Measuring developers’ web security awareness from attack and defense perspectives

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Citations (Scopus)
478 Downloads (Pure)


Web applications are the public-facing components of information systems, which makes them an easy entry point for various types of attacks. While it is often the responsibility of web developers to implement the proper security controls, it remains a challenge for them to develop a good understanding of the whole attack surface.This paper aims to understand developers’ familiarity with a number of web attack and defense mechanisms. In particular, we conducted two different experiments: First, we employed a questionnaire to understand the perceived attack surface and the types of security controls that are often considered. Second, we designed a Capture the Flag challenge aiming to push participants to discover as many attack points as possible on a given web application. We found that one third of developers are not aware of the clients’ ability to intercept and modify all parts of an HTTP request. Moreover, developers’ attack awareness focuses on a limited set of attacks (such as Cross-site scripting and SQL injection), overlooking a large part of the attack surface.
Original languageEnglish
Title of host publication43rd IEEE Symposium on Security and Privacy Workshops, SPW 2022
Subtitle of host publicationproceedings
EditorsLisa O'Conner
Place of PublicationPiscataway, NJ
Number of pages13
ISBN (Electronic)9781665496438
ISBN (Print)9781665496445
Publication statusPublished - 25 Jul 2022
EventThird Workshop of Designing Security for the Web - San Francisco, United States
Duration: 26 May 202226 May 2022
Conference number: 3rd

Publication series

NameIEEE Security and Privacy Workshops
ISSN (Print)2639-7862
ISSN (Electronic)2770-8411


WorkshopThird Workshop of Designing Security for the Web
Abbreviated titleSecWeb 2022
Country/TerritoryUnited States
CitySan Francisco
Internet address


  • Web
  • Framework
  • Security awareness
  • Secure software development
  • CTF


Dive into the research topics of 'Measuring developers’ web security awareness from attack and defense perspectives'. Together they form a unique fingerprint.

Cite this