The Effect of Development Tools on Security
In a comment about my previous post, Andre Gironda recommended another paper, this time from researchers in the Computer Science Division at UC Berkeley.
Matthew Finifter and David Wagner's paper Exploring the Relationship Between Web Application Development Tools and Security describes an analysis of vulnerabilities in nine implementations of the same web application, developed by professional programmers.
The authors are at pains to highlight possible and actual uncertainties in their analysis, which is quite limited in scope, but they have derived a very useful methodology for comparing applications developed in different languages and frameworks. The findings in which they have the greatest confidence were:
- There is no relationship between choice of programming language and application security.
- Automatic (built-in) framework protection measures are effective at precluding vulnerabilities, whilst manual (optional) ones provide little value.
- Manual source code review is more effective at finding vulnerabilities than automated dynamic (penetration) testing.
But do read the paper in full, and consider how the results might be used to improve your own secure software development lifecycles.
Although the authors discuss related work in this area, I would like to see more comparable data, but I suspect that obtaining unbiased test applications may be difficult.
Posted on: 22 November 2011 at 21:02 hrs