniques

Development teams are increasingly expected to deliver secure code, but how can they best achieve this? Traditional security practice, which emphasises 'telling developers what to do' using checklists, processes and errors to avoid, has proved difficult to introduce. From analysis of industry interviews with a dozen experts in app development security, we find that secure development requires dialectic: a challenging dialog between the developers and a range of counterparties, continued throughout the development cycle. Analysing a further survey of sixteen industry developer security advocates, we identify the six assurance techniques that are most effective at achieving this dialectic in existing development teams, and conclude that the introduction of these techniques is best driven by the developers themselves. Concentrating on these six assurance techniques, and the dialectical interactions they involve, has the potential to increase the security of development activities and thus improve software security for everyone

Automation of Authorisation Vulnerability Detection in Authenticated Web Applications

In the beginning the World Wide Web, also known as the Internet, consisted mainly of websites. These were essentially information depositories containing static pages, with the flow of information mostly one directional, from the server to the user’s browser. Most of these websites didn’t authenticate users, instead, each user was treated the same, and presented with the same information. A malicious party that gained access to the web server hosting these websites would usually not gain access to confidential information as most of the information on the web server would already be accessible to the public. Instead, the malicious party would typically modify the files that are on the server in order to deface the website or use the server to host pirated materials. At present, the majority of websites available on the public internet are applications; these are highly functional and rely on two-way communication between the client’s browser and the web server hosting the application. The content on these applications is typically generated dynamically, and is often tailored towards each specific user, with much of the information dealt with being confidential in nature. A malicious party that compromises a web application, and gains access to confidential information which they normally should not be able to access, may be able to steal personal client information, commit financial fraud, or perform other malicious actions against those users whose personal information has been leaked. This thesis seeks to examine the access controls that are put in place across a variety of web applications that seek to prevent malicious parties from gaining access to confidential information they should not be able to access. It will test these access controls to ensure that they are robust enough for their purpose, and aims to automate this procedure

How to Improve the Security Skills of Mobile App Developers:An Analysis of Expert Knowledge

Much of the world relies heavily on apps. Increasingly those apps handle sensitive information: controlling our financial transactions, enabling our personal communication and holding intimate details of our lives. So the security of those apps is becoming increasingly vital. Yet research shows that those apps contain frequent security and privacy problems; and that almost all of these issues could have been avoided had the developers had sufficient motivation, support and knowledge. This lack of developer knowledge and support is widely perceived as a major threat. We therefore investigated the skills, approach and motivation required for developers. We conducted a Constructivist Grounded Theory study, involving face-to-face interviews with a dozen experts whose cumulative experience totalled over 100 years of secure app development, to develop theory on secure development techniques. The study identified that the subdiscipline of app development security is still at an early stage, and found surprising discrepancies between current industry understanding and the experts’ recommendations. In particular it found that a secure development process tends not to appeal to app developers; and that the approach of identifying common types of security problems is too limited to give an effective security solution. Instead we identified a set of successful techniques we call ‘Dialectical Security’, where ‘dialectic’ means learning by questioning. These techniques use dialogue with a range of counterparties to achieve app security in an effective and economical way. The security increase comes from continued dialog, not passive learning. The novel contribution of our work is to provide: A grounded theory of secure app development that challenges conventional processes and checklists, and A shift in perspective from process to dialectic. Only by working to develop the Dialectical Security skills of app developers shall we begin to see the kinds of secure apps we need to combat crime and privacy invasions

Data Model Verification via Theorem Proving

Software applications have moved from desktop computers onto the web. This is not surprising since there are many advantages that web applications provide, such as ubiquitous access and distributed processing power. However, these benefits come at a cost. Web applications are complex distributed systems written in multiple languages. As such, they are prone to errors at any stage of development, and difficult to verify, or even test. Considering that web applications store and manage data for millions (even billions) of users, errors in web applications can have disastrous effects.In this dissertation, we present a method for verifying code that is used to access and modify data in web applications. We focus on applications that use frameworks such as Ruby on Rails, Django or Spring. These frameworks are RESTful, enforce the Model-View-Controller architecture, and use Object Relational Mapping libraries to manipulate data. We developed a formal model for data stores and data store manipulation, including access control. We developed a translation of these models to formulas in First Order Logic (FOL) that allows for verification of data model invariants using off-the-shelf FOL theorem provers. In addition, we developed a method for extracting these models from existing applications implemented in Ruby on Rails. Our results demonstrate that our approach is applicable to real world applications, it is able to discover previously unknown bugs, and it does so within minutes on commonly available hardware