Many of today's application security vulnerabilities are introduced by software developers writing insecure code. This may be due to a lack of understanding of secure programming practices, to developers' lapses of attention to security, or both. Much work on software security has focused on detecting vulnerabilities through automated analysis techniques. While these are effective, we believe they are not sufficient. We propose to increase developer awareness and promote the practice of secure programming by interactively reminding programmers of secure programming practices inside Integrated Development Environments (IDEs). We have implemented a proof-of-concept plugin for Eclipse and Java. Initial evaluation results show that this approach can detect and address common web application vulnerabilities and can serve as an effective aid for programmers. Our approach can also effectively complement existing software security best practices and significantly increase developer productivity.