Model-based analysis of Java EE web security misconfigurations. (September 2017)
- Record Type:
- Journal Article
- Title:
- Model-based analysis of Java EE web security misconfigurations. (September 2017)
- Main Title:
- Model-based analysis of Java EE web security misconfigurations
- Authors:
- Martínez, Salvador
Cosentino, Valerio
Cabot, Jordi
- Abstract:
- The Java EE framework, a popular technology of choice for the development of web applications, provides developers with the means to define access-control policies to protect application resources from unauthorized disclosures and manipulations. Unfortunately, the definition and manipulation of such security policies remains a complex and error-prone task, requiring expert-level knowledge of the syntax and semantics of the Java EE access-control mechanisms. Thus, misconfigurations that may lead to unintentional security and/or availability problems can be easily introduced. In response to this problem, we present a (model-based) reverse engineering approach that automatically evaluates a set of security properties on reverse-engineered Java EE security configurations, helping to detect the presence of anomalies. We evaluate the efficacy and pertinence of our approach by applying our prototype tool to a sample of real Java EE applications extracted from GitHub.
- Highlights:
- We provide a framework to analyze Java EE access-control misconfigurations.
We use model-driven engineering tools and techniques for our analysis.
We evaluate the efficacy and pertinence of our approach on real applications.
We provide a survey on the importance of security to Java EE developers.
- Is Part Of:
- Computer languages, systems & structures. Volume 49(2017)
- Journal:
- Computer languages, systems & structures
- Issue:
- Volume 49 (2017)
- Issue Display:
- Volume 49, Issue 2017 (2017)
- Year:
- 2017
- Volume:
- 49
- Issue:
- 2017
- Issue Sort Value:
- 2017-0049-2017-0000
- Page Start:
- 36
- Page End:
- 61
- Publication Date:
- 2017-09
- Subjects:
- Model-driven engineering -- Security -- Reverse-engineering
Programming languages (Electronic computers) -- Periodicals
Computer networks -- Periodicals
Computer architecture -- Periodicals
Computer systems -- Periodicals
Programming language
Computer network
Computer architecture
Electronic periodical (Form descriptor)
Internet resource (Form descriptor)
005.13
- Journal URLs:
- http://www.sciencedirect.com/science/journal/14778424/40
http://www.elsevier.com/journals
- DOI:
- 10.1016/j.cl.2017.02.001
- Languages:
- English
- ISSNs:
- 1477-8424
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3394.071000
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store
- Ingest File:
- 7908.xml