Evaluating Security in Web Application Frameworks

Abstract

The emerging trend of providing business, government and academic services through the World Wide Web, and subsequent value availability, has caused an acceleration in the number and sophistication of web application threats. Since the consequences of security breaches in web applications can be severe, there is an increasing demand for proper security mechanisms. At the same time the decreased time-frame of web application development projects has led to numerous Web Application Frameworks, which are extensible skeletons allowing developers to focus on business logic instead of application setup. Since such frameworks encapsulate and often hide implementation details, developers should not use them without reserve, especially when it comes to security features. To aid developers investigate such security features we have in this project created a method for evaluating security in Web Application Frameworks. Our focus has been to create a straight-forward method which developers can perform themselves that encourages information sharing through graphical representation. To demonstrate the method we have evaluated Ruby on Rails, a popular Web Application Framework.