Many of today’s application security vulnerabilities are introduced by software developers writing insecure code, whether because they lack knowledge of secure programming practices or because their attention to security lapses while coding. Much work on software security has focused on detecting vulnerabilities through automated analysis techniques. While such techniques are effective, we believe they are not sufficient on their own. We propose to raise developer awareness and encourage the practice of secure programming by interactively reminding programmers of secure programming practices inside the Integrated Development Environment (IDE), at the point where the code is written. We have implemented a proof-of-concept plugin for Eclipse and Java. Initial evaluation results show that this approach can detect and help address common web application vulnerabilities and can serve as an effective aid for programmers. Our approach also complements existing software security best practices and can significantly increase developer productivity.
Author(s):
Jing Xie
University of North Carolina at Charlotte
United States
Bill Chu
University of North Carolina at Charlotte
United States
Heather Richter Lipford
University of North Carolina at Charlotte
United States
John T. Melton
University of North Carolina at Charlotte
United States