Automated Code Review Tools for Security

McGraw,

doi:10.1109/mc.2008.514

Cited by 36 publications

(28 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…VCCs identified during code review contain vulnerabilities that could be eliminated prior to release, by using careful coding and review techniques. The longer it takes to detect and fix a security vulnerability, the more that vulnerability will cost [30]. Therefore, eliminating vulnerabilities early via careful coding and reviewing should help to reduce the cost of developing secure software.…”

Section: Introductionmentioning

confidence: 99%

Identifying the characteristics of vulnerable code changes: an empirical study

Bosu

Carver

Hafiz

et al. 2014

Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering

View full text Add to dashboard Cite

To focus the efforts of security experts, the goals of this empirical study are to analyze which security vulnerabilities can be discovered by code review, identify characteristics of vulnerable code changes, and identify characteristics of developers likely to introduce vulnerabilities. Using a three-stage manual and automated process, we analyzed 267,046 code review requests from 10 open source projects and identified 413 Vulnerable Code Changes (VCC). Some key results include: (1) code review can identify common types of vulnerabilities;(2) while more experienced contributors authored the majority of the VCCs, the less experienced contributors' changes were 1.8 to 24 times more likely to be vulnerable; (3) the likelihood of a vulnerability increases with the number of lines changed, and (4) modified files are more likely to contain vulnerabilities than new files. Knowing which code changes are more prone to contain vulnerabilities may allow a security expert to concentrate on a smaller subset of submitted code changes. Moreover, we recommend that projects should: (a) create or adapt secure coding guidelines, (b) create a dedicated security review team, (c) ensure detailed comments during review to help knowledge dissemination, and (d) encourage developers to make small, incremental changes rather than large changes.

show abstract

Section: Introductionmentioning

confidence: 99%

Identifying the characteristics of vulnerable code changes: an empirical study

Bosu

Carver

Hafiz

et al. 2014

Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering

View full text Add to dashboard Cite

show abstract

“…As a term, it is mostly used to describe the first phase of the compilation process. However, there is no difference between this phase and the method that we describe here (McGraw, 2008). The two differ only in the manipulation of their outcome.…”

Section: Lexical Analysismentioning

confidence: 92%

“…As a result there are several false positive and negative reports (Chess & West, 2007;Cowan, 2003). Note though, that lexical analysis utilities helped the gathering and depiction of a tentative set of security rules in one place for the first time (McGraw, 2008).…”

Section: Lexical Analysismentioning

confidence: 99%

Fatal injection: a survey of modern code injection attack countermeasures

Mitropoulos

Spinellis

2017

PeerJ Computer Science

View full text Add to dashboard Cite

With a code injection attack (CIA) an attacker can introduce malicious code into a computer program or system that fails to properly encode data that comes from an untrusted source. A CIA can have different forms depending on the execution context of the application and the location of the programming flaw that leads to the attack. Currently, CIAs are considered one of the most damaging classes of application attacks since they can severely affect an organisation's infrastructure and cause financial and reputational damage to it. In this paper we examine and categorize the countermeasures developed to detect the various attack forms. In particular, we identify two distinct categories. The first incorporates static program analysis tools used to eliminate flaws that can lead to such attacks during the development of the system. The second involves the use of dynamic detection safeguards that prevent code injection attacks while the system is in production mode. Our analysis is based on nonfunctional characteristics that are considered critical when creating security mechanisms. Such characteristics involve usability, overhead, implementation dependencies, false positives and false negatives. Our categorization and analysis can help both researchers and practitioners either to develop novel approaches, or use the appropriate mechanisms according to their needs. Subjects Security and Privacy

show abstract

“…There are several tools designed to meet these objectives, i.e., ITS4 [1], RATS [2]. However, most of the tools for code static analysis are intended for applications written in C. But the widespread development of Java EE Applications and the continuous emergence of frameworks for this purpose [3][4] [5], make necessary to count on a tool for analyzing vulnerabilities in applications written in Java.…”

Section: Introductionmentioning

confidence: 99%

LAPSE+ Static Analysis Security Software: Vulnerabilities Detection in Java EE Applications

Pérez

Filipiak

Sierra

2011

Communications in Computer and Information Science

View full text Add to dashboard Cite

This paper presents the study and enhancement of LAPSE, a security software based on the static analysis of code for detecting security vulnerabilities in Java EE Applications. LAPSE was developed by the SUIF Compiler Group of Stanford University as a plugin for Eclipse Java IDE. The latest stable release of the plugin, LAPSE 2.5.6, dates from 2006, and it is obsolete in terms of the number of vulnerabilities detected and its integration with new versions of Eclipse. This paper focuses on introducing LAPSE+, an enhanced version of LAPSE 2.5.6. This new version of the plugin extends the functionality of the previous one, being updated to work with Eclipse Helios, providing a wider catalog of vulnerabilities and improvements for code analysis. In addition, the paper introduces a command-line version of LAPSE+ to make this tool independent of Eclipse Java IDE. This command-line version features the generation of XML reports of the potential vulnerabilities detected in the application.

show abstract

Automated Code Review Tools for Security

Cited by 36 publications

References 1 publication

Identifying the characteristics of vulnerable code changes: an empirical study

Identifying the characteristics of vulnerable code changes: an empirical study

Fatal injection: a survey of modern code injection attack countermeasures

LAPSE+ Static Analysis Security Software: Vulnerabilities Detection in Java EE Applications

Contact Info

Product

Resources

About