Securing code is crucial for all software stakeholders. Nevertheless, state-of-the-art tools are imperfect and tend to miss critical errors, resulting in zero-day vulnerabilities. Thus, there is a ...need for alternatives to mitigate such issues.
We aim to facilitate an effective identification mechanism of security flaws in the early stages of development.
Following our analysis of the root causes of vulnerabilities and examining existing code analyzers, we devise a new Rule-Based Security Flaws Prevention (RbSFP) tool. The tool is based on a set of allow-list rules and consists of the following stages: (1) AST creation based on the source code and marking critical code areas; (2) Context-based code analysis that further validates the code; (3) Results’ normalization to suggest alerts and warnings. To evaluate the RbSFP tool, we utilized two complementary evaluations. The first refers to the tool’s ability to detect security flaws compared to competing tools by executing them on open-source projects. The second refers to evaluating the tool’s usability and efficiency via a controlled experiment.
We found that the outcomes were of better quality when using the RbSFP tool, and the differences were statistically significant. Thus, utilizing the new approach and tool has a significant impact as it can eliminate root causes for security flaws at the early stages of development.
Using an allow-list-based approach can reduce security flaws in the code. However, further analysis and evaluation are needed to provide a more comprehensive solution.
Microservices define an architectural style that conceives systems as a suite of modular, independent and scalable services. While application design is now simpler, designing secure applications is ...in general harder than for monolithic applications and the current literature offers little orientation to architects and developers regarding solutions. This article describes the design and results of a multivocal literature review of the security solutions that have been proposed for microservice-based systems. The study yielded 370 academic articles and 620 grey literature; duplicates removal and the application of exclusion criteria left 36 from the academic literature and 34 from the grey literature. The security solution(s) proposed in each article were classified into variations of standard security mechanisms (e.g., Access Control) and scopes (Info Management, Threat Modeling, etc), and were associated to security contexts (detect, mitigate/stop, react, recover from attack). Our research questions addressed frequency of publications, research methodologies, security mechanisms, and security contexts. Key findings were that (1) both kinds of literature differ in their preferred empirical research strategies (examples, experiments and case studies); (2) The solutions proposed in the 70 selected articles correspond to 15 classifications of security mechanisms and analyses; (3) the most mentioned security mechanisms are Authentication and Authorization; (4) around 2/3 of solutions focused on Mitigate/Stop attacks, but none on reacting and recovering from them, and (5) the methodologies used are mostly block diagrams and code, with little use of models or analysis. These findings hold for both grey and academic literature. This study is a first step towards providing secure software researchers and practitioners a comprehensive catalog of security solutions and mechanisms, and where the clear identification of the most used security solutions will simplify their reuse to address security problems while designing microservice-based systems.
Application Programming Interfaces (APIs) in cryptography typically impose concealed usage constraints. The violations of these usage constraints can lead to software crashes or security ...vulnerabilities. Several professional tools can detect these constraints (API misuses) in cryptography; however, in the educational programs, the focus has been less on helping students implement an application without cryptographic API misuses that are caused by either a lack of cryptographic knowledge or programming mistakes.
To address the problem, we present an intelligent tutoring approach SSDTutor for educating Secure Software Development. Our tutoring approach helps students or developers repair cryptographic API misuse defects by leveraging an automated program repair technique based on the usage patterns of cryptographic APIs. We studied the best practices of cryptographic implementations and encoded eight cryptographic API usage patterns. For quality feedback, we leverage a clone detection technique to recommend related feedback for helping students understand why their programs are incorrect, rather than blindly accepting repairs.
We evaluated SSDTutor on 456 open source subject projects implemented with cryptographic APIs. SSDTutor successfully detected 1,553 out of 1,573 misuse defects with 98.9% accuracy and repaired 1,551 out of 1,573 misuse defects with 99.3% accuracy. In a user study involving 22 students, the participants reported that interactive SSDTutor's feedback recommendation could be valuable for novice students to learn about the correct usages of cryptography APIs.
•An intelligent tutoring approach for educating secure software development.•An automated repair approach for cryptographic API misuse defects.•Eight cryptographic API usage patterns for the best practices of cryptographic implementations.•Quality feedback to understand why programs are incorrect, rather than blindly accepting repairs.
This research delves into the critical aspects of information security during the implementation stage of the Software Development Life Cycle (SDLC). By employing a systematic literature review, the ...study synthesizes findings from various digital repositories, including IEEE Xplore, ACM Digital Library, Scopus, and ScienceDirect, to outline a comprehensive framework addressing the implementation stage's unique security challenges. This research contributes to the field by proposing a novel assurance model for software development vendors that focuses on enhancing information security measures during the implementation stage. The study's findings reveal 12 key steps organizations can adopt to mitigate security risks and enhance information security measures during this critical phase. These steps provide actionable insights and strategies tailored to support security protocols effectively. The article concludes that by incorporating these steps, organizations can significantly improve their security posture, ensuring the integrity and reliability of the software development process, particularly during the implementation stage. This approach not only addresses immediate security concerns but also sets a precedent for future research and practice in secure software development, particularly in the critical implementation stage of the SDLC.
In the modern digital era, software systems are extensively adapted and have become an integral component of human society. Such wide use of software systems consists of large and more critical data ...that inevitably needs to be secured. It is imperative to make sure that these software systems not only satisfy the users' needs or functional requirements, but it is equally important to make sure the security of these software systems. However, recent research shows that many software development methods do not explicitly include software security measures during software development as they move from demand engineering to their final losses. Integrating software security at each stage of the software development life cycle (SDLC) has become an urgent need. Tackling software security, various methods, techniques, and models have been suggested and developed, however, only a few of them provide strong evidence for building secure software applications. The main purpose of this research is to study security measures in the context of the development of secure software (SSD) during the study of systematic mapping (SMS). Based on the inclusion and exclusion criteria, 116 studies were selected. After the data extraction from the selected 116 papers, these were classified based on the quality assessment, software security method, SDLC phases, publication venue, and SWOT analysis. The results indicate that this domain is still immature and sufficient research work needs to be carried out particularly on empirically evaluated solutions.
Enterprises and organizations have difficulties to protect their web-based services against cyber-attacks. Due to increasing number of cyber-attacks, critical data including customer data, patient ...data etc. are leaked and critical services like online banking become unavailable for long period of time. The studies of Gartner, OWASP, SANS and similar organizations have shown that today’s cyber-attacks target mostly application layer. This means that application developers design and implement insecure web applications and black-hat hackers exploit these security weaknesses to get unauthorized accesses to critical databases. Insecure development of web developers is still a big challenge to solve. The top one risk “SQL Injection” from OWASP Top 10 list can be given as a concrete example. This vulnerability was discovered 20 years ago, but web developers are still mostly unaware of its prevention methods. The weak communication between web developers and security experts is one of the main reasons of insecurely developed applications. Even though security experts have the knowledge of all preventions methods for all types of security vulnerabilities, they are insufficient to transfer this knowledge to web developers. Secure software development lifecycles methodologies like Microsoft SDL, OpenSAMM, BSIMM have been also proposed in order to integrate required security activities into all phases of software development. But the security activities required by these methodologies are not integrated within development environments and therefore secure coding awareness of developers cannot be efficiently achieved. In this paper, we suggest new methods and discuss open academic research issues for integration of secure SDLC activities including secure coding practices and secure architecture patterns into development IDEs (Integrated Development Environments). Providing this, web developers can access to secure coding procedures and best-practices directly within their IDEs, increase their security awareness and develop more secure applications. As a result, the numbers of security vulnerabilities would drastically decrease and critical data leakages can be prevented.
The software development environment is focused on reaching functional products in the shortest period by making use of the least amount of resources possible. In this scenario, crucial elements such ...as software quality or software security are not considered at all, and in most cases, the high value offered to the projects is not taken into account. Nowadays, agile models are booming. They are defined by the way they achieve the interaction and integration of everyone involved in the software life cycle, the advantages of the quick reaction to change, and the implementation of artifacts or deliverables which display the level of progress reached at any time. In this context, it seems clearly necessary to define a new software development model, which prioritizes security aspects at any phase of the software life cycle and takes advantage of the benefits of the agile models. The proposed methodology shows that if security is considered from the beginning, vulnerabilities are easily detected and solved during the time planned for the project, with no extra time nor costs for the client and it increases the possibilities of reaching success in terms of not only functionality but also quality.