Title :
Specifying and enforcing application-level Web security policies
Author :
Scott, David ; Sharp, Richard
Author_Institution :
Lab. for Commun. Eng., Cambridge, UK
Abstract :
Application-level Web security refers to vulnerabilities inherent in the code of a Web-application itself (irrespective of the technologies in which it is implemented or the security of the Web-server/back-end database on which it is built). In the last few months, application-level vulnerabilities have been exploited with serious consequences: Hackers have tricked e-commerce sites into shipping goods for no charge, usernames and passwords have been harvested, and confidential information (such as addresses and credit-card numbers) has been leaked. We investigate new tools and techniques which address the problem of application-level Web security. We 1) describe a scalable structuring mechanism facilitating the abstraction of security policies from large Web-applications developed in heterogeneous multiplatform environments; 2) present a set of tools which assist programmers in developing secure applications which are resilient to a wide range of common attacks; and 3) report results and experience arising from our implementation of these techniques.
Keywords :
Internet; Web sites; data privacy; electronic commerce; formal specification; security of data; software tools; Web sites; application-level Web security policies; application-level vulnerabilities; code vulnerabilities; component-based design; confidential information; e-commerce sites; hacking; heterogeneous multiplatform environments; passwords; scalable structuring mechanism; security policy description languages; software tools; Calendars; Computer hacking; Data security; Databases; HTML; Information security; Internet; Nails; Programming profession; Web page design;
Journal_Title :
Knowledge and Data Engineering, IEEE Transactions on
DOI :
10.1109/TKDE.2003.1208998
