Furthermore, we compare the results of these two first studies: the XSS mitigations in template engines and the CSRF mitigations in server-side frameworks. Based on our findings, we provide recommendations for developers and framework maintainers on how to create better frameworks that produce secure applications. We also update our initially proposed categorization of security controls implementation to include an additional level.
However, the updates to the frameworks take a long time. For example, during our work on the third study, only two of the proposed six mitigations were implemented in the Electron framework by its maintainers. Therefore, we develop an IDE plugin for Electron applications called Electrolint, that not only identifies the security issues at development time, but also suggests contextual mitigation to the developer at the appropriate line of code. In this way it removes friction for developers to add the needed security controls to their applications early in the software development life cycle. We verify that Electrolint provides security advice for every defect identified in the open source applications examined in our third study. Lastly, we demonstrate in several applications that the fix provided by Electrolint addresses the security defect and makes these applications protected against the previously successful exploits for the identified vulnerabilities.
|Commitee:||Choi, Hyeong-Ah, Youssef, Abdou, Zhang, Nan|
|School:||The George Washington University|
|School Location:||United States -- District of Columbia|
|Source:||DAI-B 82/8(E), Dissertation Abstracts International|
|Subjects:||Computer science, Information Technology|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved
The supplemental file or files you are about to download were provided to ProQuest by the author as part of a
dissertation or thesis. The supplemental files are provided "AS IS" without warranty. ProQuest is not responsible for the
content, format or impact on the supplemental file(s) on our system. in some cases, the file type may be unknown or
may be a .exe file. We recommend caution as you open such files.
Copyright of the original materials contained in the supplemental file is retained by the author and your access to the
supplemental files is subject to the ProQuest Terms and Conditions of use.
Depending on the size of the file(s) you are downloading, the system may take some time to download them. Please be