Structuring a Comprehensive Software Security Course Around the OWASP Application Security Verification Standard

Elder, Sarah; Zahan, Nusrat; Kozarev, Valeri; Shu, Rui; Williams, Laurie

doi:10.1109/icse-seet52601.2021.00019

Cited by 10 publications

(2 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Collecting data for this study required a team of four graduate students a combined eleven months of full-time work and twenty months of part-time work; four months part-time work from an undergraduate student; and the results of assignments from a large graduate-level software security course. Our experiences in structuring the software security course have been reported previously in Elder et al [26].…”

Section: Introductionmentioning

confidence: 76%

Do I really need all this work to find vulnerabilities? An empirical case study comparing vulnerability detection techniques on a Java application

Elder¹,

Zahan²,

Shu³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Context: Applying vulnerability detection techniques is one of many tasks using the limited resources of a software project. Objective: The goal of this research is to assist managers and other decisionmakers in making informed choices about the use of software vulnerability detection techniques through an empirical study of the efficiency and effectiveness of four techniques on a Java-based web application. Method: We apply four different categories of vulnerability detection techniques -systematic manual penetration testing (SMPT), exploratory manual penetration testing (EMPT), dynamic application security testing (DAST), and static application security testing (SAST) -to an open-source medical records system. Results:We found the most vulnerabilities using SAST. However, EMPT found more severe vulnerabilities. With each technique, we found unique vulnerabilities not found using the other techniques. The efficiency of manual techniques (EMPT, SMPT) was comparable to or better than the efficiency of automated techniques (DAST, SAST) in terms of Vulnerabilities per Hour (VpH). Conclusions: The vulnerability detection technique practitioners should select may vary based on the goals and available resources of the project. If the goal of an organization is to find "all" vulnerabilities in a project, they need to use as many techniques as their resources allow.

show abstract

Section: Introductionmentioning

confidence: 76%

Do I really need all this work to find vulnerabilities? An empirical case study comparing vulnerability detection techniques on a Java application

Elder¹,

Zahan²,

Shu³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…According to [98], some of the software security maturity models include Open Web Application Security Project (OWASP)'s Software Assurance Maturity Model (OpenSAMM), Building Security In Maturity Model (BSIMM) and BSIMM for vendors (vBSIMM). However, these security-specific maturity models and their checklists are not adequate in all contexts [99].…”

Section: Security Models and Frameworkmentioning

confidence: 99%

Software security models and frameworks: an overview and current trends

Korir¹

2023

World J. Adv. Eng. Technol. Sci.

View full text Add to dashboard Cite

The continued dependence on information technology applications has led to the adoption of electronic channels and software applications to support businesses, online transactions and communications. In this perspective, both functional and non-functional requirements are critical for the provision of necessary needs at the early phases of the software development process. This is specifically important in the requirement phase of the software development process. Software security is increasingly becoming a necessity concern in this environment. Unfortunately, security concepts such as access control requirements are mostly considered after the functional requirement definition stage. In addition, majority of the developers and organizations regard security as an activity that can be incorporated after the development of a system. This leads to flaws and security defects in the access control mechanism. Therefore, software security issues must be given higher priority in the early stages of the development process. The aim of this paper is to offer a survey of the software security techniques, frameworks and models that have been developed to deal with these issues. The results obtained indicate that software vulnerabilities have made it possible for attackers to exploit them to cause havoc in computerized systems and has become one of the most critical risks facing modern corporate networks. Since most of these vulnerabilities involve exploitable weaknesses introduced through badly written code, the cyber security community has tried to come up with techniques to enhance software products.

show abstract