WhiteList Checker: An Eclipse Plugin to Improve Application Security

Bill Chu, Jing Xie, Will Stranathan
Department of Software and Information Systems
University of North Carolina at Charlotte
Motivation

• There is a gap in tool support for secure programming
  • Analysis tools (e.g. Fortify, ESC/Java, CodeHawk) work in batch mode
    • The process is the same as with early compilers
    • Manually diagnose and fix problems
  • Developers have a heavy cognitive load while programming
  • IDEs have dramatically eased the programming task and let developers focus on difficult logic tasks
  • Gap: no such interactive tool support exists for secure programming
  • It is insufficient to rely on secure coding training and manual enforcement of coding standards alone
Motivation

• There is a gap in secure programming research
  • Mental model: how do programmers address security concerns while programming?
  • What types of tool support should be designed to help programmers give adequate attention / consideration to security issues while programming?
    • Code generation
    • Annotation
Case study: input validation

• Lack of proper input validation is a leading cause of software vulnerabilities
• Detection: static analysis
  • Late in the development cycle
  • Does not help fix the problem, i.e. how to validate
• Action: programmer training, paper standards, program libraries; no methodological support
  • White list vs. black list validation
  • White list input validation is not easy to do, even for common input types (e.g. names)
Sample input validation issues

• Where in the program should validation take place?
  • When data enters the system
  • When data is used in sensitive system calls (Fortify default rules)
• How to enforce enterprise-wide input validation standards?
  • What needs to be validated
  • What is the standard validation
  • Auditing and tracking
• When in the development cycle to address input validation?
  • Design: setting enterprise/project standards
  • Coding: ?
  • Security auditing: penetration test/static analysis
IDE based support for input validation

• Identify untrusted input
• Interactively notify the developer (similar to a syntax error)
• Present a choice of input types
• Generate validation code
• Encourage developers to perform input validation at the earliest possible time

Untrusted input as written:

    String username = request.getParameter("username");

With the generated validation code:

    String username = request.getParameter("username");
    try {
        Validation.validate(username, "safe_text");
    } catch (InputValidationException e) {
        username = "safe text";
    }
Trust boundary definition

• API calls
  • HttpServletRequest.getParameter()
  • System.getProperty()
  • ResultSet.getString()
  • ServletContext.getInitParameter()
• Parameters / variables
  • main(String[] args)
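The first thing the plugin has to do is find the places where data crosses the trust boundary listed above. The following is an added example, not code from the slides or from the WhiteList Checker project: a textual scanner that flags assignments from the four API calls and the arguments of main(). The real plugin works on the Eclipse AST and can resolve receiver types; this approximation matches on method name only, so it can miss calls whose result is wrapped in another call (for example Integer.parseInt(request.getParameter(...))). The class names TaintSource and TrustBoundaryScanner, and the sample servlet source, are assumptions constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** One finding: the line, the API that introduced untrusted data, and the variable it landed in. */
final class TaintSource {
    final int line;
    final String api;
    final String variable;

    TaintSource(int line, String api, String variable) {
        this.line = line;
        this.api = api;
        this.variable = variable;
    }

    @Override
    public String toString() {
        return "line " + line + ": " + variable + " <- " + api;
    }
}

/** Finds assignments from the trust-boundary APIs of slide 7 (name-based, not type-resolved). */
final class TrustBoundaryScanner {
    // "<type>? <var> = <receiver>.<sourceMethod>(" ; receiver may be a chain such as getServletContext()
    private static final Pattern ASSIGN_FROM_SOURCE = Pattern.compile(
        "(?:\\w+\\s+)?(\\w+)\\s*=\\s*[\\w().]+\\.(getParameter|getProperty|getString|getInitParameter)\\s*\\(");
    // main(String[] <name>) : the command line is untrusted too
    private static final Pattern MAIN_ARGS = Pattern.compile(
        "static\\s+void\\s+main\\s*\\(\\s*String\\s*\\[\\]\\s*(\\w+)\\s*\\)");

    static List<TaintSource> scan(String source) {
        List<TaintSource> found = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            Matcher m = ASSIGN_FROM_SOURCE.matcher(lines[i]);
            if (m.find()) {
                found.add(new TaintSource(i + 1, m.group(2) + "()", m.group(1)));
            }
            Matcher a = MAIN_ARGS.matcher(lines[i]);
            if (a.find()) {
                found.add(new TaintSource(i + 1, "main(String[] args)", a.group(1)));
            }
        }
        return found;
    }
}

public class ScanDemo {
    // Constructed servlet fragment used as scanner input (not real project code)
    static final String SAMPLE = String.join("\n",
        "public class Login extends HttpServlet {",
        "    public static void main(String[] args) { }",
        "    protected void doPost(HttpServletRequest request, HttpServletResponse resp) {",
        "        String username = request.getParameter(\"username\");",
        "        String home = System.getProperty(\"user.home\");",
        "        String role = getServletContext().getInitParameter(\"role\");",
        "        String email = rs.getString(\"email\");",
        "    }",
        "}");

    public static void main(String[] args) {
        // Each finding is where the plugin would raise its interactive notification
        for (TaintSource t : TrustBoundaryScanner.scan(SAMPLE)) {
            System.out.println(t);
        }
    }
}
```

Every finding is a point where the plugin would prompt for an input type and generate validation code; the scan reports the variable name so that the generated code can be inserted right after the assignment.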
Input validation rules

• Initialized with a set of regular expressions developed by OWASP for input validation
• Syntactic rules
  • Regular expressions
    • e.g. email, full path file name
• Semantic rules
  • Specific to input type
    • e.g. files under /usr/billchu
• User defined rules
  • Regular expression
  • Customized routines
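The generated call on slide 6, Validation.validate(username, "safe_text"), and the rule types on this slide fit together as a registry of named white-list rules. The following is an added example, not the plugin's own Validation class: syntactic rules are anchored regular expressions, semantic rules are predicates (here the "files under /usr/billchu" rule, implemented with path normalisation so that ".." segments cannot escape the directory), and user-defined rules are added through the same two methods. The regex patterns are illustrative, not the OWASP set the slide refers to; POSIX paths are assumed; the rule names other than safe_text and the acceptUsername helper are constructed for the example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Predicate;
import java.util.regex.Pattern;

/** Thrown when input fails its white-list rule (name taken from slide 6). */
class InputValidationException extends Exception {
    InputValidationException(String msg) { super(msg); }
}

/** Registry of named white-list rules: syntactic (regex) and semantic (predicate). */
final class Validation {
    private static final Map<String, Predicate<String>> RULES = new HashMap<>();

    static {
        // Syntactic rules: anchored with ^ and $ so the whole value must match (illustrative patterns)
        addRegex("safe_text", "^[a-zA-Z0-9 .,_-]{1,64}$");
        addRegex("email", "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");
        addRegex("full_path", "^/([A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+$");
        // Semantic rule specific to the input type: the file must live under /usr/billchu
        addSemantic("file_under_billchu", v -> isUnder(v, "/usr/billchu"));
    }

    /** User-defined regular expression rule. */
    static void addRegex(String name, String regex) {
        Pattern p = Pattern.compile(regex);
        RULES.put(name, v -> v != null && p.matcher(v).matches());
    }

    /** User-defined customized routine. */
    static void addSemantic(String name, Predicate<String> check) {
        RULES.put(name, check);
    }

    /** True when candidate is absolute and, after removing "." and ".." segments, lies strictly inside base. */
    static boolean isUnder(String candidate, String base) {
        if (candidate == null) return false;
        try {
            Path basePath = Paths.get(base).normalize();
            Path p = Paths.get(candidate);
            if (!p.isAbsolute()) return false;          // relative paths are not accepted
            Path norm = p.normalize();
            return norm.startsWith(basePath) && !norm.equals(basePath);
        } catch (InvalidPathException e) {
            return false;                               // unrepresentable path: reject
        }
    }

    /** Rejects the value unless the named rule accepts it; unknown rule names are a programming error. */
    static void validate(String value, String ruleName) throws InputValidationException {
        Predicate<String> rule = RULES.get(ruleName);
        if (rule == null) {
            throw new IllegalArgumentException("unknown rule: " + ruleName);
        }
        if (!rule.test(value)) {
            throw new InputValidationException("input rejected by rule '" + ruleName + "'");
        }
    }
}

public class WhitelistDemo {
    /** The shape of the code the plugin generates at the trust boundary, with a safe default on failure. */
    static String acceptUsername(String rawParam) {
        String username = rawParam;
        try {
            Validation.validate(username, "safe_text");
        } catch (InputValidationException e) {
            username = "safe text";
        }
        return username;
    }

    public static void main(String[] args) {
        // Constructed values standing in for request.getParameter("username")
        System.out.println(acceptUsername("alice"));
        System.out.println(acceptUsername("alice<b>"));
        // Semantic rule: a normalised path that escapes the directory is rejected
        System.out.println(Validation.isUnder("/usr/billchu/notes.txt", "/usr/billchu"));
        System.out.println(Validation.isUnder("/usr/billchu/../etc/passwd", "/usr/billchu"));
    }
}
```

Keeping the rules in one registry is what makes the enterprise-wide standard of slide 12 enforceable: the generated code names a rule, and the definition of that rule lives in one place that can be audited and changed without touching every call site.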
Benefits

• Set enterprise-wide standards
• Identify and track untrusted input
  • where they are input into the application
  • validation actions taken (it might be okay to ignore compiler warnings, but do not ignore input validations)
• Interesting queries
  • How many places in this application do we accept credit card numbers from the user?
  • Does this application accept sensitive information from the customer?
• Reduce false positives in analysis
  • Generate (Fortify) rules that remove taints to reduce false positives
Future work

• Programmer mental model for secure programming
• Technical tool support
  • Add critical features for input validation
  • Additional support for other secure programming tasks
Mental model for secure programming

• How do programmers juggle security concerns among many other concerns?
• Use input validation as a case study
  • Identify programmer strategies / behavior
  • Evaluate our tool as constructed
  • Improve it / identify new tool support needed
Additional features for input validation support

• Input of composite type
  • Ad hoc structures (e.g. ParameterMap, hash tables)
    • Perform data flow analysis (including across developer boundaries)
    • Validate elements when they are used
  • Specialized data types (e.g. sparse matrix, JNI objects)
    • Standardized validation routines
• Dynamic data types
  • User intervention
Semantic rules

• Refinements
  • e.g. filepath -> under certain directories
  • e.g. price -> less than $1,000
• Relationship rules
  • e.g. endTime > startTime
  • e.g. "constraint"
• Challenge: an effective and simple specification language
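The refinement and relationship rules above both compare a field against something else: a literal for a refinement (price < 1000) or another field for a relationship (endTime > startTime). The following is an added example of the kind of small specification language the slide asks for, not something from the WhiteList Checker project: one rule per line in the form "<field> <op> <field-or-literal>", loaded once and then checked against the fields of a submitted form. The SemanticRules class, the rule syntax, the numeric-else-lexicographic comparison (which makes ISO-8601 timestamps compare correctly) and the sample order are all assumptions constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** A minimal rule language: "<field> <op> <field-or-literal>", one rule per line, '#' starts a comment. */
final class SemanticRules {
    private static final List<String> OPS = Arrays.asList(">", "<", ">=", "<=", "==");
    private final List<String[]> rules = new ArrayList<>();

    /** Parses the specification; malformed rules are rejected at load time, not at check time. */
    SemanticRules(String spec) {
        for (String raw : spec.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] tok = line.split("\\s+", 3);
            if (tok.length != 3 || !OPS.contains(tok[1])) {
                throw new IllegalArgumentException("bad rule: " + line);
            }
            rules.add(tok);
        }
    }

    /** Returns the rules violated by the given fields; an empty list means the input is valid. */
    List<String> violations(Map<String, String> fields) {
        List<String> failed = new ArrayList<>();
        for (String[] r : rules) {
            String lhs = fields.get(r[0]);
            // Right-hand side is a field reference when such a field exists, otherwise a literal
            String rhs = fields.containsKey(r[2]) ? fields.get(r[2]) : r[2];
            // A missing field fails closed: white-listing means absent data is not accepted
            boolean ok = lhs != null && rhs != null && holds(lhs, r[1], rhs);
            if (!ok) failed.add(String.join(" ", r));
        }
        return failed;
    }

    private static boolean holds(String a, String op, String b) {
        int cmp = compare(a, b);
        switch (op) {
            case ">":  return cmp > 0;
            case "<":  return cmp < 0;
            case ">=": return cmp >= 0;
            case "<=": return cmp <= 0;
            case "==": return cmp == 0;
            default:   return false;
        }
    }

    /** Numeric comparison when both sides parse as numbers, else lexicographic (correct for ISO-8601 timestamps). */
    private static int compare(String a, String b) {
        try {
            return Double.compare(Double.parseDouble(a), Double.parseDouble(b));
        } catch (NumberFormatException e) {
            return a.compareTo(b);
        }
    }
}

public class SemanticRulesDemo {
    // Constructed specification covering one refinement and one relationship rule
    static final String SPEC =
        "# refinements\n" +
        "price < 1000\n" +
        "# relationship rules\n" +
        "endTime > startTime\n";

    static List<String> check(Map<String, String> fields) {
        return new SemanticRules(SPEC).violations(fields);
    }

    public static void main(String[] args) {
        Map<String, String> order = new LinkedHashMap<>();   // constructed form submission
        order.put("price", "249.99");
        order.put("startTime", "2024-05-01T09:00:00Z");
        order.put("endTime", "2024-05-01T08:00:00Z");        // ends before it starts
        System.out.println(check(order));                    // lists the violated rule(s)
    }
}
```

Because the rules are parsed before any input is checked, a typo in the specification is caught when the standard is deployed rather than silently accepting everything at run time, which is the failure mode a white-list approach must avoid.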
Interactive tool support for other secure programming issues

• Start with rules that might be used in static analysis
  • e.g. broken authentication / authorization
• Types of help
  • Code generation
  • Annotation
• Challenge: must have very low false positive rates
  • We cannot ignore compiler errors
  • How often do we ignore compiler warnings?
Demo
