9 research outputs found

    Developer-oriented Web Security by Integrating Secure SDLC into IDEs

    Enterprises and organizations have difficulty protecting their web-based services against cyber-attacks. Due to the increasing number of cyber-attacks, critical data including customer data, patient data, etc. are leaked and critical services like online banking become unavailable for long periods of time. The studies of Gartner, OWASP, SANS and similar organizations have shown that today's cyber-attacks mostly target the application layer. This means that application developers design and implement insecure web applications and black-hat hackers exploit these security weaknesses to gain unauthorized access to critical databases. Insecure development by web developers is still a big challenge to solve. The top risk "SQL Injection" from the OWASP Top 10 list can be given as a concrete example. This vulnerability was discovered 20 years ago, but web developers are still mostly unaware of its prevention methods. The weak communication between web developers and security experts is one of the main reasons for insecurely developed applications. Even though security experts have knowledge of all prevention methods for all types of security vulnerabilities, they are insufficient at transferring this knowledge to web developers. Secure software development lifecycle methodologies like Microsoft SDL, OpenSAMM and BSIMM have also been proposed in order to integrate the required security activities into all phases of software development. But the security activities required by these methodologies are not integrated within development environments, and therefore secure coding awareness of developers cannot be efficiently achieved. In this paper, we suggest new methods and discuss open academic research issues for the integration of secure SDLC activities, including secure coding practices and secure architecture patterns, into development IDEs (Integrated Development Environments). Providing this, web developers can access secure coding procedures and best practices directly within their IDEs, increase their security awareness and develop more secure applications. As a result, the number of security vulnerabilities would drastically decrease and critical data leakages could be prevented.

    Cracking more password hashes with patterns

    WOS: 000359984600009
    It is a common mistake of application developers to store user passwords within databases as plaintext or only as their unsalted hash values. Many real-life successful hacking attempts that enabled attackers to gain unauthorized access to sensitive database entries, including user passwords, have been experienced in the past. After seizing password hashes, attackers perform brute-force, dictionary or rainbow-table attacks to reveal plaintext passwords from their hashes. Dictionary attacks are very fast for cracking hashes, but their success rate is not sufficient. In this paper, we propose a novel method for improving dictionary attacks. Our method exploits several password patterns that are commonly preferred by users when trying to choose a complex and strong password. In order to analyze and show the success rates of our developed method, we performed cracking tests on real-life leaked password hashes using both a traditional dictionary and our pattern-based dictionary. We observed that our pattern-based method is superior for cracking password hashes.

    OWASP Guidelines and Tools for Secure SDLC

    Extending P3P/Appel for Friend Finder

    FriendFinder, as a location-based service, collects location data from mobile users and distributes a particular user's location upon request. Privacy of users' data, especially location data, needs to be guaranteed from both user and legacy perspectives. W3C's privacy recommendation for the internet platform, P3P/Appel, only considers the privacy relations between the users and the service providers. In this paper, we explain the shortcomings of P3P/Appel for providing privacy in FriendFinder and propose enhancements to the P3P/Appel policy languages.

    Abused android permissions by advertising networks

    Android is the leading mobile operating system for smartphone and mobile tablet platforms. Since these mobile devices contain personal and sensitive data, security is a big challenge for them. Even though various security features are supported by Android, its permission model is quite problematic from usability and privacy aspects. When users want to install an application, they must grant all requested permissions. Since manually checking dozens of permissions is cumbersome, users ignore them and accept permissions without reading them. In the Google Play Store, there exist thousands of applications that request more permissions than they actually need. Applications with unnecessary permissions can misuse their permissions and endanger their users' security and privacy. In particular, advertising network libraries integrated within applications request many unnecessary permissions and get unauthorized access to users' personal data. In this paper, we explain the results of our study, which analyzes several advertising networks, their permission requests and their behavior for accessing critical resources.
    Publisher / sponsors: IEEE; IEEE Computer Society; Inst Creative Advanced Technologies Sci & Engn; University of Science and Technology Beijing; Kyonggi University; Korea Ind Security Forum; Korean Convergence Security Asso

    WIVET-benchmarking coverage qualities of web crawlers

    WOS: 000397192400008
    Web application vulnerability scanners (WAVS) include crawler components to extract all accessible links of tested web pages in order to identify attack entry points and parameters. After extracting links, they perform different types of attacks over each extracted link and try to find existing vulnerabilities in the tested web application for reporting. A WAVS tool that has a low-quality crawler component would generate false-negative results, since failing to discover existing links would inhibit the detection of possible vulnerabilities exposed through these links. Therefore, the coverage quality of its crawler plays a very important role in the success of a WAVS tool. In this paper, we propose a novel method for analyzing and comparing the coverage qualities of WAVS crawlers. We developed WIVET (Web Input Vector Extractor Teaser) as a benchmarking tool for analyzing the crawler components of WAVS. WIVET evaluates WAVS crawlers based on their ability to extract 56 target links that are generated statically or dynamically by WIVET's 21 test cases. We explain WIVET's architecture, all WIVET test cases and target links with code examples, the integration of WIVET into WAVS development environments, and WAVS benchmarking results in detail.
    Funding: TUBITAK, The Scientific and Technical Research Council of Turkey (grant BIDEB 2232, Project No.: 114C104)

    Issues on Designing a Cryptographic Compiler

    Flawed implementations of security protocols are a major source of real-world security problems. Typically, security protocols are specified in some "high-level" way and may even be formally proven secure. Implementing them in practical (and comparatively low-level) source code has turned out to be error-prone. This paper introduces an experimental language for high-level protocol specifications and describes a tool to automatically compile source code from these specifications.