REG_NO & NAME : 16MIS0229 – YESHWANTH S
16MIS0407 – KAMESWER M
16MIS0464 – ABINESH K
COURSE CODE : SWE2012
COURSE NAME : SOFTWARE SECURITY
SLOT : B2
FACULTY : LAWANYA SHRI M
DIGITAL ASSESSMENT 01 : REVIEW PAPER
Security Vulnerabilities in Web Development : Literature Review
Software systems are becoming larger and more complex, and this gives rise to more varied security vulnerabilities. Most of these vulnerabilities stem from improper input validation. In the early days of the Web, applications offered users nothing more than the ability to browse and read content. The expansion of new web technologies has led to an increase in the development and, more importantly, the use of web applications that let users create their own content and that affect their daily lives, e.g. e-banking, e-commerce and social networks. Web applications opened new possibilities for both users and application developers, but also created new security concerns. Almost every Internet user accesses content through a web browser, and every web application is designed and developed to execute inside one, so the browser mediates between users and applications. In such an architecture a malicious application can be loaded and executed inside the browser, making the browser a weak point in preserving security. Modern web applications demand a new browser architecture that meets the security requirements that have arisen with the Web. When a software vulnerability is exploited by an attacker, the consequences can be serious.
This paper evaluates the security measures that should be implemented in a modern web application to counter the rapidly growing number of web attacks, and reports on the methodologies by which a modern web application architecture is developed and maintained.
Since 1998, when Google launched its search engine, the demand for web development has grown and has been met by many other organizations such as Facebook and LinkedIn. Back in the 1990s a server was built as a physical machine to store the data acquired from processing and calculation. It then became clear that stored information could be stolen from an organization, directly or indirectly, and organizations such as IBM and AT&T proposed solutions and techniques to block such theft. Several international security organizations and individuals are engaged in vulnerability research; CVE and CERT are among the more authoritative sources that publish vulnerability information. Vulnerability analysis is an integrated discipline: analysts need a variety of detection techniques that can be used together so that their strengths complement each other. CERT-In, the Indian Computer Emergency Response Team, was founded by the Government of India to respond to national-level threats to web infrastructure and cyber attacks.
Most web applications carry vulnerabilities in the architecture on which they were built at development time. A security vulnerability in a web page may result in loss of confidentiality, integrity or availability (the CIA triad). Web pages must be secured systematically, so that when an attacker finds a way to break in, the site still protects its data. The most common way of finding security vulnerabilities in a web application is manual code review; another is to deploy an intrusion detection / prevention system to limit the damage when an attack does happen. A web browser is needed to run any web application, and a modern browser is expected to be fast, simple and secure at the same time, but vulnerabilities make that hard to achieve.
Vulnerabilities in Web
A vulnerability is a weakness, a loss of the ability of our own system to protect itself. Weaknesses should be identified before an outsider finds them, and they must be countered to avoid the associated risks. Many kinds of vulnerabilities have been catalogued for websites through continuous research in web development. One vulnerability in a web system rarely stays isolated: an attacker who finds one weakness can usually chain it with others, so a single flaw can lead to many. The cost of fixing a vulnerability is low when it is found in the early stages of web development. Vulnerabilities in a web system arise from insufficient testing before the site is launched, from design flaws in the internal architecture of the system, and in some cases from the absence of security measures altogether; any of these can lead to a major vulnerability in a web page. A web page lives in an environment its developers cannot see: anyone can look at it, from anywhere, and an attack can come at any time.
The development of a web page follows the phases of the SDLC and, more importantly, a separate lifecycle model proposed as the Security Development Lifecycle. This review paper takes a glance at a series of research works on web development by researchers around the world, such as the following.
Security in SDLC
The first step in every SDLC is to collect and organize the resources and analyse them for the next step. Security can be built in from here by treating the security features as resources and analysing how to implement them. The next step is requirements analysis, and a security requirements analysis is as important as the functional requirements analysis of any software project. Security requirements have become one of the main concerns when developing secure software. This is supported by previous studies, which found that a fundamental cause of failure in software project implementation is the failure to define effective security requirements. Requirements engineers need good security experience to elicit and analyse security requirements. It has been observed that the majority of requirements engineers lack knowledge and skills in security and have difficulty capturing and understanding security terms. The result is that the security requirements of a software system are often error-prone, inconsistent and incomplete, leading to insecure software systems. A security requirement complements the functional requirements of a system. Security requirements are commonly based on an analysis of the assets and services to be protected and of the threats against which those assets and services must be protected. It is therefore vital to consider security requirements right from the beginning of the development process.
Security in Web Browsers
The primary requirement for running a web page is that it is available in a web browser. A study by the University of York reports that the majority of attacks on web sites succeed because of unidentified vulnerabilities in the web browser architecture. The Web was designed for browsing static web pages and reading content. With recent technological improvements it has become a platform for application development. The turning point was the invention and adoption of AJAX, which moved the Web from the old concept of static pages to the new concept of interactive web applications. AJAX and similar web application development technologies, often referred to collectively as Web 2.0 technologies, led to a wide variety of world-wide web applications. Contemporary web applications such as e-banking, e-commerce, social-networking sites, blogs and video-sharing sites give users not just the ability to view information and access content, but also the ability to contribute and create their own content, express their creativity and share knowledge and information with others. This ability to do almost anything inside a web browser makes the browser more open and less protected. The capability cannot simply be taken away from web pages; instead, security mechanisms must be built in to provide a secure architectural environment both for users and for the developers who build web applications. To protect the user, some browsers enforce a strict security policy that isolates applications inside the browser by their origin and does not allow sub-resources from other origins. Such a restrictive policy would require architectural restructuring of the existing Web. On the other side, users expect browsers to be compatible with the existing Web architecture and to render their popular applications.
The desirable goal in browser design is to protect the user while still remaining compatible with existing web applications.
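As an added illustration (not code from the paper or from the browsers it reviews), the following JavaScript shows the origin comparison at the heart of the policy described above, and the difference between a strict isolation policy and the compatible policy the existing Web relies on, where a cross-origin server may opt in through the Access-Control-Allow-Origin response header. The helper names and the bank/CDN URLs are assumptions constructed for the example.

```javascript
// Added example: origin isolation as a browser would decide it.
// Not code from the reviewed browsers or from the paper; helper names and
// URLs are assumptions for this illustration.

// An origin is the (scheme, host, port) triple. WHATWG URL reports "" for a
// default port, so it is filled in explicitly to make the comparison exact.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originTuple(urlString) {
  const u = new URL(urlString);                 // throws on malformed input
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return [u.protocol, u.hostname.toLowerCase(), port];
}

// Two URLs share an origin only if all three components match.
function sameOrigin(a, b) {
  const [sa, ha, pa] = originTuple(a);
  const [sb, hb, pb] = originTuple(b);
  return sa === sb && ha === hb && pa === pb;
}

// Serialized origin as sent in the Origin request header and compared against
// Access-Control-Allow-Origin (the default port is omitted in this form).
function serializedOrigin(urlString) {
  return new URL(urlString).origin;
}

// May a document at documentUrl read the body of a sub-resource at resourceUrl?
//   strict = true  : the isolating policy described in the text; cross-origin
//                    sub-resources are never readable.
//   strict = false : the compatible policy; cross-origin reads are allowed only
//                    when the resource's server opts in through the
//                    Access-Control-Allow-Origin response header (the
//                    non-credentialed case, where "*" is also accepted).
function mayRead(documentUrl, resourceUrl, { strict = false, allowOriginHeader = null } = {}) {
  if (sameOrigin(documentUrl, resourceUrl)) return true;
  if (strict) return false;
  if (allowOriginHeader === "*") return true;
  return allowOriginHeader !== null && allowOriginHeader === serializedOrigin(documentUrl);
}

// Constructed URLs for the demonstration (assumptions, not real sites).
const BANK = "https://bank.example/accounts";
const CDN_SCRIPT = "https://cdn.example/widget.js";

// Run the scenarios and return the decisions.
function demo() {
  return {
    defaultPortSame: sameOrigin(BANK, "https://bank.example:443/login"),      // true
    schemeDiffers: sameOrigin(BANK, "http://bank.example/accounts"),          // false
    subdomainDiffers: sameOrigin(BANK, "https://api.bank.example/"),          // false
    strictBlocksCdn: mayRead(BANK, CDN_SCRIPT, { strict: true }),             // false
    corsOptIn: mayRead(BANK, CDN_SCRIPT, { allowOriginHeader: "https://bank.example" }), // true
    corsWrongOrigin: mayRead(BANK, CDN_SCRIPT, { allowOriginHeader: "https://evil.example" }), // false
  };
}

console.log(demo());
```

Note that the strict policy gives the isolation the text describes at the price of breaking every page that loads scripts or data from a CDN or API on another origin, which is why real browsers settled on the opt-in model instead.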
Coming reviews will take up further related work, such as:
Security Testing in Web Background
Software Security in Web Architecture
Security models in current industry
Web Application security: Testing
and many more, to make a systematic analysis and peer review of the complete background of web development and web security vulnerabilities. The number of reported web application vulnerabilities is increasing dramatically, and most of them result from improper or missing input validation by the web application.
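To make concrete what improper input validation means in practice, the following JavaScript is an added example (not code from the paper or from any system it reviews) of a search-results fragment rendered first without validation or encoding, and then in hardened form with validation on input and HTML encoding on output. The page layout, the search parameter, the allow-list, the length limit and the attacker payload are assumptions constructed for the example.

```javascript
// Added example: improper input validation in a web page, beside the fix.
// Not code from the paper; the page layout, the allow-list, the limit and the
// payload are assumptions constructed for this illustration.

// VULNERABLE: the user-supplied search term is concatenated straight into HTML,
// so a term containing markup is rendered as markup (reflected XSS).
function renderSearchVulnerable(q) {
  return `<p>You searched for ${q}</p>`;
}

// Step 1, validate on input: accept only what a search term legitimately needs.
// Returns the cleaned term, or null if the input must be rejected.
const MAX_QUERY_LENGTH = 100;
const QUERY_ALLOWED = /^[\p{L}\p{N} .,'-]+$/u;   // letters, digits, space, . , ' -

function validateQuery(q) {
  if (typeof q !== "string") return null;        // missing or non-string parameter
  const term = q.trim();
  if (term.length === 0 || term.length > MAX_QUERY_LENGTH) return null;
  if (!QUERY_ALLOWED.test(term)) return null;    // rejects <, >, =, ( ), / and friends
  return term;
}

// Step 2, encode on output: validation allows an apostrophe (O'Brien), which is
// harmless in text but significant inside an HTML attribute, so every character
// that HTML treats specially is escaped regardless of what validation let through.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// HARDENED: reject what fails validation, encode what passes.
function renderSearchHardened(q) {
  const term = validateQuery(q);
  if (term === null) return "<p>Invalid search term.</p>";
  return `<p>You searched for ${escapeHtml(term)}</p>`;
}

// Constructed attacker input: a script tag reflected back through the page.
const PAYLOAD = "<script>alert(document.cookie)</script>";

// Render the same inputs through both versions so the difference is visible.
function demo() {
  return {
    vulnerable: renderSearchVulnerable(PAYLOAD),      // contains a live <script> tag
    hardenedPayload: renderSearchHardened(PAYLOAD),   // "<p>Invalid search term.</p>"
    hardenedNormal: renderSearchHardened("O'Brien's books"),
    // "<p>You searched for O&#39;Brien&#39;s books</p>"
  };
}

console.log(demo());
```

The two steps are deliberately separate: validation shrinks the input to what the feature needs, and encoding makes whatever remains safe in the specific output context (HTML text here), so neither step has to be perfect on its own.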
1. Andrews, M.: "The State of Web Security". IEEE Security & Privacy, vol. 4, no. 4, pp. 14–15 (2006).
2. Auronen, L.: "Tool-Based Approach to Assessing Web Application Security". Seminar on Network Security (2002).
3. Grier, C., Tang, S., King, S. T.: "Secure Web Browsing with the OP Web Browser". 2008 IEEE Symposium on Security and Privacy (2008).
4. Cox, R. S., Hansen, J. G., Gribble, S. D., Levy, H. M.: "A Safety-Oriented Platform for Web Applications". 2006 IEEE Symposium on Security and Privacy (2006).
5. Schneider, K., Knauss, E., Houmb, S., Islam, S., Jürjens, J.: "Enhancing Security Requirements Engineering by Organizational Learning". Requirements Engineering, vol. 17, no. 1, pp. 35–56 (Nov. 2011).