On Combining Diverse Static Analysis Tools for Web Security: An Empirical Study

| Field | Value |
|---|---|
| Lead author | Nunes, Paulo |
| Other authors | Medeiros, Ibéria; Fonseca, José; Neves, Nuno; Correia, Miguel; Vieira, Marco |
| Publication date | 2017 (published version dated 2017-09-07; deposited in the repository 2018-03-26) |
| Document type | Article (published version) |
| Language | English |
| Published in | 13th European Dependable Computing Conference (EDCC 2017), ISBN 978-1-5386-0602-5, © 2017 IEEE |
| Keywords | static analysis; vulnerability detection; XSS; SQLi |
| Source | Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos), RCAAP, hosted by Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
| Identifiers | record RCAP_f04450dd91f033b465dd012f256197ae; OAI oai:bdigital.ipg.pt:10314/3952 |
| Full text | http://hdl.handle.net/10314/3952 |
| Rights | Open access |

Abstract: Developers frequently rely on free static analysis tools to automatically detect vulnerabilities in the source code of their applications, but it is well-known that the performance of such tools is limited and varies from one software development scenario to another, both in terms of coverage and false positives. Diversity is an obvious direction to take to improve coverage, as different tools usually report distinct vulnerabilities, but this may come with an increase in the number of false alarms. In this paper, we study the problem of combining diverse static analysis tools to detect web vulnerabilities, considering four software development scenarios with different goals and constraints, ranging from low budget to high-end (e.g., business critical) applications. We conducted an experimental campaign with five free static analysis tools to detect vulnerabilities in a workload composed of 134 WordPress plugins. Results clearly show that the best solution depends on the development scenario. Furthermore, in some cases, a single tool performs better than the best combination of tools.
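The abstract's central point is that a combination of tools trades coverage against false alarms, and that which combination (or single tool) is best depends on how the development scenario weighs those two. The script below is an added illustration of that selection problem, written for this record; it is not code from the paper and does not use the paper's workload, tool set or metrics. The five tool names, their findings, the ground truth, the F-beta weighting and the per-tool cost used to model a "low budget" scenario are all constructed assumptions. It scores every subset of tools under k-out-of-n voting (k=1 is the union, k=n the intersection) against a scenario-specific utility and returns the winner.

```python
"""Added example (not code from the paper): pick the best combination of
diverse static analysis tools per development scenario. Tool names,
findings, ground truth, scenario weights and the per-tool cost are
constructed for illustration only."""
from collections import Counter
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, Tuple

Finding = Tuple[str, int, str]  # (file, line, vulnerability class)

# Constructed ground truth: the vulnerabilities that really exist.
GROUND_TRUTH: FrozenSet[Finding] = frozenset({
    ("plugin-a/admin.php", 42, "XSS"),
    ("plugin-a/ajax.php", 17, "SQLi"),
    ("plugin-b/widget.php", 88, "XSS"),
    ("plugin-c/db.php", 120, "SQLi"),
    ("plugin-c/db.php", 134, "SQLi"),
    ("plugin-d/form.php", 9, "XSS"),
})

# Constructed reports from five hypothetical tools: each finds a different
# slice of the truth and adds its own false alarms (marked FP).
REPORTS: Dict[str, FrozenSet[Finding]] = {
    "tool1": frozenset({("plugin-a/admin.php", 42, "XSS"),
                        ("plugin-b/widget.php", 88, "XSS"),
                        ("plugin-b/widget.php", 91, "XSS"),    # FP
                        ("plugin-b/widget.php", 95, "XSS")}),  # FP
    "tool2": frozenset({("plugin-a/ajax.php", 17, "SQLi"),
                        ("plugin-c/db.php", 120, "SQLi"),
                        ("plugin-e/x.php", 3, "SQLi"),          # FP
                        ("plugin-e/x.php", 5, "SQLi")}),        # FP
    "tool3": frozenset({("plugin-a/admin.php", 42, "XSS"),
                        ("plugin-c/db.php", 134, "SQLi"),
                        ("plugin-d/form.php", 9, "XSS")}),      # no FPs
    "tool4": frozenset({("plugin-c/db.php", 120, "SQLi"),
                        ("plugin-c/db.php", 134, "SQLi"),
                        ("plugin-f/y.php", 1, "SQLi"),          # FP
                        ("plugin-f/y.php", 2, "SQLi"),          # FP
                        ("plugin-f/y.php", 7, "XSS")}),         # FP
    "tool5": frozenset({("plugin-a/admin.php", 42, "XSS"),
                        ("plugin-a/ajax.php", 17, "SQLi"),
                        ("plugin-b/widget.php", 88, "XSS"),
                        ("plugin-g/z.php", 30, "XSS")}),        # FP
}


def combine(tools: Iterable[str], k: int) -> FrozenSet[Finding]:
    """k-out-of-n voting: keep a finding reported by at least k of the tools.
    k=1 is the union (most coverage), k=n the intersection (fewest alarms)."""
    votes = Counter(f for t in tools for f in REPORTS[t])
    return frozenset(f for f, n in votes.items() if n >= k)


def precision_recall(findings: FrozenSet[Finding]) -> Tuple[float, float]:
    tp = len(findings & GROUND_TRUTH)
    fp = len(findings - GROUND_TRUTH)
    precision = tp / (tp + fp) if tp + fp else 0.0
    return precision, tp / len(GROUND_TRUTH)


def f_beta(precision: float, recall: float, beta: float) -> float:
    """beta < 1 favours precision (cheap triage), beta > 1 favours recall
    (a missed vulnerability is the expensive outcome)."""
    if precision == 0.0 and recall == 0.0:
        return 0.0
    b2 = beta * beta
    return (1 + b2) * precision * recall / (b2 * precision + recall)


# Constructed scenarios: (beta, utility cost per additional tool). The per-tool
# cost is an assumption standing in for integration and triage effort.
SCENARIOS = {
    "low budget": (0.5, 0.10),
    "business critical": (2.0, 0.00),
}


def best_configuration(scenario: str) -> Tuple[Tuple[str, ...], int, float]:
    """Exhaustively score every tool subset and voting threshold and return
    (tools, k, utility) for the best one; the smallest configuration wins ties."""
    beta, tool_cost = SCENARIOS[scenario]
    best: Tuple[Tuple[str, ...], int, float] = ((), 0, float("-inf"))
    names = sorted(REPORTS)
    for size in range(1, len(names) + 1):
        for tools in combinations(names, size):
            for k in range(1, size + 1):
                p, r = precision_recall(combine(tools, k))
                utility = f_beta(p, r, beta) - tool_cost * (size - 1)
                if utility > best[2]:
                    best = (tools, k, utility)
    return best


if __name__ == "__main__":
    for name in SCENARIOS:
        tools, k, score = best_configuration(name)
        print(f"{name:18s} -> {k}-out-of-{len(tools)} over {tools}: {score:.3f}")
```

On this constructed data the two scenarios choose differently, which is the abstract's point in miniature: the precision-weighted, cost-per-tool "low budget" scenario picks the single false-positive-free tool (tool3) over every combination, while the recall-weighted "business critical" scenario picks the union of three tools, accepting three false alarms to cover every real finding. Raising k to 2 over all five tools removes every constructed false alarm, since no two tools agree on a spurious finding, but also drops the one real vulnerability that only a single tool reports; that is the coverage-versus-alarms trade-off a practitioner has to price for their own scenario.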