In today’s rapidly evolving digital landscape,web application security has become paramount as organizations face increasingly sophisticated cyber threats.This work presents a comprehensive methodology for implementi...In today’s rapidly evolving digital landscape,web application security has become paramount as organizations face increasingly sophisticated cyber threats.This work presents a comprehensive methodology for implementing robust security measures in modern web applications and the proof of the Methodology applied to Vue.js,Spring Boot,and MySQL architecture.The proposed approach addresses critical security challenges through a multi-layered framework that encompasses essential security dimensions including multi-factor authentication,fine-grained authorization controls,sophisticated session management,data confidentiality and integrity protection,secure logging mechanisms,comprehensive error handling,high availability strategies,advanced input validation,and security headers implementation.Significant contributions are made to the field of web application security.First,a detailed catalogue of security requirements specifically tailored to protect web applications against contemporary threats,backed by rigorous analysis and industry best practices.Second,the methodology is validated through a carefully designed proof-of-concept implementation in a controlled environment,demonstrating the practical effectiveness of the security measures.The validation process employs cutting-edge static and dynamic analysis tools for comprehensive dependency validation and vulnerability detection,ensuring robust security coverage.The validation results confirm the prevention and avoidance of security vulnerabilities of the methodology.A key innovation of this work is the seamless integration of DevSecOps practices throughout the secure Software Development Life Cycle(SSDLC),creating a security-first mindset from initial design to deployment.By combining proactive secure coding practices with defensive security approaches,a framework is established that not only strengthens application security but also fosters a culture of security awareness within development teams.This hybrid approach ensures that security considerations are woven into every aspect of the development process,rather than being treated as an afterthought.展开更多
To detect security vulnerabilities in a web application,the security analyst must choose the best performance Security Analysis Static Tool(SAST)in terms of discovering the greatest number of security vulnerabilities ...To detect security vulnerabilities in a web application,the security analyst must choose the best performance Security Analysis Static Tool(SAST)in terms of discovering the greatest number of security vulnerabilities as possible.To compare static analysis tools for web applications,an adapted benchmark to the vulnerability categories included in the known standard Open Web Application Security Project(OWASP)Top Ten project is required.The information of the security effectiveness of a commercial static analysis tool is not usually a publicly accessible research and the state of the art on static security tool analyzers shows that the different design and implementation of those tools has different effectiveness rates in terms of security performance.Given the significant cost of commercial tools,this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for vulnerability categories included in the known standard OWASP Top Ten project.Thus,the practitioners will have more precise information to select the best tool using a benchmark adapted to the last versions of OWASP Top Ten project.The results of this work have been obtaining using widely acceptable metrics to classify them according to three different degree of web application criticality.展开更多
Security weaknesses in web applications deployed in cloud architectures can seriously affect its data confidentiality and integrity.The construction of the procedure utilized in the static analysis tools of source cod...Security weaknesses in web applications deployed in cloud architectures can seriously affect its data confidentiality and integrity.The construction of the procedure utilized in the static analysis tools of source code security differs and therefore each tool finds a different number of each weakness type for which it is designed.To utilize the possible synergies different static analysis tools may process,this work uses a new method to combine several source codes aiming to investigate how to increase the performance of security weakness detection while reducing the number of false positives.Specifically,five static analysis tools will be combined with the designed method to study their behavior using an updated benchmark for OWASP Top Ten Security Weaknesses(OWASP TTSW).The method selects specific metrics to rank the tools for different criticality levels of web applications considering different weights in the ratios.The findings show that simply including more tools in a combination is not synonymous with better results;it depends on the specific tools included in the combination due to their different designs and techniques.展开更多
Software engineering's lifecycle models havc proven to be very important for traditional software development. However, can these models be applied to the development of Web-based applications as well? In recent yea...Software engineering's lifecycle models havc proven to be very important for traditional software development. However, can these models be applied to the development of Web-based applications as well? In recent years, Web-based applications have become more and more complicated and a lot of efforts have been placed on introducing new technologies such as J2EE, PhP, and .NET, etc., which have been universally accepted as the development technologies for Web-based applications. However, there is no universally accepted process model for the development of Web-based applications. Moreover, shaping the process model for small medium-sized enterprises (SMEs), which have limited resources, has been relatively neglected. Based on our previous work, this paper presents an expanded lifecycle process model for the development of Web-based applications in SMEs. It consists of three sets of processes, i.e., requirement processes, development processes, and evolution processes. Particularly, the post-delivery evolution processes are important to SMEs to develop and maintain quality web applications with limited resources and time.展开更多
The emerging Model-Driven Engineering (MDE) paradigm advocates the use of models as first-class citizens in the software development process, while artifacts such as documentation and source-code can be quickly produc...The emerging Model-Driven Engineering (MDE) paradigm advocates the use of models as first-class citizens in the software development process, while artifacts such as documentation and source-code can be quickly produced from those models by using automated transformations. Even though many MDE-oriented approaches, languages and tools have been developed in the recent past, there is no standard that concretely defines a specific sequence of steps to obtain a functional software system from a model. Thus, the existing approaches present numerous differences among themselves, because each one handles the problems inherent to software development in its own way. This paper presents and discusses a reference model for the comparative study of current MDE approaches in the scope of web-application development. This reference model focuses on relevant aspects such as modeling language scope (domain, business-logic, user-interface), usage of patterns, separation of concerns, model transformations, tool support, and deployment details like web-platform independence and traditional programming required. The ultimate goal of this paper is to determine the aspects that will be of greater importance in future web-oriented MDE languages.展开更多
This paper presents a reference methodology for process orchestration that accelerates the development of Large Language Model (LLM) applications by integrating knowledge bases, API access, and deep web retrieval. By ...This paper presents a reference methodology for process orchestration that accelerates the development of Large Language Model (LLM) applications by integrating knowledge bases, API access, and deep web retrieval. By incorporating structured knowledge, the methodology enhances LLMs’ reasoning abilities, enabling more accurate and efficient handling of complex tasks. Integration with open APIs allows LLMs to access external services and real-time data, expanding their functionality and application range. Through real-world case studies, we demonstrate that this approach significantly improves the efficiency and adaptability of LLM-based applications, especially for time-sensitive tasks. Our methodology provides practical guidelines for developers to rapidly create robust and adaptable LLM applications capable of navigating dynamic information environments and performing effectively across diverse tasks.展开更多
文摘In today’s rapidly evolving digital landscape,web application security has become paramount as organizations face increasingly sophisticated cyber threats.This work presents a comprehensive methodology for implementing robust security measures in modern web applications and the proof of the Methodology applied to Vue.js,Spring Boot,and MySQL architecture.The proposed approach addresses critical security challenges through a multi-layered framework that encompasses essential security dimensions including multi-factor authentication,fine-grained authorization controls,sophisticated session management,data confidentiality and integrity protection,secure logging mechanisms,comprehensive error handling,high availability strategies,advanced input validation,and security headers implementation.Significant contributions are made to the field of web application security.First,a detailed catalogue of security requirements specifically tailored to protect web applications against contemporary threats,backed by rigorous analysis and industry best practices.Second,the methodology is validated through a carefully designed proof-of-concept implementation in a controlled environment,demonstrating the practical effectiveness of the security measures.The validation process employs cutting-edge static and dynamic analysis tools for comprehensive dependency validation and vulnerability detection,ensuring robust security coverage.The validation results confirm the prevention and avoidance of security vulnerabilities of the methodology.A key innovation of this work is the seamless integration of DevSecOps practices throughout the secure Software Development Life Cycle(SSDLC),creating a security-first mindset from initial design to deployment.By combining proactive secure coding practices with defensive security approaches,a framework is established that not only strengthens application security but also fosters a culture of security awareness within development teams.This hybrid approach ensures that security considerations are woven into every aspect of the development process,rather than being treated as an afterthought.
文摘To detect security vulnerabilities in a web application,the security analyst must choose the best performance Security Analysis Static Tool(SAST)in terms of discovering the greatest number of security vulnerabilities as possible.To compare static analysis tools for web applications,an adapted benchmark to the vulnerability categories included in the known standard Open Web Application Security Project(OWASP)Top Ten project is required.The information of the security effectiveness of a commercial static analysis tool is not usually a publicly accessible research and the state of the art on static security tool analyzers shows that the different design and implementation of those tools has different effectiveness rates in terms of security performance.Given the significant cost of commercial tools,this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for vulnerability categories included in the known standard OWASP Top Ten project.Thus,the practitioners will have more precise information to select the best tool using a benchmark adapted to the last versions of OWASP Top Ten project.The results of this work have been obtaining using widely acceptable metrics to classify them according to three different degree of web application criticality.
文摘Security weaknesses in web applications deployed in cloud architectures can seriously affect its data confidentiality and integrity.The construction of the procedure utilized in the static analysis tools of source code security differs and therefore each tool finds a different number of each weakness type for which it is designed.To utilize the possible synergies different static analysis tools may process,this work uses a new method to combine several source codes aiming to investigate how to increase the performance of security weakness detection while reducing the number of false positives.Specifically,five static analysis tools will be combined with the designed method to study their behavior using an updated benchmark for OWASP Top Ten Security Weaknesses(OWASP TTSW).The method selects specific metrics to rank the tools for different criticality levels of web applications considering different weights in the ratios.The findings show that simply including more tools in a combination is not synonymous with better results;it depends on the specific tools included in the combination due to their different designs and techniques.
文摘Software engineering's lifecycle models havc proven to be very important for traditional software development. However, can these models be applied to the development of Web-based applications as well? In recent years, Web-based applications have become more and more complicated and a lot of efforts have been placed on introducing new technologies such as J2EE, PhP, and .NET, etc., which have been universally accepted as the development technologies for Web-based applications. However, there is no universally accepted process model for the development of Web-based applications. Moreover, shaping the process model for small medium-sized enterprises (SMEs), which have limited resources, has been relatively neglected. Based on our previous work, this paper presents an expanded lifecycle process model for the development of Web-based applications in SMEs. It consists of three sets of processes, i.e., requirement processes, development processes, and evolution processes. Particularly, the post-delivery evolution processes are important to SMEs to develop and maintain quality web applications with limited resources and time.
文摘The emerging Model-Driven Engineering (MDE) paradigm advocates the use of models as first-class citizens in the software development process, while artifacts such as documentation and source-code can be quickly produced from those models by using automated transformations. Even though many MDE-oriented approaches, languages and tools have been developed in the recent past, there is no standard that concretely defines a specific sequence of steps to obtain a functional software system from a model. Thus, the existing approaches present numerous differences among themselves, because each one handles the problems inherent to software development in its own way. This paper presents and discusses a reference model for the comparative study of current MDE approaches in the scope of web-application development. This reference model focuses on relevant aspects such as modeling language scope (domain, business-logic, user-interface), usage of patterns, separation of concerns, model transformations, tool support, and deployment details like web-platform independence and traditional programming required. The ultimate goal of this paper is to determine the aspects that will be of greater importance in future web-oriented MDE languages.
文摘This paper presents a reference methodology for process orchestration that accelerates the development of Large Language Model (LLM) applications by integrating knowledge bases, API access, and deep web retrieval. By incorporating structured knowledge, the methodology enhances LLMs’ reasoning abilities, enabling more accurate and efficient handling of complex tasks. Integration with open APIs allows LLMs to access external services and real-time data, expanding their functionality and application range. Through real-world case studies, we demonstrate that this approach significantly improves the efficiency and adaptability of LLM-based applications, especially for time-sensitive tasks. Our methodology provides practical guidelines for developers to rapidly create robust and adaptable LLM applications capable of navigating dynamic information environments and performing effectively across diverse tasks.
