Security vulnerabilities: should you worry about them?
Luciano Sampaio - [email protected] Garcia – [email protected]
OPUS Research Group
Luciano Sampaio
Agenda
1. Background; 2. Motivation; 3. Research Questions; 4. Hypotheses; 5. Empirical Method and Evaluation; 6. Results; 7. Limitations; 8. Conclusions; 9. Questions?
Background
What is good software?
Easy to use (Usability); Fast (Efficiency); Easy to update (Maintainability);
Issues of usability, efficiency and others are easy to spot.
What about Security?
Motivation
Everything is going online; Applications are going global; Reputation is really important;
The later you find a problem, the more expensive it will be to fix it.
Research Questions
RQ1 - Who should check for security vulnerabilities?
RQ2 - What is the importance given by developers to security vulnerabilities?
RQ3 - Does the programming language influence the concern for security vulnerabilities?
Hypotheses
H1 - Developers should be the ones to check for security vulnerabilities;
H2 - Developers don’t care about security vulnerabilities;
H3 - Developers don’t know about security vulnerabilities;
H4 - Java developers care more about security than PHP developers;
Empirical Method and Evaluation
Exploratory Study:
Experiment: We asked the participants to review a piece of source code and report any security vulnerabilities; Requirement: knowledge of Java + HTML; 7 participated in the experiment; Average of 25 minutes; 2 performed OK, 5 didn’t…
Questionnaire: 12 questions on Google Forms; 45 answered the questionnaire;
Exploratory Study >> Experiment - Source Code
Denial of Service; XSS (Cross-Site Scripting); SQL Injection; Cookie Poisoning; Information Leakage; Security Misconfiguration;
Exploratory Study >> Experiment - Sign in
Exploratory Study >> Experiment - Comment
Exploratory Study >> Questionnaire
Results >> Who should worry? (RQ1 - H1)
Results >> Is it important? (RQ2 - H2)
Results >> How often? (RQ2 - H2)
Results >> Have you heard? (RQ2 - H3)
Results >> What programming languages? (RQ3 - H4)
Results >> What do you do? (RQ3 - H4)
Results >> % per PL (programming language) (RQ3 - H4)
Results >> Should students learn it?
Results >> At what point in time?
Results >> Have you?
Results >> What they said…
The order of prioritization: To protect my database; The easiest first; Easier to exploit;
What is necessary to remove them: Prepared Statements; Frameworks and libraries, e.g. Hibernate, ASP.NET 4.5; Remove “,” and “\” etc. from input;
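To contrast the two fixes the respondents named, here is an added example (not from the study or its reviewed source code; Python with sqlite3 rather than the experiment's Java, with a constructed users table): the character blacklist leaves the query's structure dependent on the input, so even a legitimate name with an apostrophe breaks the query, while the prepared statement keeps input as data.

```python
import sqlite3

# Constructed sample data: a minimal users table like the one a sign-in
# page would query. The second name legitimately contains an apostrophe.
SAMPLE_USERS = [("alice", "alice@example.test"), ("o'brien", "ob@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def strip_chars(value):
    """The survey answer taken literally: drop ',' and '\\' from the input."""
    return value.replace(",", "").replace("\\", "")


def lookup_concat(conn, name):
    """Blacklist filtering followed by string concatenation: the SQL text
    still changes with the input, so a quote in the data alters the query."""
    sql = "SELECT email FROM users WHERE name = '" + strip_chars(name) + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_param(conn, name):
    """Prepared (parameterised) statement: the SQL text is fixed and the
    driver passes the value separately, so the input is always data."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(name):
    """Return (concat_result, param_result); a raised database error is
    recorded as the exception class name so the difference stays visible."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = type(exc).__name__
    return concat, lookup_param(conn, name)


if __name__ == "__main__":
    for n in ("alice", "o'brien"):
        print(n, compare(n))
```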
Limitations
Number of participants;
Late understanding of more in-depth problems;
Almost everybody chose one of the options; just a few chose “Other:”;
Conclusions
Developers without training CANNOT find and fix security vulnerabilities;
Developers don’t need to be security experts; Are you a Tester and Database expert?
It is necessary to raise the bar of security;
Too many people doing nothing…
Questions?
Thank you!
Luciano Sampaio - [email protected] Garcia – [email protected]
OPUS Research Group