scholarly journals Detecting security vulnerabilities with static analysis – A case study

2021 ◽  
Keyword(s):  
Open Source ◽  
Static Analysis ◽  
Source Code ◽  
Performance Comparison ◽  
Test Suite ◽  
Study Analysis ◽  
Security Vulnerabilities ◽  
Analysis Tools ◽  
A Performance

Abstract Many security vulnerabilities can be detected by static analysis. This paper is a case study and a performance comparison of four open-source static analysis tools and plugins (PMD, SpotBugs, Find Security Bugs, and SonarQube) on Java source code. Experiments have been conducted on the widely used Juliet Test Suite with respect to six selected weaknesses from the official Top 25 list of Common Weakness Enumeration. In this study, analysis metrics have been calculated for helping Java developers decide which tools can be used when checking their programs for security vulnerabilities. It turned out that particular weaknesses are best detected with particular tools.

Performance Comparison of Web Backend And Database: A Case Study Of Node.JS, Golang and MySQL, MongoDB

2019 ◽  
Vol 13 ◽  
Author(s):  
Faried Effendy ◽  
Taufik ◽  
Bramantyo Adhilaksono
Keyword(s):  
Response Time ◽  
Open Source ◽  
Poisson Distribution ◽  
Mobile Application ◽  
Web Applications ◽  
Performance Comparison ◽  
Memory Usage ◽  
Data Traffic ◽  
Cpu Utilization

: Substantial research has been conducted to compare web servers or to compare databases, but very limited research combines the two. Node.js and Golang (Go) are popular platforms for both web and mobile application back-ends, whereas MySQL and Go are among the best open source databases with different characters. Using MySQL and MongoDB as databases, this study aims to compare the performance of Go and Node.js as web applications back-end regarding response time, CPU utilization, and memory usage. To simulate the actual web server workload, the flow of data traffic on the server follows the Poisson distribution. The result shows that the combination of Go and MySQL is superior in CPU utilization and memory usage, while the Node.js and MySQL combination is superior in response time.

scholarly journals Open Plot Project: an open-source toolkit for 3-D structural data analysis

Solid Earth ◽  
2011 ◽  
Vol 2 (1) ◽  
pp. 53-63 ◽  
Author(s):  
S. Tavani ◽  
P. Arbues ◽  
M. Snidero ◽  
N. Carrera ◽  
J. A. Muñoz
Keyword(s):  
Spatial Distribution ◽  
Data Analysis ◽  
Open Source ◽  
Open Source Software ◽  
Source Code ◽  
Structural Data ◽  
Geological Modelling ◽  
Analysis Tools ◽  
Transect Analysis ◽  
Selection Of

Abstract. In this work we present the Open Plot Project, an open-source software for structural data analysis, including a 3-D environment. The software includes many classical functionalities of structural data analysis tools, like stereoplot, contouring, tensorial regression, scatterplots, histograms and transect analysis. In addition, efficient filtering tools are present allowing the selection of data according to their attributes, including spatial distribution and orientation. This first alpha release represents a stand-alone toolkit for structural data analysis. The presence of a 3-D environment with digitalising tools allows the integration of structural data with information extracted from georeferenced images to produce structurally validated dip domains. This, coupled with many import/export facilities, allows easy incorporation of structural analyses in workflows for 3-D geological modelling. Accordingly, Open Plot Project also candidates as a structural add-on for 3-D geological modelling software. The software (for both Windows and Linux O.S.), the User Manual, a set of example movies (complementary to the User Manual), and the source code are provided as Supplement. We intend the publication of the source code to set the foundation for free, public software that, hopefully, the structural geologists' community will use, modify, and implement. The creation of additional public controls/tools is strongly encouraged.

An empirical study on combining diverse static analysis tools for web security vulnerabilities based on development scenarios

Computing ◽  
2018 ◽  
Vol 101 (2) ◽  
pp. 161-185 ◽  
Author(s):  
Paulo Nunes ◽  
Ibéria Medeiros ◽  
José Fonseca ◽  
Nuno Neves ◽  
Miguel Correia ◽  
...  
Keyword(s):  
Empirical Study ◽  
Static Analysis ◽  
Web Security ◽  
Security Vulnerabilities ◽  
Development Scenarios ◽  
Analysis Tools

scholarly journals On the adoption of static analysis for software security assessment–A case study of an open-source e-government project

2021 ◽  
Vol 111 ◽  
pp. 102470
Author(s):  
Anh Nguyen-Duc ◽  
Manh Viet Do ◽  
Quan Luong Hong ◽  
Kiem Nguyen Khac ◽  
Anh Nguyen Quang
Keyword(s):  
Open Source ◽  
Static Analysis ◽  
Software Security ◽  
Security Assessment ◽  
Government Project

scholarly journals Evaluation of SQL Injection Vulnerability Detection Tools

2019 ◽  
Vol 9 (1) ◽  
pp. 1747-1751
Keyword(s):  
Static Analysis ◽  
Web Applications ◽  
Source Code ◽  
False Negative ◽  
Vulnerability Detection ◽  
Sql Injection ◽  
User Input ◽  
Root Cause ◽  
Analysis Tools ◽  
Free Open Source

SQL injection vulnerabilities have been predominant on database-driven web applications since almost one decade. Exploiting such vulnerabilities enables attackers to gain unauthorized access to the back-end databases by altering the original SQL statements through manipulating user input. Testing web applications for identifying SQL injection vulnerabilities before deployment is essential to get rid of them. However, checking such vulnerabilities by hand is very tedious, difficult, and time-consuming. Web vulnerability static analysis tools are software tools for automatically identifying the root cause of SQL injection vulnerabilities in web applications source code. In this paper, we test and evaluate three free/open source static analysis tools using eight web applications with numerous known vulnerabilities, primarily for false negative rates. The evaluation results were compared and analysed, and they indicate a need to improve the tools.

Combining Static Code Analysis and Machine Learning for Automatic Detection of Security Vulnerabilities in Mobile Apps

2018 ◽  
pp. 1121-1147
Author(s):  
Marco Pistoia ◽  
Omer Tripp ◽  
David Lubensky
Keyword(s):  
Machine Learning ◽  
Static Analysis ◽  
Private Information ◽  
Program Analysis ◽  
Mobile Applications ◽  
Mobile Apps ◽  
Security Vulnerabilities ◽  
Code Analysis ◽  
Analysis Tools ◽  
Static Code Analysis

Mobile devices have revolutionized many aspects of our lives. Without realizing it, we often run on them programs that access and transmit private information over the network. Integrity concerns arise when mobile applications use untrusted data as input to security-sensitive computations. Program-analysis tools for integrity and confidentiality enforcement have become a necessity. Static-analysis tools are particularly attractive because they do not require installing and executing the program, and have the potential of never missing any vulnerability. Nevertheless, such tools often have high false-positive rates. In order to reduce the number of false positives, static analysis has to be very precise, but this is in conflict with the analysis' performance and scalability, requiring a more refined model of the application. This chapter proposes Phoenix, a novel solution that combines static analysis with machine learning to identify programs exhibiting suspicious operations. This approach has been widely applied to mobile applications obtaining impressive results.

Combining Static Code Analysis and Machine Learning for Automatic Detection of Security Vulnerabilities in Mobile Apps

2017 ◽  
pp. 68-94
Author(s):  
Marco Pistoia ◽  
Omer Tripp ◽  
David Lubensky
Keyword(s):  
Machine Learning ◽  
Static Analysis ◽  
Private Information ◽  
Program Analysis ◽  
Mobile Applications ◽  
Mobile Apps ◽  
Security Vulnerabilities ◽  
Code Analysis ◽  
Analysis Tools ◽  
Static Code Analysis

Mobile devices have revolutionized many aspects of our lives. Without realizing it, we often run on them programs that access and transmit private information over the network. Integrity concerns arise when mobile applications use untrusted data as input to security-sensitive computations. Program-analysis tools for integrity and confidentiality enforcement have become a necessity. Static-analysis tools are particularly attractive because they do not require installing and executing the program, and have the potential of never missing any vulnerability. Nevertheless, such tools often have high false-positive rates. In order to reduce the number of false positives, static analysis has to be very precise, but this is in conflict with the analysis' performance and scalability, requiring a more refined model of the application. This chapter proposes Phoenix, a novel solution that combines static analysis with machine learning to identify programs exhibiting suspicious operations. This approach has been widely applied to mobile applications obtaining impressive results.

An evaluation of free/open source static analysis tools applied to embedded software

2010 ◽  
Author(s):  
Lucas Torri ◽  
Guilherme Fachini ◽  
Leonardo Steinfeld ◽  
Vesmar Camara ◽  
Luigi Carro ◽  
...  
Keyword(s):  
Open Source ◽  
Static Analysis ◽  
Embedded Software ◽  
Analysis Tools ◽  
Free Open Source
Sign in / Sign up

Export Citation Format

Share Document