Tuesday 29 May 2012


REFERENCES

[1] “Web application security trends report – q3-q4, 2009,”
Cenzic Inc., 2009.
[2] “UK security breach investigations report: An analysis of data
compromise cases,” 7safe, 2010.
[3] “Fall 09 website security statistics report,” WhiteHat Security,
Tech. Rep., 2009.
[4] A List Apart, “Findings from the a list apart survey for
people who make websites, 2008,” 2008. [Online]. Available:
http://aneventapart.com/alasurvey2008/
[5] “2010 CWE/SANS top 25 most dangerous programming
errors,” The MITRE Corporation, Tech. Rep., Feb 25 2010.
[Online]. Available: http://cwe.mitre.org/top25/
[6] “OWASP top 10,” OWASP, Tech. Rep., 2007. [Online].
Available: http://www.owasp.org/index.php/Top_10_2007
[7] “XSS (cross site scripting) prevention cheat sheet,” OWASP,
Jan 16 2010, available from http://www.owasp.org/.
[8] C. Jackson and H. J. Wang, “Subspace: Secure cross-domain
communication for web mashups,” in Proc. of the 16th International
World Wide Web Conference (WWW2007), Banff,
Alberta, May 8-12 2007.
[9] “Wordpress.” [Online]. Available: http://wordpress.com
[10] “phpbb.” [Online]. Available: http://www.phpbb.com
[11] “Half-million sites mostly running phpbb forum software
hacked in latest attack,” CyberInsecure.com, May 12 2008.
[12] “The web hacking incidents database 2009: Bi-annual report,”
Breach Security, Aug 2009.
[13] “IBM Internet Security Systems X-Force® 2008 mid-year
trend statistics,” IBM Global Technology Services, Tech.
Rep., Jul 2008.
[14] “X-force® 2009 trend and risk report: Annual review of
2009,” IBM Security Solutions, Tech. Rep., 2009.
[15] F. Howard, “Wordpress injection attack and “affiliate pingpong”,”
SophosLabs blog, 2010.
[16] C. Herley, “So long, and no thanks for the externalities:
The rational rejection of security advice by users,” Proc. of
The 2009 New Security Paradigms Workshop (NSPW’09), pp.
133–144, Sep 8-11 2009.
[17] A. Adams and M. A. Sasse, “Users are not the enemy,”
Communications of the ACM, vol. 42, no. 12, pp. 41–46,
1999.
[18] G. Wurster and P. C. van Oorschot, “The developer is the
enemy,” New Security Paradigms Workshop (NSPW’08), Sep
2008.
[19] A. Barth, C. Jackson, and J. C. Mitchell, “Robust defenses
for cross-site request forgery,” in Proc. of ACM Computer and
Communications Security (CCS’08), 2008.
[20] B. Sterne, “Security/csp/spec,” Mozilla Corporation, Tech.
Rep., 2009. [Online]. Available:
https://wiki.mozilla.org/Security/CSP
[21] T. Oda, G. Wurster, P. van Oorschot, and A. Somayaji,
“SOMA: Mutual approval for included content in web pages,”
in Proc. of ACM Computer and Communications Security
(CCS’08), Oct 27-31 2008, pp. 89–98.
[22] P. Smith, “Top 10 firefox extensions to avoid,” Computerworld,
Apr 2007.
