
Programming-based vulnerability identification: best programming practices for more secure computer systems

Section: Articles

How to Cite: A. L. Puerta Corredor, M. A. Barrera Lasso, and E. Garnica Estrada, "Programming-based vulnerability identification: best programming practices for more secure computer systems", Rev. Ing. Mat. Cienc. Inf., vol. 12, no. 23, pp. 121–137, Jan. 2025, doi: 10.21017/rimci.1132.


This work is licensed under a Creative Commons Attribution 4.0 International License.

Authors: Angie Lorena Puerta Corredor, Michael Alexander Barrera Lasso, Evelyn Garnica Estrada


Angie Lorena Puerta Corredor: tenth-semester Systems Engineering student at the Corporación Universitaria Republicana. ORCID: https://orcid.org/0009-0001-8838-0401. E-mail: al.puerta@urepublicana.edu.co

Michael Alexander Barrera Lasso: tenth-semester Systems Engineering student at the Corporación Universitaria Republicana.

Evelyn Garnica Estrada: PhD in Education, Master's in Project Management, Electronic Design and Automation Engineer. Research professor at the Corporación Universitaria Republicana.


Abstract: This article analyzes a range of programming-based vulnerabilities, presenting the research conducted together with concrete examples that illustrate each one. It also provides practical recommendations for preventing and mitigating attacks by adversaries who exploit such flaws. The aim of the work is to raise awareness among companies of the critical importance of implementing robust cybersecurity measures.



