TY - GEN
T1 - Security Patterns As Architectural Solution - Mitigating Cross-Site Scripting Attacks in Web Applications
AU - Anand, Priya
AU - Ryoo, Jungwoo
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2018/6/21
Y1 - 2018/6/21
N2 - Security patterns are solutions for recurring security issues that can be applied to mitigate security weaknesses in a software system. With the growing number of security patterns, selecting the right pattern to mitigate a given vulnerability can be challenging for software developers. Even when a software professional identifies an appropriate pattern as a potential solution, applying that pattern and deciding its level of integration depend entirely on the expert's skill and knowledge. Adopting a security pattern at the architectural level can also be a time-consuming and cumbersome task. To make pattern implementation a relatively easy task for the developer community, we developed a tool named SPAAS (Security Patterns As Architectural Solution). This tool automates the process of implementing a selected security pattern in a software system at the architectural level. It was developed to assess potential vulnerabilities at the architectural level and to propose fixes by adopting the selected security patterns. The tool also checks whether security patterns have already been implemented in the system and accurately reports the results. In this paper, we demonstrate the use of our tool through a case study on open-source medical software, OpenEMR. Our analysis of OpenEMR with the SPAAS tool pointed out vulnerable source code in the system that some generic vulnerability assessment tools had missed. Using our tool, we implemented the input validation pattern as a solution to mitigate cross-site scripting (XSS) attacks. With SPAAS, we analyzed the OpenEMR code base, which has 121819 lines of code. The scan of OpenEMR for code vulnerable to XSS attacks took 2.03 seconds and reported 341 vulnerable code locations among the total of 121819 lines of source code.
We used our tool to implement the Intercepting Validator pattern at those 341 locations, and the patterns were successfully applied in 2.28 seconds at the architectural level. Our modified version of OpenEMR with the security pattern implementation has been presented to its software architect and will be merged into the repository as a security solution. Without a deep understanding of security patterns, any software professional can implement a security pattern at the architectural level using our proposed tool, SPAAS.
UR - http://www.scopus.com/inward/record.url?scp=85050536106&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85050536106&partnerID=8YFLogxK
U2 - 10.1109/ICSSA.2017.30
DO - 10.1109/ICSSA.2017.30
M3 - Conference contribution
AN - SCOPUS:85050536106
T3 - Proceedings - 2017 International Conference on Software Security and Assurance, ICSSA 2017
SP - 25
EP - 31
BT - Proceedings - 2017 International Conference on Software Security and Assurance, ICSSA 2017
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 3rd International Conference on Software Security and Assurance, ICSSA 2017
Y2 - 24 July 2017 through 25 July 2017
ER -