SASMEDU: Security Assessment Method of Software in Engineering Education

Full Text (PDF, 1364KB), PP.1-12

Views: 0 Downloads: 0

Author(s)

Guncel SARIMAN 1,* Ecir Ugur KUCUKSILLE 2

1. Computer Technologies Department of Muğla Vocational School, Muğla Sıtkı Koçman University, 48000, Mugla, Turkey

2. Computer Engineering of Süleyman Demirel Universoty, Isparta, Turkey

* Corresponding author.

DOI: https://doi.org/10.5815/ijitcs.2018.07.01

Received: 19 Feb. 2018 / Revised: 11 Apr. 2018 / Accepted: 6 Jun. 2018 / Published: 8 Jul. 2018

Index Terms

Programming and programming languages, improving classroom teaching, interactive learning environments, software security assessment

Abstract

Security and usability of web and mobile applications where users share their personal information have become to be a factor about which users should be careful. Rapid increase of developers, programming at early ages, desire for earning money by working freelance have caused widespread  use of web and mobile applications and an increase of codes which contain vulnerabilities. Safe and good software development is also based on software lessons given to the students in high school or college years. This paper presents a developed testing and evaluation software in order to find out the leakages in the web applications which was developed by using asp.net, php and java languages. It is aimed that the developed analysis tool was designed to be used by engineering students as a training tool, in security courses by trainees and by programmers for testing. Within the scope of the study, security tests of web projects were carried out with static code analysis method in input control, metric analysis and style control phases. For testing the developed software tool, student web projects were used which were downloaded from "www.freestudentprojects.com" website. 10 test projects were tested in the stages of input control, metric analysis and style control. According to the results of the analysis, the errors were concentrated on Structural Query Language Injection and Cross Site Scripting attacks, which were developed by the students due to the lack of security audit in the projects.

Cite This Paper

Güncel SARIMAN, Ecir Uğur KÜÇÜKSİLLE, "SASMEDU: Security Assessment Method of Software in Engineering Education", International Journal of Information Technology and Computer Science(IJITCS), Vol.10, No.7, pp.1-12, 2018. DOI:10.5815/ijitcs.2018.07.01

Reference

[1]G. Eason, B. Noble, and I. N. Sneddon, “On certain integrals of Lipschitz-Hankel type involving products of Bessel functions,” Phil. Trans. Roy. Soc. London, vol. A247, pp. 529–551, April 1955.

[2]Ç. Çebi, Bilgi Güvenliği, http://www.cagataycebi.com /security/bilgi_guvenligi.pdf, Accessed June 2017.

[3]F. Karayumak, Yazılım Güvenliği Programı. http://www.bilgiguvenligi.gov.tr/yazilim-guvenligi/yazilim-guvenligi-programi.html, Accessed February 2013.

[4]C.C. Michael, Risk-Based and Functional Security Testing.https://buildsecurityin.us-cert.gov/articles/best-practices/security-testing/risk-base-and-functional-security-testing, Accessed September 2016.

[5]Ulakbim, Web Güvenliği Çalışma Grubu. http://csirt.ulakbim.gov.tr/gruplar/zayiflik.uhtml, Accessed July 2017.

[6]J.G. Myers, The Art of Software Testing, John Wiley & Sons, Inc., 2004.

[7]B. Livshits, Improving Software Security with Precise Static and Runtime Analysis, Ph.D. Dissertation. Stanford University, Stanford, CA, USA. 2006.

[8]N. Jovanovic, C. Kruegel, E. Kirda, Pixy: a static analysis tool for detecting web application vulnerabilities, Security and Privacy, IEEE Symposium, 2006, pp 263-269.

[9]Y. Huming, N. Jones, G. Bullock, Y. Y. Yuan, Teaching Secure Software Engineering: Writing Secure Code. Software Engineering Conference in Russia (CEE-SECR), 7th Central and Eastern European, 2011, pp 1-5.

[10]M. Şahinoğlu, M. Sari, A. Kurt, S. Kurnaz, M. Özbek, Problems and Solution Suggestions in Software Testing, 7th National Software Engineering Symposium, 2013.

[11]J. Zheng, L. Williams, N. Nagappan, W. Snipes, J. P.  Hudepohl, M. A. Vouk, On the Value of Static Analysis for Fault Detection in Software, IEEE Transactions on Software Engineering, 32(4), 2006, 240-253.

[12]B. Chess, J. West, Secure Programming with Static Analysis, Pearson Education, 2007.

[13]V. Satyanarayana, M. V. B. C. Sekhar, Static Analysıs Tool for Detecting Web Application Vulnerabilities. International Journal of Modern Engineering Research (IJMER) 1 2011, 127-133.

[14]J. Dahse, RIPS-A static source code analyser for vulnerabilities in PHP scripts. Horst Görtz Institute Ruhr-University, 2010, 19p.

[15]R. Dewhurst, Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities. University of Northumbria, Project Report 2012, pp 86.

[16]Internet Users in the World, http://www.internetlivestats.com, Accessed January 2016.

[17]Welcome to the Undergraduate Computer Engineering Program, http://www.engineering.pitt.edu/ Departments/ElectricalComputer/_Content /Undergraduate/Computer-Engineering/COE-Undergraduate. Accessed May 2018.

[18]Graduate Curriculum, https://ceng.metu.edu.tr/ graduate-curriculum. Accessed February 2017.

[19]J. Cowart, Elementary school students develop coding skills. http://cranstononline.com/ stories/elementary-school-students-develop-coding-skills. Accessed August 2017.

[20]H. Alhejaili, Usefulness of Teaching Security Awareness for Middle School Students. Rochester Institute of Technology. Master of Sciences. New York, 2013.

[21]Olugbenga W. Adejo, I. Ewuzie, A. Usoro, T. Connolly, "E-Learning to m-Learning: Framework for Data Protection and Security in Cloud Infrastructure", International Journal of Information Technology and Computer Science (IJITCS), Vol.10, No.4, pp.1-9, 2018. DOI: 10.5815/ijitcs.2018.04.01.

[22]Sobia Usman, Humera Niaz, "Building Secure Web-Applications Using Threat Model", International Journal of Information Technology and Computer Science (IJITCS), Vol.10, No.3, pp.52-62, 2018. DOI: 10.5815/ijitcs.2018.03.

[23]Acunetix, Web Application Vulnerability Report 2016. http://www.dotforce.it/wpcontent/uploads/2016/09/acunetix-web-application-vulnerability-report-2016.pdf. Available June 2017.