An evaluation of how web frameworks support developers to build secure applications
Leppänen, Kim (2024)
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi-fe202401213593
https://urn.fi/URN:NBN:fi-fe202401213593
Tiivistelmä
An increasing number of applications are being built for the web. For this task, developers typically use a number of different frameworks to ease and speed up the development. Frameworks can make complex problems easy by providing tools, patterns and abstraction layers, but can frameworks help developers in one often forgotten area: the application’s security?
Vulnerabilities in web applications can originate from many different sources. A vulnerability might exist due to improper implementation, but also due to poor design. A feature that has been designed in an insecure manner, cannot necessarily be made secure even with a perfect implementation.
The purpose of this thesis is to evaluate how modern web frameworks can help developers build more secure applications. What aspects of security is something a framework can independently manage, what kind of tools can a framework provide the developer to guide them build secure software and what parts of the security is such that a framework cannot manage and is left solely as the responsibility of the developer.
An example application using Vaadin Flow and Spring Boot frameworks, both modern Java based tools, was written for this thesis. The example application was then security tested for vulnerabilities described in the OWASP Top Ten list. The purpose of the evaluation was to understand, which vulnerabilities were directly mitigated by the frameworks and which aspects of the application security is something the developers must understand and mitigate themselves.
This thesis found that only a few explicit technical vulnerabilities were mitigated by the frameworks, while some of the vulnerabilities were such that frameworks could guide the developers by providing tools, but could not ensure full mitigation of the vulnerabilities. To properly secure an application, collaboration is needed between software, network, system, and security engineers, and good DevSecOps practices need to be implemented.
Vulnerabilities in web applications can originate from many different sources. A vulnerability might exist due to improper implementation, but also due to poor design. A feature that has been designed in an insecure manner, cannot necessarily be made secure even with a perfect implementation.
The purpose of this thesis is to evaluate how modern web frameworks can help developers build more secure applications. What aspects of security is something a framework can independently manage, what kind of tools can a framework provide the developer to guide them build secure software and what parts of the security is such that a framework cannot manage and is left solely as the responsibility of the developer.
An example application using Vaadin Flow and Spring Boot frameworks, both modern Java based tools, was written for this thesis. The example application was then security tested for vulnerabilities described in the OWASP Top Ten list. The purpose of the evaluation was to understand, which vulnerabilities were directly mitigated by the frameworks and which aspects of the application security is something the developers must understand and mitigate themselves.
This thesis found that only a few explicit technical vulnerabilities were mitigated by the frameworks, while some of the vulnerabilities were such that frameworks could guide the developers by providing tools, but could not ensure full mitigation of the vulnerabilities. To properly secure an application, collaboration is needed between software, network, system, and security engineers, and good DevSecOps practices need to be implemented.