Security Patterns As Architectural Solution - Mitigating Cross-Site Scripting Attacks in Web Applications

Priya Anand, Jungwoo Ryoo

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Scopus citations

Abstract

Security patterns are solutions for recurring security issues that can be applied to mitigate security weaknesses in a software system. With an increasing number of security patterns, selecting the precise pattern to mitigate a given vulnerability can become challenging for software developers. Even when a software professional identifies an appropriate pattern as a potential solution, applying that pattern and deciding its level of integration depend entirely on the expert's skill and knowledge. Adopting a security pattern at an architectural level can also be a time-consuming and cumbersome task for developers. To make pattern implementation a relatively easy task for the developer community, we developed a tool named SPAAS (Security Patterns As Architectural Solution). The tool automates the process of implementing a selected security pattern in a software system at an architectural level. It was developed to assess potential vulnerabilities at an architectural level and to apply possible fixes by adopting the selected security patterns. It also checks whether security patterns have already been implemented in the system and accurately reports the results. In this paper, we demonstrate the use of the tool through a case study on an open-source medical software system, OpenEMR. Our analysis of OpenEMR with SPAAS pointed out vulnerable source code in the system that some generic vulnerability assessment tools had missed. Using the tool, we implemented the input validation pattern as a solution to mitigate cross-site scripting (XSS) attacks. With SPAAS, we analyzed the OpenEMR code base of 121819 lines of code. The analysis of the OpenEMR code vulnerable to XSS attacks took 2.03 seconds and reported 341 spots of vulnerable code out of the 121819 lines of source code. We then used the tool to implement the intercepting validator pattern on those 341 lines, and the pattern was applied successfully at an architectural level in 2.28 seconds. Our modified version of OpenEMR with the security pattern implemented has been presented to its software architect and would be merged into the repository as a security solution. Without a deep understanding of security patterns, any software professional can implement a security pattern at an architectural level using our proposed tool, SPAAS.

Original language: English (US)
Title of host publication: Proceedings - 2017 International Conference on Software Security and Assurance, ICSSA 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 25-31
Number of pages: 7
ISBN (Electronic): 9781538648087
DOIs
State: Published - Jun 21 2018
Event: 3rd International Conference on Software Security and Assurance, ICSSA 2017 - Altoona, United States
Duration: Jul 24 2017 to Jul 25 2017

Publication series

Name: Proceedings - 2017 International Conference on Software Security and Assurance, ICSSA 2017

Other

Other: 3rd International Conference on Software Security and Assurance, ICSSA 2017
Country/Territory: United States
City: Altoona
Period: 7/24/17 to 7/25/17

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Software
  • Safety, Risk, Reliability and Quality
