Security Patterns As Architectural Solution - Mitigating Cross-Site Scripting Attacks in Web Applications

Priya Anand, Jungwoo Ryoo

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

Abstract

Security patterns are solutions to recurring security issues that can be applied to mitigate security weaknesses in a software system. With an increasing number of security patterns, selecting the precise pattern to mitigate a vulnerability may become challenging for software developers. When an appropriate pattern is identified as a potential solution by a software professional, applying that pattern and its level of integration depend purely on the software expert's skill and knowledge. Also, adopting a security pattern at an architectural level may be a time-consuming and cumbersome task for software developers. To help the software developer community by making pattern implementation a relatively easy task, we developed a tool named SPAAS (Security Patterns As Architectural Solution). This tool automates the process of implementing the selected security pattern in the software system at an architectural level. Our tool was developed to assess potential vulnerabilities at an architectural level and possible fixes by adopting the selected security patterns. This tool also checks whether security patterns have already been implemented in the system and accurately reports the results. In this paper, we demonstrate the use of our tool by conducting a case study on an open-source medical software system, OpenEMR. Our analysis of the OpenEMR software using the SPAAS tool pointed out vulnerable source code in the system that had been missed by some generic vulnerability assessment tools. Using our tool, we implemented the input validation pattern as a solution to mitigate cross-site scripting attacks. Using our pattern application tool, SPAAS, we analyzed the OpenEMR software, which has 121819 lines of code. Our experiment on the OpenEMR source code vulnerable to XSS attacks took 2.03 seconds and reported the presence of 341 spots of vulnerable code out of a total of 121819 lines of source code.
We used our tool to implement the intercepting validator pattern on those 341 lines, and we could successfully implement the patterns in 2.28 seconds at an architectural level. Our modified version of OpenEMR with the security pattern implementation has been presented to its software architect and would be merged as a security solution in the repository. Without a deep understanding of security patterns, any software professional can implement a security pattern at an architectural level using our proposed tool, SPAAS.

Original language: English (US)
Title of host publication: Proceedings - 2017 International Conference on Software Security and Assurance, ICSSA 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 25-31
Number of pages: 7
ISBN (Electronic): 9781538648087
DOIs: 10.1109/ICSSA.2017.30
State: Published - Jun 21 2018
Event: 3rd International Conference on Software Security and Assurance, ICSSA 2017 - Altoona, United States
Duration: Jul 24 2017 to Jul 25 2017

Other

Other: 3rd International Conference on Software Security and Assurance, ICSSA 2017
Country: United States
City: Altoona
Period: 7/24/17 to 7/25/17

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Software
  • Safety, Risk, Reliability and Quality

Cite this

Anand, P., & Ryoo, J. (2018). Security Patterns As Architectural Solution - Mitigating Cross-Site Scripting Attacks in Web Applications. In Proceedings - 2017 International Conference on Software Security and Assurance, ICSSA 2017 (pp. 25-31). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/ICSSA.2017.30
TY - GEN

T1 - Security Patterns As Architectural Solution - Mitigating Cross-Site Scripting Attacks in Web Applications

AU - Anand, Priya

AU - Ryoo, Jungwoo

PY - 2018/6/21

Y1 - 2018/6/21

UR - http://www.scopus.com/inward/record.url?scp=85050536106&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85050536106&partnerID=8YFLogxK

U2 - 10.1109/ICSSA.2017.30

DO - 10.1109/ICSSA.2017.30

M3 - Conference contribution

AN - SCOPUS:85050536106

SP - 25

EP - 31

BT - Proceedings - 2017 International Conference on Software Security and Assurance, ICSSA 2017

PB - Institute of Electrical and Electronics Engineers Inc.

ER -