Cargando…
Supporting secure programming in web applications through interactive static analysis
Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to appl...
| Autores principales: | , , , |
|---|---|
| Formato: | Online Artículo Texto |
| Lenguaje: | English |
| Publicado: |
Elsevier
2014
|
| Materias: | |
| Acceso en línea: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4294755/ https://www.ncbi.nlm.nih.gov/pubmed/25685513 http://dx.doi.org/10.1016/j.jare.2013.11.006 |
| _version_ | 1782352763825422336 |
|---|---|
| author | Zhu, Jun Xie, Jing Lipford, Heather Richter Chu, Bill |
| author_facet | Zhu, Jun Xie, Jing Lipford, Heather Richter Chu, Bill |
| author_sort | Zhu, Jun |
| collection | PubMed |
| description | Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases. |
| format | Online Article Text |
| id | pubmed-4294755 |
| institution | National Center for Biotechnology Information |
| language | English |
| publishDate | 2014 |
| publisher | Elsevier |
| record_format | MEDLINE/PubMed |
| spelling | pubmed-42947552015-02-14 Supporting secure programming in web applications through interactive static analysis Zhu, Jun Xie, Jing Lipford, Heather Richter Chu, Bill J Adv Res Original Article Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases. Elsevier 2014-07 2013-12-05 /pmc/articles/PMC4294755/ /pubmed/25685513 http://dx.doi.org/10.1016/j.jare.2013.11.006 Text en © 2013 Production and hosting by Elsevier B.V. http://creativecommons.org/licenses/by-nc-nd/3.0/ This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/3.0/). |
| spellingShingle | Original Article Zhu, Jun Xie, Jing Lipford, Heather Richter Chu, Bill Supporting secure programming in web applications through interactive static analysis |
| title | Supporting secure programming in web applications through interactive static analysis |
| title_full | Supporting secure programming in web applications through interactive static analysis |
| title_fullStr | Supporting secure programming in web applications through interactive static analysis |
| title_full_unstemmed | Supporting secure programming in web applications through interactive static analysis |
| title_short | Supporting secure programming in web applications through interactive static analysis |
| title_sort | supporting secure programming in web applications through interactive static analysis |
| topic | Original Article |
| url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4294755/ https://www.ncbi.nlm.nih.gov/pubmed/25685513 http://dx.doi.org/10.1016/j.jare.2013.11.006 |
| work_keys_str_mv | AT zhujun supportingsecureprogramminginwebapplicationsthroughinteractivestaticanalysis AT xiejing supportingsecureprogramminginwebapplicationsthroughinteractivestaticanalysis AT lipfordheatherrichter supportingsecureprogramminginwebapplicationsthroughinteractivestaticanalysis AT chubill supportingsecureprogramminginwebapplicationsthroughinteractivestaticanalysis |