
    Fighting Against XSS Attacks. A Usability Evaluation of OWASP ESAPI Output Encoding

    Cross Site Scripting (XSS) is one of the most critical vulnerabilities that exist in web applications. XSS can be prevented by encoding untrusted data before it is loaded into the browser content of a web application. Security Application Programming Interfaces (APIs) such as OWASP ESAPI provide output encoding functionality that programmers can use to protect their applications from XSS attacks. However, the fact that XSS is still ranked as one of the most critical vulnerabilities in web applications suggests that programmers are not effectively using those APIs to encode untrusted data. Therefore, we conducted an experimental study with 10 programmers in which they attempted to fix the XSS vulnerabilities of a web application using the output encoding functionality of OWASP ESAPI. The results revealed 3 types of mistakes that programmers made which caused them to fail to remove the XSS vulnerabilities from the application. We also identified 16 usability issues of OWASP ESAPI, and found that some of these usability issues were the reason for the mistakes that programmers made. Based on these results, we provide suggestions on how the usability of output encoding APIs should be improved to give programmers a better experience.
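    The abstract above treats output encoding as the defence against XSS and reports that programmers misuse the API even when it is available. The JavaScript below is an added illustration; it is not code from the paper or from the OWASP ESAPI project. It models the allow-list style of encoder ESAPI uses (everything except alphanumerics and a short immune list is encoded; the exact immune sets are an assumption here) and then shows one well-known way such an API is misused: HTML-encoding a value that actually lands inside a JavaScript string in an event-handler attribute. The browser's attribute parser decodes the entities before the JavaScript engine runs the handler, so the quote comes back and the payload executes. The `show()` handler and the render functions are hypothetical names used only for the demonstration.

```javascript
// Allow-list encoders modelled on the OWASP ESAPI approach (added example, not ESAPI code).
// Every character that is not alphanumeric or in the small immune list is encoded,
// so the output cannot carry syntax characters for the target context.
const ALNUM = /[A-Za-z0-9]/;

// HTML body context: numeric character references. Immune set assumed: , . - _ and space.
function encodeForHTML(input, immune = [",", ".", "-", "_", " "]) {
  let out = "";
  for (const ch of String(input)) {
    if (ALNUM.test(ch) || immune.includes(ch)) out += ch;
    else out += "&#x" + ch.codePointAt(0).toString(16) + ";";
  }
  return out;
}

// HTML attribute context: same as above, but space is NOT immune because an unquoted
// attribute value ends at whitespace.
function encodeForHTMLAttribute(input) {
  return encodeForHTML(input, [",", ".", "-", "_"]);
}

// JavaScript string-literal context: \xHH for code points below 0x100, \uHHHH otherwise.
// Immune set assumed: , . _
function encodeForJavaScript(input) {
  let out = "";
  for (const ch of String(input)) {
    const cp = ch.codePointAt(0);
    if (ALNUM.test(ch) || ",._".includes(ch)) out += ch;
    else if (cp < 0x100) out += "\\x" + cp.toString(16).padStart(2, "0");
    else if (cp < 0x10000) out += "\\u" + cp.toString(16).padStart(4, "0");
    else out += "\\u{" + cp.toString(16) + "}"; // ES2015 code point escape
  }
  return out;
}

// Simulates the step the HTML parser performs on an attribute value before the
// JavaScript engine sees an event handler: character references are decoded.
// Simplified to hexadecimal numeric references, which is all the encoders above emit.
function htmlDecodeNumeric(s) {
  return s.replace(/&#x([0-9a-fA-F]+);/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
}

// Mistake: HTML-encoding data that ends up inside a JavaScript string in onclick.
// The attribute decoder hands the raw quote straight to the JavaScript engine.
function renderHandlerWrong(userValue) {
  return `<button onclick="show('${encodeForHTML(userValue)}')">`;
}

// Correct: encode for the innermost context (JavaScript string) first, then for the
// outer context (HTML attribute). After attribute decoding the JS engine sees \x27,
// which stays inside the string literal.
function renderHandlerRight(userValue) {
  return `<button onclick="show('${encodeForHTMLAttribute(encodeForJavaScript(userValue))}')">`;
}

// Extracts what the JavaScript engine would receive as the handler source.
function handlerSource(markup) {
  const m = /onclick="([^"]*)"/.exec(markup);
  return htmlDecodeNumeric(m[1]);
}

// Constructed sample payload: breaks out of a single-quoted JS string.
const PAYLOAD = "');alert(document.cookie);//";

console.log("body  :", encodeForHTML("<script>alert(1)</script>"));
console.log("wrong :", handlerSource(renderHandlerWrong(PAYLOAD)));
console.log("right :", handlerSource(renderHandlerRight(PAYLOAD)));
```

    The `wrong` line prints `show('');alert(document.cookie);//')`, i.e. the payload has become live code, while the `right` line keeps the whole payload inside the string literal as escape sequences. The lesson for an output-encoding API user is that the encoder must be chosen for the innermost context the data reaches, and nested contexts need layered encoding from the inside out.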

    Designing a Serious Game: Teaching Developers to Embed Privacy into Software Systems

    Software applications continue to challenge user privacy when users interact with them. Privacy practices (e.g. Data Minimisation (DM), Privacy by Design (PbD) or the General Data Protection Regulation (GDPR)) and related "privacy engineering" methodologies exist and provide clear instructions for developers to build privacy into the software systems they develop so that those systems preserve user privacy. However, those practices and methodologies are not yet common practice in the software development community. There has been no previous research focused on developing "educational" interventions such as serious games to enhance software developers' coding behaviour. Therefore, this research proposes a game design framework as an educational tool for software developers to improve (secure) coding behaviour, so they can develop privacy-preserving software applications that people can use. The elements of the proposed framework were incorporated into a gaming application scenario that enhances software developers' coding behaviour through their motivation. The proposed work not only enables the development of privacy-preserving software systems but also helps the software development community to put privacy guidelines and engineering methodologies into practice.

    Developing a systematic approach to evaluate the usability of security APIs

    Security Application Programming Interfaces (APIs) play a major role in the software development process. They encapsulate complex security functionality to provide simple interfaces for programmers who are not experts in computer security. When security APIs are not usable, programmers make mistakes while developing applications, and those mistakes introduce security vulnerabilities into the applications. A major reason for the lack of usability of security APIs is that there is no systematic approach to evaluating their usability. A systematic approach would allow security API developers to identify usability issues in their APIs and fix them. This would enhance the usability of security APIs and hence prevent programmers from making mistakes while using them. This thesis addresses this issue by developing a systematic approach that consists of a set of usability aspects that need to be considered and a set of steps to follow when conducting a security API usability evaluation. By investigating the strengths and weaknesses of the different Usability Evaluation Methodologies (UEMs) available for general APIs, this thesis proposes a Cognitive Dimensions Framework (CDF) questionnaire as the most suitable UEM for evaluating the usability of security APIs. A four-step process was developed for conducting a usability evaluation. By reviewing the previous literature on security API usability, this thesis further developed a CDF with 15 dimensions that describe the usability aspects affecting security APIs. Thereafter, the developed UEM was evaluated by employing it to identify usability issues in four security APIs and measuring its thoroughness, validity, effectiveness, and reliability. The results of these evaluations indicated that over 80% of the usability issues in a security API can be identified by this methodology, with considerably good validity and reliability.
    Then, a systematic literature review and an empirical evaluation were conducted to improve the data analysis step of the proposed UEM. This step developed a set of guidelines for evaluators to follow when performing the data analysis. The evaluation revealed that the developed set of guidelines provides significant help to evaluators in analysing data collected with the CDF. Based on these results, this thesis contributes to knowledge by delivering a systematic approach that security API developers can follow to evaluate the usability of the security APIs they develop.

    On the privacy of mental health apps : An empirical investigation and its implications for app development

    An increasing number of mental health services are now offered through mobile health (mHealth) systems, such as mobile applications (apps). Although there is unprecedented growth in the adoption of mental health services, partly due to the COVID-19 pandemic, concerns about data privacy risks due to security breaches are also increasing. Whilst some studies have analysed mHealth apps from different angles, including security, there is relatively little evidence on the data privacy issues that may exist in mHealth apps used for mental health services, whose recipients can be particularly vulnerable. This paper reports an empirical study aimed at systematically identifying and understanding how data privacy is incorporated in mental health apps. We analysed 27 top-ranked mental health apps from the Google Play Store. Our methodology enabled us to perform an in-depth privacy analysis of the apps, covering static and dynamic analysis, data sharing behaviour, server-side tests, privacy impact assessment requests, and privacy policy evaluation. Furthermore, we mapped the findings to the LINDDUN threat taxonomy, describing how the threats manifest in the studied apps. The findings reveal important data privacy issues such as unnecessary permissions, insecure cryptography implementations, and leaks of personal data and credentials in logs and web requests. There is also a high risk of user profiling, as the apps do not provide foolproof mechanisms against linkability, detectability and identifiability. Data sharing among third parties and advertisers in the current app ecosystem aggravates this situation. Based on the empirical findings of this study, we provide recommendations to be considered by the different stakeholders of mHealth apps in general and app developers in particular.
    We conclude that while developers ought to be more knowledgeable in considering and addressing privacy issues, users and health professionals can also play a role by demanding privacy-friendly apps. Funding: Cyber Security Cooperative Research Centre (CSCRC, Australia); European Commission's H2020 Programme via the CyberSec4Europe project (Grant: 830929); Swedish Knowledge Foundation via the TRUEdig project; Region Värmland via the DigitalWell Arena project (Grant: RV2018-678).

    Comparison Between Performance of Various Database Systems for Implementing a Language Corpus

    Data storage and information retrieval are among the most important aspects of developing a language corpus. Currently most corpora use either relational databases or indexed file systems. When selecting a data storage system, the most important factors to consider are the speeds of data insertion and information retrieval. Besides the two aforementioned approaches, there are various other database systems with different strengths that may be more useful. This paper compares the performance of data storage and retrieval mechanisms that use relational databases, graph databases, column store databases and indexed file systems for steps such as inserting data into the corpus and retrieving information from it, and suggests an optimal storage architecture for a language corpus.