Interactive Programming Support for Secure Software Development
1 online resource (179 pages) : PDF
University of North Carolina at Charlotte
Software vulnerabilities originating from insecure code are one of the leading causes of security problems people face today. Unfortunately, many software developers have not been adequately trained in writing secure programs that are resistant to attacks violating program confidentiality, integrity, and availability, a style of programming which I refer to as secure programming. Worse, even well-trained developers can still make programming errors, including security ones. This may be because of their lack of understanding of secure programming practices, and/or their lapses of attention on security. Much work on software security has focused on detecting software vulnerabilities through automated analysis techniques. While they are effective, they are neither sufficient nor optimal. For instance, current tool support for secure programming, both from tool vendors as well as within the research community, focuses on catching security errors after the program is written. Tools such as static and dynamic analyzers work in a way similar to early compilers: developers must first run the tool, obtain and analyze results, diagnose programs, and finally fix the code if necessary. Thus, these tools tend to be used to find vulnerabilities at the end of the development lifecycle. Their popularity, however, does not guarantee utilization; other business priorities may take precedence. Moreover, using such tools often requires some security expertise, and thus can be costly. What is worse, these approaches exclude programmers from the security loop, and therefore do not discourage them from continuing to write insecure code. In this dissertation, I investigate an approach to increasing developer awareness and promoting good practices of secure programming by interactively reminding programmers of secure programming practices in situ, helping them to either close the secure programming knowledge gap or overcome attention/memory lapses.
More specifically, I designed two techniques to help programmers prevent common secure coding errors: interactive code refactoring and interactive code annotation. My thesis is that by providing effective reminder support in a programming environment, e.g., a modern IDE, one can effectively reduce common security vulnerabilities in software systems. I have implemented interactive code refactoring as a proof-of-concept plugin for Eclipse and Java. Extensive evaluation results show that this approach can detect and address common web application vulnerabilities; it can also serve as an effective aid for programmers in writing secure code. My approach can also effectively complement existing software security best practices and significantly increase developer productivity. I have also implemented interactive code annotation, and conducted user studies to investigate its effectiveness and impact on developers' programming behaviors and awareness towards writing secure code.
DEVELOPER STUDY; INTERACTIVE SUPPORT IN IDE; SECURE PROGRAMMING; SOFTWARE DEVELOPMENT; SOFTWARE SECURITY
Chu, Bill; Lipford, Heather
Ko, Andrew; Wu, Xintao; Brown, Mary
Thesis (Ph.D.)--University of North Carolina at Charlotte, 2012.
This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s). For additional information, see http://rightsstatements.org/page/InC/1.0/.
Copyright is held by the author unless otherwise indicated.