Measuring Developers’ Web Security Awareness from Attack and Defense Perspectives

Merve Sahin, Tolga Ünlü, Cédric Hébert, Lynsay A. Shepherd, Natalie J. Coull, Colin McLean
Published in: 2022 IEEE Security and Privacy Workshops (SPW), May 2022. DOI: 10.1109/spw54247.2022.9833858 (https://doi.org/10.1109/spw54247.2022.9833858)
Citations: 3

Abstract

Web applications are the public-facing components of information systems, which makes them an easy entry point for various types of attacks. While it is often the responsibility of web developers to implement the proper security controls, it remains a challenge for them to develop a good understanding of the whole attack surface. This paper aims to understand developers’ familiarity with a number of web attack and defense mechanisms. In particular, we conducted two different experiments: First, we employed a questionnaire to understand the perceived attack surface and the types of security controls that are often considered. Second, we designed a Capture the Flag challenge aiming to push participants to discover as many attack points as possible on a given web application. We found that one third of developers are not aware of the clients’ ability to intercept and modify all parts of an HTTP request. Moreover, developers’ attack awareness focuses on a limited set of attacks (such as Cross-site scripting and SQL injection), overlooking a large part of the attack surface.
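The finding that a third of developers do not realise every part of an HTTP request is client-controlled is illustrated by the following added example (it is not code from the paper or its CTF). It parses a constructed request in which a hidden form field, a cookie and a custom header all assert privileges, and contrasts a handler that trusts them with one that derives role and price from a hypothetical server-side session store and catalog.

```python
"""Every part of an HTTP request (request line, headers, cookies, body) can be
edited by the client, so trust decisions must come from server-side state."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample: a request edited in an intercepting proxy. The cookie,
# the hidden form field and the header all claim something the server never set.
RAW_REQUEST = (
    "POST /orders HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=s-123; role=admin\r\n"
    "X-Forwarded-For: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "item=book&price=0.01&is_admin=1"
)

# Hypothetical server-side state: the only source of truth for role and price.
SESSIONS = {"s-123": {"user": "alice", "role": "customer"}}
CATALOG = {"book": 19.99}


def parse_request(raw):
    """Split a raw request into its parts; all of them are client-controlled."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines)}
    cookies = {k: m.value for k, m in SimpleCookie(headers.get("cookie", "")).items()}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "target": target, "headers": headers,
            "cookies": cookies, "form": form}


def naive_authorize(req):
    """Trusts client-supplied role, price and source IP: all of it was edited."""
    role = req["cookies"].get("role") or (
        "admin" if req["form"].get("is_admin") == "1" else "customer")
    return {"role": role, "price": float(req["form"]["price"]),
            "client_ip": req["headers"].get("x-forwarded-for")}


def hardened_authorize(req):
    """Reads only the session id and item name, validates both, and takes
    role and price from server-side state instead of the request."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        raise PermissionError("unknown session")
    item = req["form"].get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    return {"role": session["role"], "price": CATALOG[item]}
```

Running `naive_authorize` on the parsed request yields role `admin` and price `0.01`, while `hardened_authorize` yields `customer` and `19.99` for the same bytes.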