Abstract
The primary aim of web application development frameworks like Django is to let developers take applications from concept to launch as quickly as possible. While the Django framework provides hooks that help the developer avoid common security mistakes, there is no systematic way to assure compliance with a security policy while an application is being assembled from various components. In this paper, we show the security flaws that arise when different versions of an application package are considered, and then show how these mistakes, which arise from incorrect flow of information, can be overcome using the Readers-Writers Flow Model, which has the ability to manage the release and subsequent propagation of information.
Notes
1. DBpatterns is a service that allows you to create, share, and explore database models on the web. It uses Django, Tastypie, Backbone and MongoDB.
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Susheel, S., Narendra Kumar, N.V., Shyamasundar, R.K. (2015). Enforcing Secure Data Sharing in Web Application Development Frameworks Like Django Through Information Flow Control. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2015. Lecture Notes in Computer Science, vol 9478. Springer, Cham. https://doi.org/10.1007/978-3-319-26961-0_34
DOI: https://doi.org/10.1007/978-3-319-26961-0_34
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26960-3
Online ISBN: 978-3-319-26961-0