Home // International Journal On Advances in Software, volume 10, numbers 3 and 4, 2017 // View article

Applying Information Flow Tracking to the Development Cycle

Authors:
Pål Ellingsen
Thomas Lie

Keywords: Information flow tracking; taint analysis; iterative development; software security; injection attacks

Abstract:
Information flow vulnerabilities such as Structured Query Language (SQL) Injection and Cross-Site Scripting are highly relevant issues in web applications. This article expands on a an earlier paper by the authors to investigate how to apply information flow tracking in the form of taint analysis to detect this domain of vulnerabilities in. Different types of taint analysis implementations exists and a challenge is how web application frameworks are handled by the taint analysis implementation. This technique is tested by a developing a prototype application for a company covering a genuine need. This application also functions as an artefact application in conducting taint analysis. Using this artefact, a proposed solution for integrating taint analysis in the process of developing Java EE web applications is tested. Analysing the results, it is shown that it is possible to integrate taint analysis in the development cycle, but it is also made clear that the technique must be improved to properly support its use in an automated build system.

Pages: 397 to 412

Copyright: Copyright (c) to authors, 2017. Used with permission.

Publication date: December 31, 2017

Published in: journal

ISSN: 1942-2628