Open Source Web-Based Software: Security Challenges and Assessment Methodologies

Faraz Idris Khan, Mamdouh Alenezi
Prince Sultan University, Riyadh, Saudi Arabia.
Periodicity: July - September 2019
DOI : https://doi.org/10.26634/jse.14.1.16467

Abstract

Open-source software is widely adopted by developers because it is easily accessible over the internet. The growing popularity of this development model has led to a huge number of such projects on the internet. Because the software is open access and its code is freely distributed, users often face security issues when deploying it. The number of developers involved in such projects runs into the thousands, and the number of users into the millions. The purpose of this work is to discuss the security challenges and vulnerabilities of web-based open-source software systems. The work starts with a discussion of the common security assessment methodologies usually practiced by development teams to ensure security in this kind of software. The aim of this work is to create an updated reference or guide for developers wanting to use web-based open-source systems securely.

Keywords

Open Source Software, Software Security, Open Source Web Application Security, Security Assessment Methodology.

How to Cite this Article?

Khan, F. I., & Alenezi, M. (2019). Open Source Web-Based Software: Security Challenges and Assessment Methodologies. i-manager's Journal on Software Engineering, 14(1), 42-52. https://doi.org/10.26634/jse.14.1.16467
