IEEE Security and Privacy
Web Application Security Assessment Tools
IEEE Security and Privacy
Detecting format string vulnerabilities with type qualifiers
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
State of the Art: Automated Black-Box Web Application Vulnerability Testing
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Nemesis: preventing authentication & access control vulnerabilities in web applications
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Why Johnny can't pentest: an analysis of black-box web vulnerability scanners
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Toward automated detection of logic vulnerabilities in web applications
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
IEEE Transactions on Software Engineering
Comparing bug finding tools with reviews and tests
TestCom'05 Proceedings of the 17th IFIP TC6/WG 6.1 international conference on Testing of Communicating Systems
Idea: java vs. PHP: security implications of language choice for web applications
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
A systematic analysis of XSS sanitization in web application frameworks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Let's parse to prevent pwnage invited position paper
LEET'12 Proceedings of the 5th USENIX conference on Large-Scale Exploits and Emergent Threats
An empirical analysis of input validation mechanisms in web applications and languages
Proceedings of the 27th Annual ACM Symposium on Applied Computing
An empirical study on the effectiveness of security code review
ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
An empirical study of vulnerability rewards programs
SEC'13 Proceedings of the 22nd USENIX conference on Security
| Hi-index | 0.00 |
How should software engineers choose which tools to use to develop secure web applications? Different developers have different opinions regarding which language, framework, or vulnerability-finding tool tends to yield more secure software than another; some believe that there is no difference at all between such tools. This paper adds quantitative data to the discussion and debate. We use manual source code review and an automated black-box penetration testing tool to find security vulnerabilities in 9 implementations of the same web application in 3 different programming languages. We explore the relationship between programming languages and number of vulnerabilities, and between framework support for security concerns and the number of vulnerabilities. We also compare the vulnerabilities found by manual source code review and automated black-box penetration testing. Our findings are: (1) we do not find a relationship between choice of programming language and application security, (2) automatic framework protection mechanisms, such as for CSRF and session management, appear to be effective at precluding vulnerabilities, while manual protection mechanisms provide little value, and (3) manual source code review is more effective than automated black-box testing, but testing is complementary.