“An Empirical Study on Combining Diverse Static Analysis Tools for Web Security Vulnerabilities based on Development Scenarios”

From Navigators

Line 4: Line 4:
|author=Paulo Nunes, Ibéria Medeiros, José Fonseca, Nuno Ferreira Neves, Miguel Correia, Marco Vieira,
|author=Paulo Nunes, Ibéria Medeiros, José Fonseca, Nuno Ferreira Neves, Miguel Correia, Marco Vieira,
|ResearchLine=Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
|ResearchLine=Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
-
|month=sep
+
|month=feb
-
|year=2018
+
|year=2019
|abstract=Automated Static Analysis Tools (ASATs) are one of the best ways to search for vulnerabilities in applications, so they are a resource widely used by developers to improve their applications. However, it is well-known that the performance of such tools is limited, and their detection capabilities may not meet the requirements of the project regarding the criticality of the application. Diversity is an obvious direction to take to improve the true positives, as different tools usually report distinct vulnerabilities, however with the cost of also increasing the false positives, which may be unacceptable in some scenarios. In this paper, we study the problem of combining diverse ASATs to improve the overall detection of vulnerabilities in web applications, considering four development scenarios with different criticality goals and constraints. These scenarios range from low budget to high-end (e.g., business critical) web applications.  We tested with five ASATs under two datasets, one with real WordPress plugins and another with synthetic test cases. Our findings revealed that combining the outputs of several ASATs does not always improve the vulnerability detection performance over a single ASAT. By using our procedure a developer is able to choose which is the best combination of ASATs that fits better in the project requirements.
|abstract=Automated Static Analysis Tools (ASATs) are one of the best ways to search for vulnerabilities in applications, so they are a resource widely used by developers to improve their applications. However, it is well-known that the performance of such tools is limited, and their detection capabilities may not meet the requirements of the project regarding the criticality of the application. Diversity is an obvious direction to take to improve the true positives, as different tools usually report distinct vulnerabilities, however with the cost of also increasing the false positives, which may be unacceptable in some scenarios. In this paper, we study the problem of combining diverse ASATs to improve the overall detection of vulnerabilities in web applications, considering four development scenarios with different criticality goals and constraints. These scenarios range from low budget to high-end (e.g., business critical) web applications.  We tested with five ASATs under two datasets, one with real WordPress plugins and another with synthetic test cases. Our findings revealed that combining the outputs of several ASATs does not always improve the vulnerability detection performance over a single ASAT. By using our procedure a developer is able to choose which is the best combination of ASATs that fits better in the project requirements.
-
|journal=Springer Computing
+
|journal=Computing
 +
|volume=101
 +
|number=2
 +
|pages=161–185
}}
}}
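Review bot: the |author= field on both sides of the hunk keeps a trailing comma after "Marco Vieira,", which leaves a dangling separator when the author list is rendered; drop that final comma. The rest of the hunk is consistent with itself: |journal=Computing together with the added |volume=101, |number=2 and |pages=161–185 gives a complete issue reference, and the |month=feb / |year=2019 change matches those issue details.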

Latest revision as of 09:00, 19 July 2019

Paulo Nunes, Ibéria Medeiros, José Fonseca, Nuno Ferreira Neves, Miguel Correia, Marco Vieira

Computing, vol. 101, no. 2, pp. 161–185, Feb. 2019.

Abstract: Automated Static Analysis Tools (ASATs) are one of the best ways to search for vulnerabilities in applications, so they are a resource widely used by developers to improve their applications. However, it is well known that the performance of such tools is limited, and their detection capabilities may not meet the requirements of the project regarding the criticality of the application. Diversity is an obvious direction to take to improve the true positives, as different tools usually report distinct vulnerabilities, but at the cost of also increasing the false positives, which may be unacceptable in some scenarios. In this paper, we study the problem of combining diverse ASATs to improve the overall detection of vulnerabilities in web applications, considering four development scenarios with different criticality goals and constraints. These scenarios range from low-budget to high-end (e.g., business-critical) web applications. We tested five ASATs on two datasets, one with real WordPress plugins and another with synthetic test cases. Our findings revealed that combining the outputs of several ASATs does not always improve the vulnerability detection performance over a single ASAT. By using our procedure, a developer is able to choose the combination of ASATs that best fits the project requirements.


Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
