GuardRails: A Data-Centric Web Application Security Framework
Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and
USENIX Conference on Web Application Development (WebApps
Portland, Oregon, 15-16 June 2011
Modern web application frameworks have made it easy to create powerful
web applications. Developing a secure web application, however, still
requires a developer to posses a deep understanding of security
vulnerabilities and attacks. Even for experienced developers it is
tedious, if not impossible, to find and eliminate all vulnerabilities.
This paper presents GuardRails, a source-to-source tool for Ruby on
Rails that helps developers build secure web applications. GuardRails
works by attaching security policies defined using annotations to the
data model itself. GuardRails produces a version of the input
application that automatically enforces the specified policies.
GuardRails helps developers prevent a myriad of security problems
including cross-site scripting attacks and access control violations
while providing a large degree of flexibility to support a range of
policies and development styles.
Full paper (12 pages): [PDF
Talk slides: [PPTX]