The world-wide web has become one of computing's great success stories, changing the way that people around the world communicate, compute, and conduct their business. Unfortunately, security problems on the web are prevalent, and these problems increase costs for website operators and for Internet users. This project aims to develop new methods for securing the web, providing website developers and operators with new and improved tools to protect their sites and their users.

The research involves several technical directions. First, to help protect existing websites, this project will investigate ways of hardening legacy web application code to defend it against the most common attacks. Second, to provide a solid foundation for web systems of the future, this project will study how to provide robust protection for newly developed code. The project will also study web development frameworks that are safe by construction. Third, this project will develop tools and techniques to incrementally migrate existing web applications to next-generation safe-by-construction web frameworks. Fourth, this project will devise and carry out user studies to measure rigorously the effect of different programming languages, frameworks, and programming practices upon the security of web applications. The broader impacts resulting from the proposed activity are potentially significant; if it is successful, this research could have a significant positive impact on the security of web services and, in the longer term, on software security in general.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 1018924
Program Officer: Sol Greenspan
Project Start:
Project End:
Budget Start: 2010-08-01
Budget End: 2015-07-31
Support Year:
Fiscal Year: 2010
Total Cost: $480,000
Indirect Cost:
Name: University of California Berkeley
Department:
Type:
DUNS #:
City: Berkeley
State: CA
Country: United States
Zip Code: 94710