Secure coding practices for web applications

Abstract

Web applications comprise a large proportion of the contemporary Internet with many of them dealing with sensitive information and handling critical operations whose compromise could result in large monetary and privacy costs. Naturally, the security of web applications has become an increasingly important issue as web technologies are utilized more and more. The overall security of web applications has improved over the past years. However, the current state of application security leaves much to be desired. The relevant surveys suggest that most vulnerabilities originate in the source code of the application. To that end, the incorporation of security controls throughout the software development lifecycle (SDLC) has emerged as the most prominent solution for detecting security defects early and fixing them with minimal cost and overhead. There are several guidelines proposed by the literature for integrating security in each phase of the SDLC. In this work, we focus mainly on two guidelines pertaining to the Development phase of the SDLC. Specifically, we focus on the secure coding best practices available for Java, PHP, and .NET and on automated and manual code review for security issues. The automated code review is performed using the SonarQube and Reshift static analysis tools to analyze the applications Apache Unomi and dotCMS. The results are manually reviewed for distinction in true and false positives providing insights into the state of secure coding awareness in the industry and the state of the art in static analysis.