Measuring developers’ web security awareness from attack and defense perspectives

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


Abstract

Web applications are the public-facing components of information systems, which makes them an easy entry point for various types of attacks. While it is often the responsibility of web developers to implement the proper security controls, it remains a challenge for them to develop a good understanding of the whole attack surface. This paper aims to understand developers’ familiarity with a number of web attack and defense mechanisms. In particular, we conducted two different experiments: First, we employed a questionnaire to understand the perceived attack surface and the types of security controls that are often considered. Second, we designed a Capture the Flag challenge aiming to push participants to discover as many attack points as possible on a given web application. We found that one third of developers are not aware of the client’s ability to intercept and modify all parts of an HTTP request. Moreover, developers’ attack awareness focuses on a limited set of attacks (such as cross-site scripting and SQL injection), overlooking a large part of the attack surface.
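The finding that one third of developers do not realise the client controls every part of an HTTP request is easy to state and easy to underestimate. The following is an added illustration, not code from the paper or its CTF: it builds a raw request the way an intercepting proxy would, then contrasts a checkout handler that trusts "hidden" form fields and a client-set cookie with one that derives price, identity and role from server-side state. The shop name, catalog, session table and field names are constructed for the example.

```python
"""Added example (not from the paper): every byte of an HTTP request is
client-controlled. Hidden or readonly form fields, cookies and headers carry
no guarantee, because the client can emit whatever it likes."""

from urllib.parse import urlencode, parse_qs

# Constructed server-side state: catalogue prices in cents and a session table.
CATALOG = {"sku-1": 4999}
SESSIONS = {"sess-abc": {"user_id": 42, "role": "customer"}}


def build_request(method, path, headers, form):
    """Serialise a form POST exactly as it would travel on the wire.
    Nothing here is fixed by the server: method, path, headers and body
    are all chosen by whoever holds the socket."""
    body = urlencode(form)
    hdrs = {
        "Host": "shop.example",  # assumed hostname for the example
        "Content-Type": "application/x-www-form-urlencoded",
        **headers,
    }
    hdrs["Content-Length"] = str(len(body))
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()


def parse_request(raw):
    """Minimal parser for the requests build_request() produces."""
    head, _, body = raw.decode().partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "path": path, "headers": headers,
            "cookies": cookies, "form": form}


def checkout_trusting_client(req):
    """The pattern the finding warns about: a hidden price field, a readonly
    user_id and a role cookie are treated as facts."""
    f = req["form"]
    return {
        "user_id": int(f["user_id"]),
        "total": int(f["price"]) * int(f["qty"]),
        "admin": req["cookies"].get("role") == "admin",
    }


def checkout_server_side(req):
    """Only sku, qty and a session id are accepted from the client; price,
    identity and role are looked up on the server and the inputs are bounded."""
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        raise PermissionError("no valid session")
    f = req["form"]
    sku = f.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(f.get("qty", "0"))
    if not 1 <= qty <= 10:
        raise ValueError("quantity out of range")
    return {
        "user_id": session["user_id"],
        "total": CATALOG[sku] * qty,
        "admin": session["role"] == "admin",
    }


def demo():
    """Send the same tampered request to both handlers and return both results."""
    # What the browser would submit for the form as rendered.
    honest = build_request("POST", "/checkout", {"Cookie": "session=sess-abc"},
                           {"sku": "sku-1", "price": "4999", "qty": "1", "user_id": "42"})
    # What a client that intercepts the request can submit: every part rewritten.
    tampered = build_request("POST", "/checkout",
                             {"Cookie": "session=sess-abc; role=admin",
                              "X-Forwarded-For": "127.0.0.1"},
                             {"sku": "sku-1", "price": "1", "qty": "1", "user_id": "1"})
    assert parse_request(honest)["form"]["price"] == "4999"
    req = parse_request(tampered)
    return checkout_trusting_client(req), checkout_server_side(req)


if __name__ == "__main__":
    trusting, validated = demo()
    print("trusting client:", trusting)
    print("server-side state:", validated)
```

The first handler charges one cent, bills the order to another user and grants admin rights purely because the bytes said so; the second returns the catalogue price for user 42 with no admin flag, because nothing it relies on came from the request except identifiers it could look up. The same reasoning applies to headers such as X-Forwarded-For, Referer or Origin whenever they are used as if the client could not set them.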
Original language: English
Title of host publication: 43rd IEEE Symposium on Security and Privacy Workshops, SPW 2022
Subtitle of host publication: proceedings
Editors: Lisa O'Conner
Place of Publication: Piscataway, NJ
Publisher: IEEE
Pages: 31-43
Number of pages: 13
ISBN (Electronic): 9781665496438
ISBN (Print): 9781665496445
DOIs
Publication status: Published - 25 Jul 2022
Event: Third Workshop of Designing Security for the Web - San Francisco, United States
Duration: 26 May 2022 to 26 May 2022
Conference number: 3rd
https://secweb.work/2022.html

Publication series

Name: IEEE Security and Privacy Workshops
Publisher: IEEE
ISSN (Print): 2639-7862
ISSN (Electronic): 2770-8411

Workshop

Workshop: Third Workshop of Designing Security for the Web
Abbreviated title: SecWeb 2022
Country/Territory: United States
City: San Francisco
Period: 26/05/22 to 26/05/22

Keywords

  • Web
  • Framework
  • Security awareness
  • Secure software development
  • CTF
