Title :
Mapping software faults with web security vulnerabilities
Author :
Fonseca, José ; Vieira, Marco
Author_Institution :
CISUC, Coimbra Univ., Coimbra
Abstract :
Web applications are typically developed under hard time constraints and are often deployed with critical software bugs, making them vulnerable to attacks. The classification and knowledge of the typical software bugs that lead to security vulnerabilities are of utmost importance. This paper presents a field study analyzing 655 security patches of six widely used web applications. Results are compared against other field studies on general software faults (i.e., faults not specifically related to security), showing that only a small subset of software fault types is related to security. Furthermore, the detailed analysis of the code of the patches has shown that web application vulnerabilities result from software bugs affecting a restricted collection of statements. A detailed analysis of the conditions/locations where each fault was observed in our field study is presented, allowing the future definition of realistic fault models that cause security vulnerabilities in web applications, which is the key element in designing a realistic attack injector.
Keywords :
Internet; security of data; software fault tolerance; Web application; Web security vulnerabilities; fault models; software bugs; software faults mapping; Application software; Banking; Computer bugs; Computer hacking; Data security; Information security; Information systems; Postal services; Road transportation; Time factors;
Conference_Title :
Dependable Systems and Networks With FTCS and DCC, 2008. DSN 2008. IEEE International Conference on
Conference_Location :
Anchorage, AK
Print_ISBN :
978-1-4244-2397-2
Electronic_ISBN :
978-1-4244-2398-9
DOI :
10.1109/DSN.2008.4630094