Secure Development of Web Systems: A Systematic Review
Abstract
The aim of this work is to present a systematic review of Web application development based on the main security vulnerabilities listed in the OWASP Top 10. This systematic review seeks to identify research, tools and methodologies that provide secure ways of developing Web systems. Initially, 165 works were found, of which 89 were selected as relevant. The results present the works that address the main vulnerabilities described in the OWASP Top 10, together with the main tools and methods for designing and developing secure software.