Specifying and enforcing application-level web security policies
- 9 July 2003
- journal article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE Transactions on Knowledge and Data Engineering
- Vol. 15 (4), 771-783
- https://doi.org/10.1109/tkde.2003.1208998
Abstract
Application-level Web security refers to vulnerabilities inherent in the code of a Web application itself (irrespective of the technologies in which it is implemented or the security of the Web server or back-end database on which it is built). In the last few months, application-level vulnerabilities have been exploited with serious consequences: hackers have tricked e-commerce sites into shipping goods for no charge, usernames and passwords have been harvested, and confidential information (such as addresses and credit-card numbers) has been leaked. We investigate new tools and techniques which address the problem of application-level Web security. We 1) describe a scalable structuring mechanism facilitating the abstraction of security policies from large Web applications developed in heterogeneous multiplatform environments; 2) present a set of tools which assist programmers in developing secure applications which are resilient to a wide range of common attacks; and 3) report results and experience arising from our implementation of these techniques.