Writing secure Web applications is a complex task, and a large majority of Web applications are likely to contain security vulnerabilities that can be exploited with nothing more than a common Web browser. This is a serious danger, as attacks may have disastrous consequences for organizations, harming their assets and reputation. To mitigate these vulnerabilities, security code inspections and penetration tests must be conducted by well-trained teams during the development of the application. However, effective code inspections and tests take time and cost a lot of money, even before the application generates any business revenue. Furthermore, software quality assurance teams typically lack the knowledge required to detect security problems effectively. In this paper we propose an approach to train security assurance teams quickly and effectively in the context of Web application development. The approach combines a novel vulnerability injection technique with relevant guidance information about the most common security vulnerabilities to provide a realistic training scenario. Our experimental results show that a short training period is sufficient to clearly improve the ability of security assurance teams to detect vulnerabilities during both code inspections and penetration tests.
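To make the idea of a vulnerability-injection training scenario concrete, the following is an added illustration written for this page; it is not the paper's injector, and the operator names, the sample PHP handler, the CWE guidance strings and the grading scheme are all constructed for the example. Each operator removes exactly one sanitization call from otherwise safe code, so every generated mutant carries a single known fault; the answer key (line, weakness, guidance) is what lets an instructor score a team's inspection or penetration-test findings before and after training.

```python
"""Toy vulnerability injector for a security-training exercise.

Added example, not the paper's tool.  Each operator deletes one
sanitization call in otherwise-safe PHP, producing one mutant per site
plus an answer key (line, CWE, guidance) used to score what a team finds.
Operator names, the sample PHP and the guidance text are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Operator:
    name: str            # hypothetical operator name
    cwe: str             # weakness class the mutant introduces
    pattern: re.Pattern  # locates a sanitization call site
    replacement: str     # backreference template that keeps only the raw input
    guidance: str        # hint handed to trainees after the exercise


# Two "missing sanitization call" operators (constructed for this example).
OPERATORS = (
    Operator(
        "MFC-escape",
        "CWE-89",
        re.compile(r"mysqli_real_escape_string\(\$\w+,\s*([^)]+)\)"),
        r"\1",
        "Untrusted input reaches a SQL string unescaped: "
        "look for request data concatenated into queries.",
    ),
    Operator(
        "MFC-htmlspecialchars",
        "CWE-79",
        re.compile(r"htmlspecialchars\(([^)]+)\)"),
        r"\1",
        "Untrusted input is echoed into HTML unencoded: "
        "trace every echo/print back to its source.",
    ),
)

# Constructed sample: a small, correctly sanitized PHP request handler.
SAMPLE = """<?php
$name = mysqli_real_escape_string($db, $_GET['name']);
$rows = mysqli_query($db, "SELECT * FROM users WHERE name = '$name'");
$msg = htmlspecialchars($_GET['msg']);
echo "<p>$msg</p>";
"""


@dataclass(frozen=True)
class Mutant:
    operator: str
    cwe: str
    line: int      # 1-based line of the injected fault (the answer key)
    guidance: str
    source: str    # the vulnerable variant handed to trainees


def inject(source: str, op: Operator) -> list[Mutant]:
    """Apply one operator at every matching site, one fault per mutant."""
    mutants = []
    for m in op.pattern.finditer(source):
        mutated = source[:m.start()] + m.expand(op.replacement) + source[m.end():]
        line = source.count("\n", 0, m.start()) + 1
        mutants.append(Mutant(op.name, op.cwe, line, op.guidance, mutated))
    return mutants


def generate_training_set(source: str = SAMPLE) -> list[Mutant]:
    """All single-fault mutants for every operator, ordered by source line."""
    mutants = [m for op in OPERATORS for m in inject(source, op)]
    return sorted(mutants, key=lambda m: m.line)


def grade(mutants: list[Mutant], reports: dict[int, set[int]]) -> tuple[int, int]:
    """reports maps a mutant index to the lines the team flagged for it.

    Returns (detected, total) so before- and after-training runs compare.
    """
    detected = sum(1 for i, m in enumerate(mutants) if m.line in reports.get(i, set()))
    return detected, len(mutants)


if __name__ == "__main__":
    ts = generate_training_set()
    for i, m in enumerate(ts):
        print(f"--- mutant {i}: {m.operator} ({m.cwe}) injected at line {m.line}")
        print(m.source)
        print("guidance:", m.guidance)
    # Simulated inspection result: the team spotted only the XSS mutant.
    print("score:", grade(ts, {1: {4}}))
```

Because each mutant differs from the safe original at exactly one location, a team that flags the right line has demonstrably found the injected fault rather than guessed; running the same exercise before and after the guidance is handed out yields the kind of detection-rate comparison the abstract describes.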