On Combining Diverse Static Analysis Tools for Web Security: An Empirical Study

Bibliographic details
Lead author: Nunes, Paulo
Publication date: 2017
Other authors: Medeiros, Ibéria, Fonseca, José, Neves, Nuno, Correia, Miguel, Vieira, Marco
Document type: Article
Language: eng
Source title: Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos)
Full text: http://hdl.handle.net/10314/3952
Abstract: Developers frequently rely on free static analysis tools to automatically detect vulnerabilities in the source code of their applications, but it is well-known that the performance of such tools is limited and varies from one software development scenario to another, both in terms of coverage and false positives. Diversity is an obvious direction to take to improve coverage, as different tools usually report distinct vulnerabilities, but this may come with an increase in the number of false alarms. In this paper, we study the problem of combining diverse static analysis tools to detect web vulnerabilities, considering four software development scenarios with different goals and constraints, ranging from low budget to high-end (e.g., business critical) applications. We conducted an experimental campaign with five free static analysis tools to detect vulnerabilities in a workload composed of 134 WordPress plugins. Results clearly show that the best solution depends on the development scenario. Furthermore, in some cases, a single tool performs better than the best combination of tools.
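The trade-off the abstract describes (combining tools raises coverage but also the false-alarm count, so the best choice depends on how a scenario weighs the two) can be made concrete with a small scoring harness. The following is an added example, not code or data from the paper: the three tool names, their reports and the ground-truth set are constructed for illustration, and the F-beta weighting used to stand in for "development scenario" is an assumption of this example, not the metric the authors used.

```python
"""Compare single static analysis tools against union and intersection
combinations of their reports, scored under scenario-dependent weightings.
Added example with constructed data; not the paper's tools, data or metric."""
from itertools import combinations

# Constructed ground truth: a finding is (file, line, vulnerability class).
GROUND_TRUTH = {
    ("plugin-a/admin.php", 42, "XSS"),
    ("plugin-a/ajax.php", 17, "SQLi"),
    ("plugin-b/form.php", 88, "XSS"),
    ("plugin-b/db.php", 120, "SQLi"),
    ("plugin-c/widget.php", 9, "XSS"),
}

# Hypothetical tool names. Each reports some real vulnerabilities plus noise;
# the noise is what makes a union cost precision while it buys coverage.
TOOL_REPORTS = {
    "toolA": {("plugin-a/admin.php", 42, "XSS"),
              ("plugin-a/ajax.php", 17, "SQLi"),
              ("plugin-b/form.php", 88, "XSS"),
              ("plugin-a/admin.php", 60, "XSS")},          # false positive
    "toolB": {("plugin-a/admin.php", 42, "XSS"),
              ("plugin-b/form.php", 88, "XSS"),
              ("plugin-b/db.php", 120, "SQLi"),
              ("plugin-b/form.php", 91, "XSS"),             # false positive
              ("plugin-c/widget.php", 30, "SQLi"),          # false positive
              ("plugin-b/db.php", 140, "SQLi")},            # false positive
    "toolC": {("plugin-a/ajax.php", 17, "SQLi"),
              ("plugin-c/widget.php", 9, "XSS"),
              ("plugin-a/ajax.php", 25, "SQLi"),            # false positive
              ("plugin-c/widget.php", 12, "XSS"),           # false positive
              ("plugin-b/db.php", 200, "SQLi")},            # false positive
}


def combine(reports, tools, mode):
    """Merge the reports of `tools`. 'union' keeps anything any tool flagged
    (more coverage, more false alarms); 'intersection' keeps only findings
    every tool agrees on (fewer false alarms, less coverage)."""
    sets = [reports[t] for t in tools]
    if mode == "union":
        return set().union(*sets)
    if mode == "intersection":
        return set.intersection(*sets)
    raise ValueError(f"unknown mode {mode!r}")


def evaluate(findings, truth):
    """True/false positives, misses, precision and recall against `truth`."""
    tp = len(findings & truth)
    fp = len(findings - truth)
    fn = len(truth - findings)
    precision = tp / (tp + fp) if findings else 0.0
    recall = tp / (tp + fn) if truth else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


def f_beta(precision, recall, beta):
    """Scenario weighting (assumption of this example): beta < 1 favours
    precision (triage budget is the constraint), beta > 1 favours recall
    (a missed vulnerability is the costlier error)."""
    if precision == 0.0 and recall == 0.0:
        return 0.0
    b2 = beta * beta
    return (1 + b2) * precision * recall / (b2 * precision + recall)


def rank_strategies(reports, truth, beta):
    """Score every single tool and every union/intersection of two or more
    tools; returns (score, strategy name) pairs, best first."""
    names = sorted(reports)
    scored = []
    for t in names:
        m = evaluate(reports[t], truth)
        scored.append((f_beta(m["precision"], m["recall"], beta), f"single({t})"))
    for k in range(2, len(names) + 1):
        for subset in combinations(names, k):
            for mode in ("union", "intersection"):
                m = evaluate(combine(reports, subset, mode), truth)
                scored.append((f_beta(m["precision"], m["recall"], beta),
                               f"{mode}({', '.join(subset)})"))
    scored.sort(key=lambda x: (-x[0], x[1]))
    return scored


def best_strategy(reports, truth, beta):
    """Name and rounded score of the top-ranked strategy for a given beta."""
    score, name = rank_strategies(reports, truth, beta)[0]
    return name, round(score, 4)


if __name__ == "__main__":
    for label, beta in (("strict triage", 0.25), ("balanced", 1.0),
                        ("business critical", 2.0)):
        print(f"{label:18s} beta={beta}: {best_strategy(TOOL_REPORTS, GROUND_TRUTH, beta)}")
```

On this constructed data the winner moves with the weighting: a strict precision-first scenario picks the intersection of two tools, the balanced scenario is won by a single tool outright (no combination beats toolA), and the recall-heavy scenario picks a union of two tools rather than all three, because the third tool adds only a false positive to that union. Running a harness like this over your own labelled sample, with your own cost weighting, is the practical way to choose a tool set per project rather than assuming more tools is always better.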
Record metadata
Record id: RCAP_f04450dd91f033b465dd012f256197ae
OAI identifier: oai:bdigital.ipg.pt:10314/3952
Network: RCAP (repository id 7160)
Keywords: static analysis; vulnerability detection; XSS; SQLi
Publisher: 13th European Dependable Computing Conference
Date of publication: 2017-09-07
Date deposited: 2018-03-26
Type: article (published version)
Identifier: http://hdl.handle.net/10314/3952
Language: eng
Relation: 978-1-5386-0602-5/17 $31.00 © 2017 IEEE
Rights: open access
Source: Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos); Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação; RCAAP