Measuring developers’ web security awareness from attack and defense perspectives

Merve Sahin; Tolga Ünlü; Cédric Hebert; Lynsay A. Shepherd; Natalie Coull; Colin McLean

doi:10.1109/SPW54247.2022.9833858

Measuring developers’ web security awareness from attack and defense perspectives

Merve Sahin, Tolga Ünlü, Cédric Hebert, Lynsay A. Shepherd, Natalie Coull, Colin McLean

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

163 Downloads (Pure)

Abstract

Web applications are the public-facing components of information systems, which makes them an easy entry point for various types of attacks. While it is often the responsibility of web developers to implement the proper security controls, it remains a challenge for them to develop a good understanding of the whole attack surface.This paper aims to understand developers’ familiarity with a number of web attack and defense mechanisms. In particular, we conducted two different experiments: First, we employed a questionnaire to understand the perceived attack surface and the types of security controls that are often considered. Second, we designed a Capture the Flag challenge aiming to push participants to discover as many attack points as possible on a given web application. We found that one third of developers are not aware of the clients’ ability to intercept and modify all parts of an HTTP request. Moreover, developers’ attack awareness focuses on a limited set of attacks (such as Cross-site scripting and SQL injection), overlooking a large part of the attack surface.

Original language	English
Title of host publication	43rd IEEE Symposium on Security and Privacy Workshops, SPW 2022
Subtitle of host publication	proceedings
Editors	Lisa O'Conner
Place of Publication	Piscataway, NJ
Publisher	IEEE
Pages	31-43
Number of pages	13
ISBN (Electronic)	9781665496438
ISBN (Print)	9781665496445
DOIs	https://doi.org/10.1109/SPW54247.2022.9833858
Publication status	Published - 25 Jul 2022
Event	Third Workshop of Designing Security for the Web - San Francisco, United States Duration: 26 May 2022 → 26 May 2022 Conference number: 3rd https://secweb.work/2022.html

Publication series

Name	IEEE Security and Privacy Workshops
Publisher	IEEE
ISSN (Print)	2639-7862
ISSN (Electronic)	2770-8411

Workshop

Workshop	Third Workshop of Designing Security for the Web
Abbreviated title	SecWeb 2022
Country/Territory	United States
City	San Francisco
Period	26/05/22 → 26/05/22
Internet address	https://secweb.work/2022.html

Keywords

Web
Framework
Security awareness
Secure software development
CTF

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1109/SPW54247.2022.9833858

Shepherd_MeasuringDevelopers'Web_Author_2022Accepted author manuscript, 680 KB

Cite this

Sahin, M., Ünlü, T., Hebert, C., Shepherd, L. A., Coull, N., & McLean, C. (2022). Measuring developers’ web security awareness from attack and defense perspectives. In L. O'Conner (Ed.), 43rd IEEE Symposium on Security and Privacy Workshops, SPW 2022: proceedings (pp. 31-43). [9833858] (IEEE Security and Privacy Workshops). IEEE . https://doi.org/10.1109/SPW54247.2022.9833858

@inproceedings{6cfc29eb7dfc4285924c9fe1c6074d10,

title = "Measuring developers{\textquoteright} web security awareness from attack and defense perspectives",

abstract = "Web applications are the public-facing components of information systems, which makes them an easy entry point for various types of attacks. While it is often the responsibility of web developers to implement the proper security controls, it remains a challenge for them to develop a good understanding of the whole attack surface.This paper aims to understand developers{\textquoteright} familiarity with a number of web attack and defense mechanisms. In particular, we conducted two different experiments: First, we employed a questionnaire to understand the perceived attack surface and the types of security controls that are often considered. Second, we designed a Capture the Flag challenge aiming to push participants to discover as many attack points as possible on a given web application. We found that one third of developers are not aware of the clients{\textquoteright} ability to intercept and modify all parts of an HTTP request. Moreover, developers{\textquoteright} attack awareness focuses on a limited set of attacks (such as Cross-site scripting and SQL injection), overlooking a large part of the attack surface.",

author = "Merve Sahin and Tolga {\"U}nl{\"u} and C{\'e}dric Hebert and Shepherd, {Lynsay A.} and Natalie Coull and Colin McLean",

note = "Funding Information: ACKNOWLEDGEMENTS The authors extend their appreciation to the Deanship of Scientific Research at King Saud University for funding this work through research group no. RGP-VPP-235. Publisher Copyright: {\textcopyright} 2022 IEEE.; Third Workshop of Designing Security for the Web, SecWeb 2022 ; Conference date: 26-05-2022 Through 26-05-2022",

year = "2022",

month = jul,

day = "25",

doi = "10.1109/SPW54247.2022.9833858",

language = "English",

isbn = "9781665496445",

series = "IEEE Security and Privacy Workshops",

publisher = "IEEE ",

pages = "31--43",

editor = "Lisa O'Conner",

booktitle = "43rd IEEE Symposium on Security and Privacy Workshops, SPW 2022",

url = "https://secweb.work/2022.html",

}

Sahin, M, Ünlü, T, Hebert, C, Shepherd, LA , Coull, N & McLean, C 2022, Measuring developers’ web security awareness from attack and defense perspectives. in L O'Conner (ed.), 43rd IEEE Symposium on Security and Privacy Workshops, SPW 2022: proceedings., 9833858, IEEE Security and Privacy Workshops, IEEE , Piscataway, NJ, pp. 31-43, Third Workshop of Designing Security for the Web, San Francisco, United States, 26/05/22. https://doi.org/10.1109/SPW54247.2022.9833858

Measuring developers’ web security awareness from attack and defense perspectives. / Sahin, Merve; Ünlü, Tolga; Hebert, Cédric et al.
43rd IEEE Symposium on Security and Privacy Workshops, SPW 2022: proceedings. ed. / Lisa O'Conner. Piscataway, NJ: IEEE , 2022. p. 31-43 9833858 (IEEE Security and Privacy Workshops).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Measuring developers’ web security awareness from attack and defense perspectives

AU - Sahin, Merve

AU - Ünlü, Tolga

AU - Hebert, Cédric

AU - Shepherd, Lynsay A.

AU - Coull, Natalie

AU - McLean, Colin

N1 - Conference code: 3rd

PY - 2022/7/25

Y1 - 2022/7/25

N2 - Web applications are the public-facing components of information systems, which makes them an easy entry point for various types of attacks. While it is often the responsibility of web developers to implement the proper security controls, it remains a challenge for them to develop a good understanding of the whole attack surface.This paper aims to understand developers’ familiarity with a number of web attack and defense mechanisms. In particular, we conducted two different experiments: First, we employed a questionnaire to understand the perceived attack surface and the types of security controls that are often considered. Second, we designed a Capture the Flag challenge aiming to push participants to discover as many attack points as possible on a given web application. We found that one third of developers are not aware of the clients’ ability to intercept and modify all parts of an HTTP request. Moreover, developers’ attack awareness focuses on a limited set of attacks (such as Cross-site scripting and SQL injection), overlooking a large part of the attack surface.

AB - Web applications are the public-facing components of information systems, which makes them an easy entry point for various types of attacks. While it is often the responsibility of web developers to implement the proper security controls, it remains a challenge for them to develop a good understanding of the whole attack surface.This paper aims to understand developers’ familiarity with a number of web attack and defense mechanisms. In particular, we conducted two different experiments: First, we employed a questionnaire to understand the perceived attack surface and the types of security controls that are often considered. Second, we designed a Capture the Flag challenge aiming to push participants to discover as many attack points as possible on a given web application. We found that one third of developers are not aware of the clients’ ability to intercept and modify all parts of an HTTP request. Moreover, developers’ attack awareness focuses on a limited set of attacks (such as Cross-site scripting and SQL injection), overlooking a large part of the attack surface.

U2 - 10.1109/SPW54247.2022.9833858

DO - 10.1109/SPW54247.2022.9833858

M3 - Conference contribution

SN - 9781665496445

T3 - IEEE Security and Privacy Workshops

SP - 31

EP - 43

BT - 43rd IEEE Symposium on Security and Privacy Workshops, SPW 2022

A2 - O'Conner, Lisa

PB - IEEE

CY - Piscataway, NJ

T2 - Third Workshop of Designing Security for the Web

Y2 - 26 May 2022 through 26 May 2022

ER -

Sahin M, Ünlü T, Hebert C, Shepherd LA , Coull N , McLean C. Measuring developers’ web security awareness from attack and defense perspectives. In O'Conner L, editor, 43rd IEEE Symposium on Security and Privacy Workshops, SPW 2022: proceedings. Piscataway, NJ: IEEE . 2022. p. 31-43. 9833858. (IEEE Security and Privacy Workshops). Epub 2022 Jul 25. doi: 10.1109/SPW54247.2022.9833858

Measuring developers’ web security awareness from attack and defense perspectives

Abstract

Publication series

Workshop

Keywords

UN SDGs

Access to Document

Fingerprint

Cite this