research-article

Mitigation of SQL Injection Attacks using Threat Modeling

Authors:

Parminder KaurAuthors Info & Claims

ACM SIGSOFT Software Engineering Notes, Volume 39, Issue 6

Pages 1 - 6

https://doi.org/10.1145/2674632.2674638

Published: 09 December 2014 Publication History

Abstract

Day after day, SQL Injection (SQLI) attack is consistently proliferating across the globe. According to Open Web Application Security Project (OWASP) Top Ten Cheat Sheet-2014, SQLI is at top in the list of online attacks. The cause of spread of SQLI is thought to be Unsecure Software Engineering. The Software Development process itself appears to look at security as an add-on to be checked and deployed towards the end of the software development lifecycle which leads to vulnerabilities in web applications. This paper is an attempt to integrate security in early stages of SDLC i.e. in design phase to mitigate SQLI vulnerability. How SQLI attack happens is illustrated. Threat Modeling is performed to mitigate the SQLI vulnerability.

References

[1]

3 approaches to threat modelling. Available at: http://myappsecurity.com/approaches-to-threat-modeling/, Last Visited: 5 September 2014.

[2]

Common Weakness Enumeration, Available at: http://cwe.mitre.org/top25/, last visited: 3 December 2013.

[3]

Howard, M. and LeBlanc, M. 2003. Writing Secure Code. 2nd ed. Redmond: Microsoft Corporation.

Digital Library

[4]

Kotonya, G. and Sommerville, I. 1998. Requirements Engineering: Processes and Techniques. John Wiley and Sons.

Digital Library

[5]

McGraw G., Potter B.2004. "Software security testing", IEEE Security and Privacy. 2(5):81--85.

Digital Library

[6]

Mead, N.R. and Mcgraw,G.2005. "A Portal for Software Security", IEEE Security & Privacy, vol. 3, pp. 75--79.

Digital Library

[7]

Microsoft Threat Modeling Tool-2014. Available at: http://blogs.msdn.com/b/sdl/archive/2014/04/15/introducing-microsoft-threat-modeling-tool-2014.aspx, last visited: 5 September 2014.

[8]

OWASP, Available at: https://www.owasp.org/index.php/Main_Page, last visited: 5 September 2014.

[9]

Security development Lifecycle, Available at: http://www.microsoft.com/security/sdl/default.aspx, Last Visited : 3 July 2014.

[10]

Security checklist web application design, Available at : http://www.sans.org/reading-room/whitepapers/secure code/security-checklist-webapplication-design-1389, last visited: 12 June 2014.

[11]

Sea Monster Tool, Available at: http://www.shields-project.eu/?q=node/30, last visited: 16 January 2014.

[12]

SHIELDS, Available at: http://www.shields-project.eu/?q=node/14,Last visited: 3 December 2013.

[13]

Sindre, G. and Opdahl, A. L. 2005.Eliciting security requirements with misuse cases. Requirements Eng. 10(1):34--44.

Digital Library

[14]

SQL Injection testing tools, Available at: http://efytimes.com/e1/fullnews.asp?edid=132535, last visited:5 September 2014.

[15]

Threats and Countermeasures. In: Improving Web Application Security: Threats and Countermeasures. Microsoft Corporation (Eds.), Chapter 2, Microsoft Press, USA, ISBN-13:978-0735618428, pp: 13--44.

[16]

Threat Modeling. In: Improving Web Application Security: Threats and Countermeasures. Microsoft Corporation (Eds.), Chapter 3, Microsoft Press, USA, ISBN-13:978-0735618428, pp: 45--66.

[17]

Threat Modeling- Past, Present, Future. Available at: http://myappsecurity.com/threat-modeling-past-present-future/, Last Visited : 5 September 2014.

[18]

TRIKE, Available at: http://octotrike.org/, Last Visited : 5 September 2014.

[19]

Verdon, D. and McGraw, G. 2004. "Risk analysis in software design", IEEE Security and Privacy.

Digital Library

[20]

William, J. and Wichers, D. 2013. OWASP Top 10-2013: The Ten Most Critical Web Application Security risks. Available at http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Cited By

Chimuco FSequeiros JSimōes TFreire MInácio P(2024)Expediting the design and development of secure cloud-based mobile appsInternational Journal of Information Security10.1007/s10207-024-00880-623:4(3043-3064)Online publication date: 1-Aug-2024
https://dl.acm.org/doi/10.1007/s10207-024-00880-6
Rahim FJamil NCob ZSidek LSharizan@Sharizal N(2022)Risk Analysis of Water Grid Systems Using Threat ModelingJournal of Physics: Conference Series10.1088/1742-6596/2261/1/0120152261:1(012015)Online publication date: 1-Jun-2022
https://doi.org/10.1088/1742-6596/2261/1/012015
Viswanathan GJ P(2021)A hybrid threat model for system-centric and attack-centric for effective security design in SDLCWeb Intelligence10.3233/WEB-210452(1-11)Online publication date: 7-Oct-2021
https://doi.org/10.3233/WEB-210452
Show More Cited By

Mitigation of SQL Injection Attacks using Threat Modeling
1. Social and professional topics
  1. Computing / technology policy

Recommendations

Threat-Driven Modeling and Verification of Secure Software Using Aspect-Oriented Petri Nets

Design-level vulnerabilities are a major source of security risks in software. To improve trustworthiness of software design, this paper presents a formal threat-driven approach, which explores explicit behaviors of security threats as the mediator ...
Shielding against SQL Injection Attacks Using ADMIRE Model
CICSYN '09: Proceedings of the 2009 First International Conference on Computational Intelligence, Communication Systems and Networks

In recent years, web applications have become tremendously popular. However, vulnerabilities are pervasive resulting in exposure of organizations and firms to a wide array of risks. In spite of many tools and techniques, attacks on web application ...
A threat-driven approach to modeling and verifying secure software
ASE '05: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering

This paper presents a formal approach to threat-driven modeling and verification of secure software using aspect-oriented Petri nets. Based on the behavior model of intended functions, we identify and build formal models of security threats, which are ...

Comments

Information & Contributors

Information

Published In

cover image ACM SIGSOFT Software Engineering Notes

ACM SIGSOFT Software Engineering Notes Volume 39, Issue 6

November 2014

56 pages

ISSN:0163-5948

DOI:10.1145/2674632

Editor:
Michael Wing

Issue’s Table of Contents

Copyright © 2014 Authors.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 December 2014

Published in SIGSOFT Volume 39, Issue 6

Check for updates

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
987
Total Downloads

Downloads (Last 12 months)66
Downloads (Last 6 weeks)6

Reflects downloads up to 28 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Chimuco FSequeiros JSimōes TFreire MInácio P(2024)Expediting the design and development of secure cloud-based mobile appsInternational Journal of Information Security10.1007/s10207-024-00880-623:4(3043-3064)Online publication date: 1-Aug-2024
https://dl.acm.org/doi/10.1007/s10207-024-00880-6
Rahim FJamil NCob ZSidek LSharizan@Sharizal N(2022)Risk Analysis of Water Grid Systems Using Threat ModelingJournal of Physics: Conference Series10.1088/1742-6596/2261/1/0120152261:1(012015)Online publication date: 1-Jun-2022
https://doi.org/10.1088/1742-6596/2261/1/012015
Viswanathan GJ P(2021)A hybrid threat model for system-centric and attack-centric for effective security design in SDLCWeb Intelligence10.3233/WEB-210452(1-11)Online publication date: 7-Oct-2021
https://doi.org/10.3233/WEB-210452
Haq IKhan T(2021)Penetration Frameworks and Development Issues in Secure Mobile Application Development: A Systematic Literature ReviewIEEE Access10.1109/ACCESS.2021.30882299(87806-87825)Online publication date: 2021
https://doi.org/10.1109/ACCESS.2021.3088229
Rajeh WAbed A(2017)A novel three-tier SQLi detection and mitigation scheme for cloud environments2017 International Conference on Electrical Engineering and Computer Science (ICECOS)10.1109/ICECOS.2017.8167160(33-37)Online publication date: Aug-2017
https://doi.org/10.1109/ICECOS.2017.8167160
Ostkamp MKray CBauer GZiegler JNebeling MNigay L(2015)Towards a privacy threat model for public displaysProceedings of the 7th ACM SIGCHI Symposium on Engineering Interactive Computing Systems10.1145/2774225.2775072(286-291)Online publication date: 23-Jun-2015
https://dl.acm.org/doi/10.1145/2774225.2775072
Omotunde HIbrahim R(2015)Mitigating SQL Injection Attacks via Hybrid Threat ModellingProceedings of the 2015 2nd International Conference on Information Science and Security (ICISS)10.1109/ICISSEC.2015.7371019(1-4)Online publication date: 14-Dec-2015
https://dl.acm.org/doi/10.1109/ICISSEC.2015.7371019

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents