Combinatorial Method with Static Analysis for Source Code Security in Web Applications

SQL injection vulnerabilities have been predominant on database-driven web applications since almost one decade. Exploiting such vulnerabilities enables attackers to gain unauthorized access to the back-end databases by altering the original SQL statements through manipulating user input. Testing web applications for identifying SQL injection vulnerabilities before deployment is essential to get rid of them. However, checking such vulnerabilities by hand is very tedious, difficult, and time-consuming. Web vulnerability static analysis tools are software tools for automatically identifying the root cause of SQL injection vulnerabilities in web applications source code. In this paper, we test and evaluate three free/open source static analysis tools using eight web applications with numerous known vulnerabilities, primarily for false negative rates. The evaluation results were compared and analysed, and they indicate a need to improve the tools.

Download Full-text

Static analysis of source code security: Assessment of tools against SAMATE tests

Information and Software Technology ◽

10.1016/j.infsof.2013.02.005 ◽

2013 ◽

Vol 55 (8) ◽

pp. 1462-1476 ◽

Cited By ~ 21

Author(s):

Gabriel Díaz ◽

Juan Ramón Bermejo

Keyword(s):

Static Analysis ◽

Source Code ◽

Security Assessment ◽

Code Security

Download Full-text

Is Static Analysis Able to Identify Unnecessary Source Code?

ACM Transactions on Software Engineering and Methodology ◽

10.1145/3368267 ◽

2020 ◽

Vol 29 (1) ◽

pp. 1-23

Author(s):

Roman Haas ◽

Rainer Niedermayr ◽

Tobias Roehm ◽

Sven Apel

Keyword(s):

Static Analysis ◽

Source Code

Download Full-text

A Neural Embedding for Source Code: Security Analysis and CWE Lists

2020 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech) ◽

10.1109/dasc-picom-cbdcom-cyberscitech49142.2020.00095 ◽

2020 ◽

Author(s):

Martina Saletta ◽

Claudio Ferretti

Keyword(s):

Source Code ◽

Security Analysis ◽

Code Security

Download Full-text

Source code security

ACM SIGUCCS Newsletter ◽

10.1145/382266.382431 ◽

1987 ◽

Vol 17 (4) ◽

pp. 26-28

Author(s):

Jon Corelis

Keyword(s):

Source Code ◽

Code Security

Download Full-text

Means of integrating static source security analysis technology into the software development environment

Modern information security ◽

10.31673/2409-7292.2020.035499 ◽

2020 ◽

Author(s):

N. V. Goryuk ◽

Keyword(s):

Software Development ◽

Static Analysis ◽

Software Security ◽

Source Code ◽

Security Analysis ◽

Development Environment ◽

Static Source ◽

Software Development Environment ◽

Further Development ◽

Code Development

The article investigates automation methods and means of integration of static source security analysis technology. The process of software security analysis, which is implemented by the technology of static analysis of the source code, is studied, and the methods of solving the problem of automation and integration of the technology into the source code development environment are offered. The perspective direction of further development of the technology of static analysis of the source code is established.

Download Full-text