An official website of the United States government
The security threats to mobile applications are growing explosively. Mobile apps flaws and security defects open doors for hackers to break in and access sensitive information. Defensive requirements analysis should be an integral part of secure mobile SDLC. Developers need to consider the information confidentiality and data integrity, to verify the security early in the development lifecycle rather than fixing the security holes after attacking and data leaks take place. Early eliminating known security vulnerabilities will help developers increase the security of apps and reduce the likelihood of exploitation. However, many software developers lack the necessary security knowledge and skills at the development stage, and that's why Secure Mobile Software Development education is very necessary for mobile software engineers. In this paper, we propose a guided security requirement analysis based on OWASP Mobile Top ten security risk recommendations for Android mobile software development and its traceability of the developmental controls in SDLC. Building secure apps immune to the OWASP Mobile Top ten risks would be an effective approach to provide very useful mobile security guidelines.
more »
« less
DroidPatrol: A Static Analysis Plugin For Secure Mobile Software Development
While the number of mobile applications are rapidly growing, these applications are often coming with numerous security flaws due to the lack of appropriate coding practices. Security issues must be addressed earlier in the development lifecycle rather than fixing them after the attacks because the damage might already be extensive. Early elimination of possible security vulnerabilities will help us increase the security of our software and mitigate or reduce the potential damages through data losses or service disruptions caused by malicious attacks. However, many software developers lack necessary security knowledge and skills required at the development stage, and Secure Mobile Software Development (SMSD) is not yet well represented in academia and industry. In this paper, we present a static analysis-based security analysis approach through design and implementation of a plugin for Android Development Studio, namely DroidPatrol. The proposed plugins can support developers by providing list of potential vulnerabilities early.
more »
« less
- PAR ID:
- 10104316
- Date Published:
- Journal Name:
- Proc. of 43rd IEEE Conference on Computer, Software and Applications (COMPSAC)
- Page Range / eLocation ID:
- 565 to 569
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
While the number of mobile and web applications is growing exponentially, the mobile and web security threat landscape is growing explosively. Malicious malware may attack vulnerable applications and obtain personal or enterprise confidential data anywhere and anytime. Most vulnerabilities should be addressed and fixed during the early stages of software development. However, many software development professionals lack the awareness of the importance of security vulnerabilities and the necessary knowledge and skills at the software development stage. This paper addresses the needs and challenges of the lack of pedagogical materials and real-world learning environment in ProActive Control for Software Security (PASS) through effective, engaging, and investigative authentic learning approaches.more » « less
-
The security threats to mobile application are growing explosively. Mobile app flaws and security defects could open doors for hackers to easily attack mobile apps. Secure software development must be addressed earlier in the development lifecycle rather than fixing the security holes after attacking. Early eliminating against possible security vulnerability will help us increase the security of our software, and militate the consequence of damages of data loss caused by potential malicious attacking. However, many software developer professionals lack the necessary security knowledge and skills at the development stage and Secure Mobile Software Development (SMSD) is not yet well represented in current computing curriculum. In this paper we present a static security analysis approach with open source FindSecurityBugs plugin for Android Studio IDE. We categorized the common mobile vulnerability for developers based on OWASP mobile security recommendations and developed detectors to meet the SMSD needs in industry and education.more » « less
-
The security threats to mobile application are growing explosively. Mobile app flaws and security defects could open doors for hackers to easily attack mobile apps. Secure software development must be addressed earlier in the development lifecycle rather than fixing the security holes after attacking. Early eliminating against possible security vulnerability will help us increase the security of our software, and militate the consequence of damages of data loss caused by potential malicious attacking. However, many software developer professionals lack the necessary security knowledge and skills at the development stage and Secure Mobile Software Development (SMSD) is not yet well represented in current computing curriculum. In this paper we present a static security analysis approach with open source FindSecurityBugs plugin for Android Studio IDE. We categorized the common mobile vulnerability for developers based on OWASP mobile security recommendations and developed detectors to meet the SMSD needs in industry and education.more » « less
-
We present an ethnographic study of secure software development processes in a software company using the anthropological research method of participant observation. Two PhD students in computer science trained in qualitative methods were embedded in a software company for 1.5 years of total research time. The researchers participated in everyday work activities such as coding and meetings, and observed software (in)security phenomena both through investigating historical data (code repositories and ticketing system records), and through pen-testing the developed software and observing developers’ and management’s reactions to the discovered vulnerabilities. Our study found that 1) security vulnerabilities are sometimes intentionally introduced and/or overlooked due to the difficulty in managing the various stakeholders’ responsibilities in an economic ecosystem, and cannot be simply blamed on developers’ lack of knowledge or skills; 2) accidental vulnerabilities discovered in the pen-testing process produce different reactions in the development team, often times contrary to what a security researcher would predict. These findings highlight the nuanced nature of the root causes of software vulnerabilities and indicate the need to take into account a significant amount of contextual information to understand how and why software vulnerabilities emerge during software development. Rather than simply addressing deficits in developer knowledge or practice, this research sheds light on at times forgotten human factors that significantly impact the security of software developed by actual companies. Our analysis also shows that improving software security in the development process can benefit from a co-creation model, where security experts work side by side with software developers to better identify security concerns and provide tools that are readily applicable within the specific context of the software development workflow.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- https://doi.org/10.1109/COMPSAC.2019.00087
