Software developers build complex systems using plenty of third-party libraries. Documentation is key to understanding and using the functionality provided via the libraries' APIs. Therefore, functionality is the main focus of contemporary API documentation, while cross-cutting concerns such as security are almost never considered at all, especially when the API itself does not provide security features. Documentation of JavaScript libraries for use in web applications, e.g., does not specify how to add or adapt a Content Security Policy (CSP) to mitigate content injection attacks like Cross-Site Scripting (XSS). This is unfortunate, as security-relevant API documentation might have an influence on secure coding practices and prevailing major vulnerabilities such as XSS. For the first time, we study the effects of integrating security-relevant information in non-security API documentation. For this purpose, we took CSP as an exemplary study object and extended the official Google Maps JavaScript API documentation with security-relevant CSP information in three distinct manners. Then, we evaluated the usage of these variations in a between-group eye-tracking lab study involving N=49 participants. Our observations suggest: (1) Developers are focused on elements with code examples. They mostly skim the documentation while searching for a quick solution to their programming task. This finding gives further evidence to results of related studies. (2) The location where CSP-related code examples are placed in non-security API documentation significantly impacts the time it takes to find this security-relevant information. In particular, the study results showed that the proximity to functional-related code examples in documentation is a decisive factor. (3) Examples significantly help to produce secure CSP solutions. (4) Developers have additional information needs that our approach cannot meet. Overall, our study contributes to a first understanding of the impact of security-r
ISBN: (Print) 9781479919666
Building a secure software product requires an understanding of security principles and guidelines for secure coding in terms of programming languages, in order to develop safe, reliable, and secure systems in the software development process. Therefore, knowledge transfer is required and influential for the most effective secure software development project. This paper proposes a knowledge transfer framework for secure coding practices, with guidance for the development of secure software products and on how the framework could be applied in the telecommunication industry. A set of knowledge transfer activities is specified which aligns with secure coding. Finally, the implementation of a knowledge transfer framework for secure coding practices could mitigate at least the most common mistakes in software development processes.
ISBN: (Print) 9783030234515; 9783030234508
Cybersecurity vulnerabilities are typically addressed through the implementation of various cybersecurity controls. These controls can be operational, technical or physical in nature. The focus of this paper is on technical controls, with a specific focus on securing web applications. The secure coding practices used in this research are based on OWASP. An initial investigation found that there was a general lack of adherence to these secure coding practices by third-year software development students doing their capstone project at a South African university. This research therefore focused on addressing this problem by developing an educational intervention to teach secure coding practices, specifically focusing on the data access layer of web applications developed in the .NET environment. Pre-tests and post-tests were conducted in order to determine the effectiveness of the intervention. Results indicated an increase in both knowledge and behaviour regarding the identified secure coding practices after exposure to the intervention.
Researchers have proposed multiple solutions to cross-site scripting, but vulnerabilities continue to exist in many Web applications due to developers' lack of understanding of the problem and their unfamiliarity with current defenses' strengths and limitations.
Although no single tool or technique can guard against the host of possible attacks, a defense-in-depth approach, with overlapping protections, can help secure Web applications.
Many of the software security vulnerabilities that people face today can be remediated through secure coding practices. A critical step toward the practice of secure coding is ensuring that our computing students are educated on these practices. We argue that secure coding education needs to be included across a computing curriculum. We are examining an approach that complements traditional classroom instruction by turning the student's integrated development environment into an educational resource for secure coding instruction. In this article, we report on two formative and one summative study using our tool Educational Security in the Integrated Development Environment (ESIDE) in early and intermediate computer science programming courses. Our results support the viability of this approach to increase students' secure programming knowledge and awareness, and also identify several challenges for maximizing the learning opportunities within programming courses.
ISBN: (Print) 9783030356293; 9783030356286
The security aspect of software applications is considered an important aspect that reflects the ability of a system to prevent data exposure and loss of information. For businesses that rely on software solutions to keep operations running, a failure of a software solution can stop production, interrupt processes, and may lead to data breaches and financial losses. Many software developers are not competent in secure programming. This leads to risks that are caused by vulnerabilities in the application code of software applications. Although various techniques for writing secure code are known, these techniques are rarely fundamental components of a computing curriculum. This paper proposes the teaching of secure programming through a step-by-step approach. Our approach includes the identification of application risks and secure coding practices as they relate to each other and to basic programming concepts. We specifically aim to guide educators on how to teach secure programming in the .Net environment.
This systematic review explores the integration of security practices into Agile software development. Through a comprehensive analysis of academic papers, industry reports, and case studies, the review identifies key...
This research paper examines mobile application security, focusing on data masking and tokenisation, which are essential for protecting sensitive data on Android and iOS platforms. It delves into platform-specific vul...