Web Quality, Security, and Testing 2012 (WebQUeST)       


Web Quality, Security, and Testing 2012 (WebQUeST) - overview

Web Quality, Security, and Testing 2012 (WebQUeST)

Workshop at FSE 2012

Monday, November 12

Research Triangle Park, North Carolina

WebQUeST will focus on software quality, testing and security for Web applications. Web quality receives much attention in the research community, with a wide range of different techniques being being brought to bear. This workshop will bring together academics and practitioners to discuss common challenges and potential synergies. This year, WebQUeST will focus on the server side of Web applications; even as more application logic is deployed to rich clients, many critical security and quality problems are manifest only in interaction with the server side. Many injection attacks, for instance, target data on the server side.

In addition, there are quality issues that arise from the relatively long-running nature of a server as opposed to a client and from how a typical server program interacts with system resources such as files, network connections and databases. While these are mostly not security issues directly, they sometimes can be exploited in denial-of-service attacks. A few key issues of interest are below, but they are not meant to be exclusive:

Memory management.
Servers in general need to provide memory for individual requests, which can lead to memory bloat or even memory leaks and ultimately cause the server to run out of memory.

Resource management.
Servers also need often to interact with external resources such as databases; these often require explicit management of e.g. database connections, which can be leaked and ultimately cause failures due to resource exhaustion.

Session state.
The stateless nature of HTTP complicates sustaining user ``transactions'' with the server. Solutions have ranged from cookies and time-limited transactions to continuation-passing.

We are interested in presentations about the gamut of quality and security issues on the server side---especially issues that arise in long-running servers but also in issues the pertain even to a single request, e.g. injection vulnerabilities.

We do not expect that the invited talks to be be fully comprehensive over such a broad topic. Hence, if you do research in this area, you are encouraged to submit a talk abstract describing your own work in this area. We will thus create a genuinely comprehensive program describing the range of approaches to software quality for Web applications.

In particular, the approaches that we are considering are the following, but this list is not meant to be exclusive. If participants propose to present novel approaches not on this list, that will be welcome.

static analysis
means using traditional program analysis techniques to look for potential quality issues in code as it is being developed. Examples include type inference to look for potential misapplication of functions in scripting languages like JavaScript, and dataflow-based taint analysis that looks for potential dangers like injection attacks.

comprises a variety of dynamic techniques that run Web applications, looking for quality problems. Within this scope, we are interested in techniques that enhance the effectiveness of testing by, e.g., generating test suites with improved coverage. Techniques that can dynamically detect issues like tainted data flows are of great interest as well.

statistical techniques
rely on comparing pieces of code to known examples of bad and good code, possibly based on features chosen to help distinguish such code. Such techniques can, conceptually, be either static or dynamic, working at the level of source code or runtime operations. We are especially interested in the application of machine learning in this domain.

to improve software quality is beginning to be applied to scripting languages heavily used in Web applications. Given the dynamic and often idiosyncratic nature of such languages, a key question is what kinds of refactorings are desirable and how much scope there is to implement fully automatic systems.

In addition to representing many different approaches, we shall also represent several kinds of participants:

academic researchers
have built many of the techniques currently employed for Web quality, and they continue to do foundational work across all the approaches. Such participants will share novel core ideas, and will gain empirical insights that other participants have.

industry practitioners
develop software and service offerings pertaining to Web quality; there have been an increasing wealth of such offerings recently, especially in the space of security. Such participants will share insights and challenges of how to get techniques used in real tools, and will learn novel ideas from researchers.

browser developers
write the code by which most people use Web applications. They have a unique perspective based on the kinds of techniques that can be employed to catch quality problems when the user sees them. They can help practitioners and researchers understand what kinds of tools and techniques can be most helpful.

Workshop Format

Given the goal of having an exchange amongst the diverse approaches and perspectives of people working in this space, we shall focus the workshop around a series of invited talks, submitted talks and discussions.

Invited Speakers
will give structure to this workshop by covering the range of approaches in this research area.

Submitted Talks
will round out the program by encouraging participants to introduce approaches or perspectives that the invited program has overlooked. You are encouraged to submit talk abstracts describing their own work in this space. The submitted talks will be given time as the schedule allows, but hopefully at least 10-15 minutes.

will be where the diverse participants of this workshop will be able to exchange ideas. We will leave them relatively unstructured; we shall have a range of topics for discussion prepared in advance, based on issues raised by the different talks.

Submitted Presentation Procedure

We will not an official proceedings, but you are encouraged to submit an outline for a brief talk. There will not be a separate program committee to review attendee talks; the organizers will lightly referee submitted talk abstracts for relevance, but we are looking for ongoing work more than finished research projects. To submit, please send your abstract as an e-mail to the organizers, specifically to dolby@us.ibm.com, by Friday, September 7.

Anyone giving a talk may also choose to submit a 1-2 page position paper to add material to the talk, and we will make such papers available along with the slides of all talks. However, this is not to be a formal proceedings, since we want to encourage discussion of ongoing research ideas without precluding future publications in workshops and conferences.

This article has been translated to Serbo-Croatian language by Anja Skrba from Webhostinggeeks.com