This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ASIDE Project"
m |
m |
||
Line 5: | Line 5: | ||
We have presented our talk [http://d5srjexdxko0l.cloudfront.net/talks.html#ide Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. | We have presented our talk [http://d5srjexdxko0l.cloudfront.net/talks.html#ide Secure Programming Support in IDE] at [http://d5srjexdxko0l.cloudfront.net/ AppSec USA 2011] in Minneapolis. | ||
− | You can view and download our | + | You can view and download our[http://webpages.uncc.edu/~jxie2/ASIDE.pdf presentation]. |
==== Project About ==== | ==== Project About ==== |
Revision as of 17:17, 26 June 2012
Main
This project is led by [Jing Xie] & Bill Chu. Other major contributors include Jun Zhu, Heather Richter Lipford, John Melton & Will Stranathan.
We have presented our talk Secure Programming Support in IDE at AppSec USA 2011 in Minneapolis.
You can view and download ourpresentation.
Project About
OWASP ASIDE/ESIDEOWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [here]. OWASP ASIDE is led by [Mahmoud Mohammadi] and Bill Chu. Other major contributors include Jun Zhu ,Jing Xie, Heather Richter Lipford, Tyler Thomas, John Melton & Will Stranathan. IntroductionASIDE is an abbreviation for Application Security plugin for Integrated Development Environment. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs. DescriptionASIDE currently has three prototype implementations: ASIDE CodeRefactoring for Education, ASIDE CodeAnnotate which consists of two implementations, ASIDE JavaCodeAnnotate and ASIDE PHPCodeAnnotate. ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code. ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code. An older version of ASIDE DEMO shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it. Research Activities1. Mahmoud Mohammadi, Bill Chu and Heather Richter Lipford, “POSTER : Using Unit Testing to Detect Sanitization Flaws,” in CCS’15: The 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, Denver, USA 2. Jun Zhu, Bill Chu, Heather Richter Lipford, Tyler Thomas, Mitigating Access Control Vulnerabilities through Interactive Static Analysis , In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Vienna, Austria 3. Jun Zhu, Jing Xie, and Bill Chu, Supporting Secure Programming in Web Applications through Interactive Static Analysis, In Journal of Advanced Research, Elsevier, December, 2013. 4. Jing Xie, Heather Richter Lipford, and Bill Chu, Evaluating Interactive Support for Secure Programming, In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA 5. Jing Xie, Bill Chu, Heather Richter Lipford, and John T. Melton, ASIDE:IDE Support for Web Application Security, In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA 6. Jing Xie, Heather Richter Lipford, and Bill Chu, Why do programmers make security errors?, In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA 7. Jing Xie, Bill Chu, and Heather Richter Lipford Interactive Support for Secure Software Development, In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain Relevant Research8. Heather Richter Lipford, Jing Xie, Bill Chu, etc The Impact of A Structured Application Development Framework on Web Application Security LicensingOWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
|
What is ASIDE/ESIDE?OWASP ASIDE provides:
ESIDE provides:
p.s. (Details about ESIDE are described [here].) Presentation1. Our talk Using Interactive Static Analysis for Early Detection of Software Vulnerabilities at AppSec USA 2012. You can view and download our presentation. 2. Our talk Secure Programming Support in IDE at AppSec USA 2011 in Minneapolis. You can view and download our presentation. Project Leaders[Mahmoud Mohammadi], Bill Chu, Jun Zhu Related ProjectsOpenhub
|
Quick DownloadRunnable plugins and installation guidelinesThe recent publicly available ASIDE CodeRefactoring plugin can be downloaded from here. You also need to download the complementary logging facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from here. ASIDE CodeAnnotate is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from here. New! We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon Eclipse PDT framework, you can download the plugin here. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded here, and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from here. A good PHP open source project you can try the plugin against is Moodle; Source CodeASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate Email ListProject Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project News and Events
In PrintN/A Classifications |
ASIDE project has been continuously under active research, development, and evaluation. Involvement in the development and promotion of ASIDE is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:
- Try ASIDE and email your feedback, comments to the project leaders.
- Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!
ESIDE
The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by Michael Whitney and Heather Richter Lipford. Other major contributors include Bill Chu and [Jun Zhu].
Introduction
ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning the student's IDE into a real-time secure programming instructional resource. This approach capitalizes on the out of class, in the IDE time by providing layered educational opportunities whenever the student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding principles and practices concurrently with the lessons they are learning in their respective courses.
Description
Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns (e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an interactive system that provides a layered educational opportunity. Because students are contextually “in the moment” when the support becomes available, they are more receptive to making the connection between classroom principles and coding practices. A secondary effect is the exponential increase in instructional exposure which has been proven to be successful in other instructional areas. The overall goal of ESIDE is to serve as an effective means to educate students at every level on the principles and practices of secure coding throughout their educational experience. To this end, we have developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates a layered educational intervention based on the targeted code. The first layer is a warning icon that is placed in the left margin of the code editor. Hovering the icon reveals a short message that encourages further interaction. When the student clicks the icon, ESIDE generates a content specific list of educational options. Each of these options are accompanied with a short explanation of the issue at hand. For each generated list, there also exists the option to access an explanation page that provides a more comprehensive explanation of what was discovered, why it is important, and how to integrate the provided principles into coding practices.
A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8
What ESIDE provides?
• Real-time IDE support for secure code education (Java).
• Identification of targeted Java code patterns.
• Interactive instructional opportunities for students in the IDE.
Publications
1. Michael Whitney, Heather Richter Lipford, Bill Chu, and Jun Zhu. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280
2. Jun Zhu, Heather Richter Lipford, and Bill Chu, Interactive Support for Secure Programming Education, In Proceedings of ACM Technical Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA
Runnable ESIDE Prototype and Installation Guidelines
The recent publicly available ESIDE plugin can be downloaded from here. You also need to download the complementary logging facility to make ESIDE work properly. ESIDE is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.
Open Source Code
The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.
Priorities and get involved
As of March 17, 2015 the priorities are:
1. Move xml into a database.
2. Create a public repository of customized ESIDE support for specific courses.
Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!
Take a Look
ASIDE is still under development. But in order to give you a sense of what it should be doing, we have this old version of ASIDE DEMO. You will need Adobe Flash to display it. A newer version will soon be uploaded.
Download
The first publicly available ASIDE can be downloaded now. You also need to download the complementary logging facility to make ASIDE work properly. ASIDE is built upon Eclipse IDE for Java EE Developers Version 3.5+.
To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.
Source Code
The source code is located at https://github.com/Jing-Xie/owasp-aside
Research Activities
1. Jing Xie, Heather Richter Lipford, and Bill Chu, Evaluating Interactive Support for Secure Programming, To appear at ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA
2. Jing Xie, Bill Chu, Heather Richter Lipford, and John T. Melton, ASIDE:IDE Support for Web Application Security, In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA
3. Jing Xie, Heather Richter Lipford, and Bill Chu, Why do programmers make security errors?, In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA
4. Jing Xie, Bill Chu, and Heather Richter Lipford Interactive Support for Secure Software Development, In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain