Winthrop Professor Andrew Besmer and Students Examine State of Web Security Through Research Grant

July 01, 2020


ROCK HILL, SOUTH CAROLINA – A Winthrop University faculty member and three students spent the 2019-20 academic year examining the state of web security over time.

The group, led by Andrew Besmer from the Department of Computer Science and Quantitative Methods, secured a research grant from Amazon with two University of North Alabama (UNA) faculty members, Jason Watson and M. Shane Banks, to conduct a longitudinal study of the security on the web. Two of the three Winthrop seniors involved used their research for their honors thesis.

Their grant reasoned that the safety of private information is directly affected by the security protocols utilized on websites. By examining the usage of the related security headers over time, it is possible to see how quickly and widely those protocols are adopted by websites. Additionally, the team looked at how long it takes, once those protocols are no longer useful and become deprecated, before a rollback starts to occur.

The Winthrop students met weekly in the Linux lab in Thurmond Hall and virtually with their UNA counterparts to come up with ideas and write code to carry out their research.

“In examining the prevalence of protocols across the web, we got an idea of how ‘secure’ the web is. Looking at how these protocols trend over time, as our project did, reveals even more,” said Nolan Worthy ’20, a computer science major from Simpsonville, South Carolina. “Our project's goal was to reveal these trends to determine how secure the web is, and therefore how secure users' private information is, as well as where improvements in security can be made.”

Worthy and fellow computer science majors Joshua Paytosh ’20 and Connor Leyers ’20 worked on the project from August 2019 through the end of the spring 2020 semester. Leyers served as the primary implementer of Amazon Web Services (AWS) resources. The three worked together to configure and maintain the cloud computers they used to help “crunch the numbers” every time they tested a new segment of code.  

Worthy’s thesis examined trends in the use of HTTP response headers that relate to security, including how long it takes for security headers to become widely adopted after release and how quickly they are phased out after deprecation. Their data came from Common Crawl’s monthly web crawls, which collect data from what they considered to be the entire internet.

For each website in the dataset, they checked for the presence of 21 different HTTP response headers that pertain to security, covering January 2015 to February 2020. Each header’s adoption rate is the percentage of hosts in which that header is present. Tracking the monthly adoption rates over time shows adoption or abandonment as a header’s rate increases or decreases.

Meanwhile, Paytosh’s thesis examined the security of websites for Fortune 500 companies.

Everyone, he said, in some capacity or another, is aware of their "digital footprint" on the web. “When people are given the option or know-how, they do what it takes to secure their information against being compromised,” Paytosh said. “By understanding how global entities (Fortune 500 companies, government organizations, domestic/non-domestic commercial organizations, etc.) enact their security on the web, you can get a sense for how well they prioritize things like security inside their organization.”

He found the project experience very valuable. “It taught me a great deal about how to work as a team. It also was helpful in learning about the usage of Python for analyzing data with Spark,” he said. “These sorts of things can be valuable for a resume and my personal skill set in general. I also thought it was interesting how across the entire internet, adoption of security headers seemed to be low in general.”

Leyers said computer users need to be mindful of web security as it can truly devastate a large population very quickly. “Many people aren't fully aware of how much personal information is stored on their computers and being aware of the potential risks is the first step in the right direction to securing yourself digitally,” said the Greenville, South Carolina resident.

He has taken a job with The Boeing Company working with the Cyber, Space, and Security division on GPS operations as a software engineer. 

Besmer said the students weren't the only ones to learn from the experience. "My collaborators and I learned a lot and the other students who heard about the project also became curious, asked their own questions, and generally became more aware of HTTP security headers in general," he said.  

Besmer held a follow-up session after the spring semester ended that was attended by a number of students. "Students are interested in these skills and want to know how they can work with petabyte scale data," he said. "We talk about big data but this was a way to make it real and practical. There is a big difference between talking about being aware of bottlenecks in your code and actually seeing one happen live on the cluster."

For more information, contact Besmer at besmera@winthrop.edu.
