{"title":"Security Patterns As Architectural Solution - Mitigating Cross-Site Scripting Attacks in Web Applications","authors":"Priya Anand, J. Ryoo","doi":"10.1109/ICSSA.2017.30","DOIUrl":null,"url":null,"abstract":"Security patterns are solutions for a recurring security issues that can be applied to mitigate security weaknesses in a software system. With an increased number of security patterns, the selection of a precise pattern to mitigate a vulnerability may become a challenging for software developers. When an appropriate pattern is identified as a potential solution by a software professional, applying that pattern and its level of integration is purely dependent on the software experts' skill and knowledge. Also, adopting the security pattern at an architectural level may be a time consuming and cumbersome task for software developers. To help the software developers' community by making this pattern implementation to be a relatively easy task, we developed a tool named - SPAAS - Security Patterns As Architectural Solution. This tool would automate the process of implementing the selected security pattern in the software system at an architectural level. Our tool was developed to assess potential vulnerabilities at an architectural level and possible fixes by adopting the selected security patterns. This tool checks the possibility of security patterns that have been already implemented in the system and accurately reports the results. In this paper, we demonstrate the use of our tool by conducting a case study on an open-source medical software, OpenEMR. Our analysis on OpenEMR software using the SPAAS tool pointed out the vulnerable source codes in the system that have been missed by some generic vulnerability assessment tools. Using our tool, we implemented the input validation pattern as a solution to mitigate cross-site scripting attacks. Using our pattern application tool, SPAAS, we analyzed OpenEMR software that has 121819 lines of codes. Our experiment on OpenEMR software that are vulnerable to XSS attacks took 2.03 seconds, and reported the presence of 341 spots of vulnerable codes from a total of 121819 lines of source code. We used our tool to implement intercepting validator pattern on those 341 lines, and we could successfully implement the patterns in 2.28 seconds at an architectural level. Our modified version of OpenEMR with security patterns implementation is presented to its software architect and it would be merged as a security solution in the repository. Without a deep understanding of security patterns, any software professional can implement the security pattern at an architectural level using our proposed tool, SPAAS.","PeriodicalId":307280,"journal":{"name":"2017 International Conference on Software Security and Assurance (ICSSA)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2017-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 International Conference on Software Security and Assurance (ICSSA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSSA.2017.30","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2
Abstract
Security patterns are solutions for a recurring security issues that can be applied to mitigate security weaknesses in a software system. With an increased number of security patterns, the selection of a precise pattern to mitigate a vulnerability may become a challenging for software developers. When an appropriate pattern is identified as a potential solution by a software professional, applying that pattern and its level of integration is purely dependent on the software experts' skill and knowledge. Also, adopting the security pattern at an architectural level may be a time consuming and cumbersome task for software developers. To help the software developers' community by making this pattern implementation to be a relatively easy task, we developed a tool named - SPAAS - Security Patterns As Architectural Solution. This tool would automate the process of implementing the selected security pattern in the software system at an architectural level. Our tool was developed to assess potential vulnerabilities at an architectural level and possible fixes by adopting the selected security patterns. This tool checks the possibility of security patterns that have been already implemented in the system and accurately reports the results. In this paper, we demonstrate the use of our tool by conducting a case study on an open-source medical software, OpenEMR. Our analysis on OpenEMR software using the SPAAS tool pointed out the vulnerable source codes in the system that have been missed by some generic vulnerability assessment tools. Using our tool, we implemented the input validation pattern as a solution to mitigate cross-site scripting attacks. Using our pattern application tool, SPAAS, we analyzed OpenEMR software that has 121819 lines of codes. Our experiment on OpenEMR software that are vulnerable to XSS attacks took 2.03 seconds, and reported the presence of 341 spots of vulnerable codes from a total of 121819 lines of source code. We used our tool to implement intercepting validator pattern on those 341 lines, and we could successfully implement the patterns in 2.28 seconds at an architectural level. Our modified version of OpenEMR with security patterns implementation is presented to its software architect and it would be merged as a security solution in the repository. Without a deep understanding of security patterns, any software professional can implement the security pattern at an architectural level using our proposed tool, SPAAS.