ISBN 978-989-97433-8-0 E-book edition 2017 by SciKa
Book of abstracts of the
CENTERIS 2017 Conference on Enterprise Information Systems /
ProjMAN 2017 International Conference on Project MANagement /
HCist 2017 International Conference on Health and Social Care Information Systems and Technologies
Function: The Foundation of Secure Web Development
Orven E. Llantos
Mindanao State University-Iligan Institute of Technology, Iligan City 9200, Philippines
Abstract
Web applications are so pervasive nowadays that anyone who has a web-enabled device can access any site they
like. These sites range from social connections and national election data to health care companions. Thus, it is
imperative that, for these websites to truly serve their intended purpose, a layer of security against malicious
individuals be implemented. Reports of website hacking by unknown attackers keep appearing in the global
news.
Although open-source MVC frameworks implement security mechanisms, there are issues that, if not
considered by the website developer, can lead to a breach of security like the ones suffered by the exposed websites.
The main problem with mainstream MVC frameworks is that, if not configured carefully, they become a single point of
failure.
This paper proposes an alternative for developing a more secure application.
Keywords: MVC Framework; REST; Stored Procedure; Identity and access management.
1. Introduction
Web applications are so pervasive nowadays that anyone who has a web-enabled device can access
any site they like. These sites range from social connections and national election data to health care
companions. Thus, it is imperative that, for these websites to truly serve their intended purpose, a
layer of security against malicious individuals be implemented. After all, security and data
protection affect the stakeholders' motivation to use the system[7]. Software security design involving
the stakeholders is discussed by Casola et al.[10] using security service level agreements (SLAs),
but is not covered in this paper.
Reports of website hacking[3] by unknown attackers keep appearing in the global news.
In the Philippines alone, many government sites have been hacked, and recently the Commission
on Elections (COMELEC) website was greatly affected; as a consequence, sensitive
details of voters were exposed to the public. It was dubbed the biggest Philippine government data breach[1]
because of the massive amount of stolen data, approximately 76.4 gigabytes. It must be noted that
most of these websites were implemented using MVC frameworks.
2. The Framework Pitfall
Using MVC frameworks gives the developer super-user access to control the framework's inner
workings through a web interface. Identity and access management[6] is implemented at the
framework level, sometimes using a single account. It is up to the controller script to send appropriate
commands to the model, imposing access management for multi-role systems. Significant efforts have
been made to protect this level, but if the developer or site administrator maintains a weak password
or if the site is susceptible to man-in-the-middle attacks[5], then this level is vulnerable.
MVC frameworks maintain a mechanism to define the database schema at their own level using an Object-
Relational Mapping (ORM). An ORM allows easy deployment to different supported databases. ORMs like
SQLAlchemy mitigate SQL injection attacks by forcing the developer to learn the syntax and semantics needed to
express the equivalent SQL in their language. This seemingly nice feature is actually its drawback. First,
techniques like this require a considerable learning curve for developers who are used to SQL
commands. Second, if a malicious hacker is able to gain control of the entire set of framework files, all they
have to do is run the script on their machine and the entire business logic and database schema are rebuilt.
This allows the malicious hacker to study the system thoroughly and possibly mimic it,
luring unsuspecting users into thinking that it is the original web application, only hosted on a different site.
3. The Alternative Approach
The purpose of this paper is to propose an alternative approach to web development with security
in mind. In general, this approach moves identity and access management from the
framework back to the database level, and data access is interfaced through stored procedures, with
access determined by the rights of the group to which a user belongs.
4. Web Application Development
The web application is developed using the Flask micro-framework, implementing the REST[2]
resources for my.eskwela[4]. Stored procedure calls are made using the callproc function defined by
SQLAlchemy, so queries benefit from the implemented security feature for handling query
parameters, while the learning curve for developers is minimized by
enclosing the actual SQL in a stored procedure. The identity of the querying user is verified using a salting
technique in which values are checked for every transaction. For this project, the developers knew the
PostgreSQL database system and how to implement stored procedures.
The resulting system was deployed to a cloud platform within the constraints of the allocated resources.
It uses the platform-provided SSL certificate for encrypted communication[8]. Also, the entire
database schema, user group access control, and stored procedures are kept in a separate file so that they need
not be part of the production files[9].
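As an added illustration (not code from the paper or from my.eskwela), the following PostgreSQL script sketches what such a separate schema file could contain: group roles hold the rights, tables are closed to every login, and the only path to the data is a stored procedure whose EXECUTE privilege is granted per group. All role, schema, table and function names, and the sample account, are hypothetical.

```sql
-- Added example for PostgreSQL; every name below is hypothetical.

-- Group roles carry the rights. Login roles only inherit them by membership.
CREATE ROLE data_owner NOLOGIN;   -- owns tables and functions, never logs in
CREATE ROLE teachers   NOLOGIN;
CREATE ROLE parents    NOLOGIN;

-- Constructed sample account; the password is a placeholder to be replaced.
CREATE ROLE t_reyes LOGIN PASSWORD 'REPLACE_ME' IN ROLE teachers;

CREATE SCHEMA school AUTHORIZATION data_owner;

CREATE TABLE school.grades (
    student_id integer      NOT NULL,
    subject    text         NOT NULL,
    teacher    name         NOT NULL,
    grade      numeric(5,2) NOT NULL CHECK (grade BETWEEN 0 AND 100),
    PRIMARY KEY (student_id, subject)
);
ALTER TABLE school.grades OWNER TO data_owner;

-- No login or group may touch the table directly.
REVOKE ALL ON SCHEMA school FROM PUBLIC;
REVOKE ALL ON school.grades FROM PUBLIC;
GRANT USAGE ON SCHEMA school TO teachers, parents;

-- Write path: runs with data_owner's rights (SECURITY DEFINER), records the
-- real login via session_user, and pins search_path so a caller cannot
-- substitute objects from a schema of their own.
CREATE FUNCTION school.record_grade(p_student integer, p_subject text, p_grade numeric)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = school, pg_temp
AS $$
BEGIN
    INSERT INTO school.grades (student_id, subject, teacher, grade)
    VALUES (p_student, p_subject, session_user, p_grade)
    ON CONFLICT (student_id, subject)
    DO UPDATE SET grade = EXCLUDED.grade, teacher = EXCLUDED.teacher;
END;
$$;
ALTER FUNCTION school.record_grade(integer, text, numeric) OWNER TO data_owner;

-- Read path: exposes only the columns a parent needs.
CREATE FUNCTION school.grades_for(p_student integer)
RETURNS TABLE (subject text, grade numeric)
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = school, pg_temp
AS $$
    SELECT g.subject, g.grade
    FROM school.grades AS g
    WHERE g.student_id = p_student;
$$;
ALTER FUNCTION school.grades_for(integer) OWNER TO data_owner;

-- PostgreSQL grants EXECUTE on new functions to PUBLIC by default,
-- so revoke it first and then grant per group.
REVOKE ALL ON FUNCTION school.record_grade(integer, text, numeric) FROM PUBLIC;
REVOKE ALL ON FUNCTION school.grades_for(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION school.record_grade(integer, text, numeric) TO teachers;
GRANT EXECUTE ON FUNCTION school.grades_for(integer) TO teachers, parents;
```

With this layout, a compromised application account in the `parents` group can read grades through `school.grades_for` but has no privilege to write them or to query `school.grades` directly.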
5. Advantage/Disadvantage of the Approach
The above discussion illustrates the strength of the approach in enforcing security by moving identity
and access management to the database level and using functions (i.e., stored procedures) as its
foundation. As with any idea, there are also disadvantages that need to be considered if one
wants to implement this approach.
Using stored procedures for data access instead of ORM-provided constructs means that the
developer is compelled to commit to a database system that supports stored procedures,
because they cannot simply migrate to another database system without rewriting the schema. At
present, however, converting a database schema to another database system is not that hard, because
database converter applications exist, though at a considerable monetary cost.
6. Conclusion
A web application development approach has been proposed, and key areas of security
implementation have been shown through the use of functions at the very core of database operations. Identity and access
control are implemented at the database level, and information access is done using a stored procedure
called on top of SQLAlchemy. The user's identity is verified using a salting mechanism.
As with any other decision in choosing the right approach to software development, one has
to weigh the factors important to the application task at hand. But the thing that should lead one
to choose this approach is the establishment of security implementations that protect the application
from attacks[12].
Acknowledgements
For MSU-IIT, the Office of Chancellor and Vice Chancellor for Research and Extension and DOST-
PCIEERD HRDP, thank you for your support in this endeavor.
References
[1] Buenaventura, L., 2016. Conversations with the creator of we have your data, Online. http://bit.ly/2nK155A9.
[2] Fielding, R., 2000. Architectural Styles and the Design of Network-based Software Architectures, PhD Thesis, University of
California, Irvine.
[3] Kaur, D., Kaur, P., 2016. Empirical Analysis of Web Attacks, Procedia Computer Science 78, p. 298.
[4] Llantos, O., 2017. Cloudification of my.eskwela for e-governance in Philippine Education, Procedia Computer Science 109,
p. 680.
[5] Bicakci, K., Unal, D., Ascioglu, N., Adalier, O., 2014. Mobile Authentication Secure Against Man-In-The-Middle Attacks,
Procedia Computer Science 34, p. 323.
[6] Sharma, D., Dhote, C.A., Potey, M., 2016. Identity and Access Management as Security-as-a-Service from Clouds, Procedia
Computer Science 79, p. 170.
[7] Kouatli, I., 2016. Managing Cloud Computing Environment: Gaining Customer Trust with Security and Ethical
Management, Procedia Computer Science 91, p. 412.
[8] Bhardwaj, A., Subrahmanyam, G., Avasthi, V., Sastry, H., 2016. Security Algorithms for Cloud Computing, Procedia
Computer Science 85, p. 535.
[9] Hüttermann, M., 2012. DevOps for Developers (Expert’s Voice in Web Development), Apress.
[10] Casola, V., De Benedictis, A., Rak, M., Rios, E., 2016. Security-by-design in clouds: a Security-SLA driven methodology
to build secure cloud applications, Procedia Computer Science 97, p. 53.
[11] Müller, A., Ludwig, A., Franczyk, B., 2017. Data security in Decentralized Cloud Systems: system comparison,
requirements analysis and organizational levels, Journal of Cloud Computing: Advances, Systems and Applications 6:15,
p. 1.
[12] Mouli, V., Jevitha, K., 2016. Web Services Attacks and Security - A Systematic Literature Review, Procedia Computer
Science 93, p. 870.