Mining the Categorized Software Repositories to Improve the Analysis of Security Vulnerabilities

Sadeghi, Alireza; Esfahani, Naeem; Malek, Sam

doi:10.1007/978-3-642-54804-8_11

Cited by 17 publications

(6 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Existing research efforts related to Android app security have focused on developing tools and techniques to help detect vulnerabilities in an app's implementation [18,8]. Despite such efforts, apps with known vulnerabilities find their way to app stores [15,4]. This is possibly because existing tools are neither accurate [14] nor scalable [12] in terms of detecting known vulnerabilities.…”

Section: Why a New Methodology?mentioning

confidence: 99%

SeMA: A Design Methodology for Building Secure Android Apps

Mitra

Ranganath

2019

2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshop (ASEW)

View full text Add to dashboard Cite

UX (user experience) designers visually capture the UX of an app via storyboards. This method is also used in Android app development to conceptualize and design apps.Recently, security has become an integral part of Android app UX because mobile apps are used to perform critical activities such as banking, communication, and health. Therefore, securing user information is imperative in mobile apps.In this context, storyboarding tools offer limited capabilities to capture and reason about the security requirements of an app. Consequently, security cannot be baked into the app at design time. Hence, vulnerabilities stemming from design flaws can often occur in apps. To address this concern, in this paper, we propose a storyboard based design methodology to enable the specification and verification of security properties of an Android app at design time.

show abstract

Section: Why a New Methodology?mentioning

confidence: 99%

SeMA: A Design Methodology for Building Secure Android Apps

Mitra

Ranganath

2019

2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshop (ASEW)

View full text Add to dashboard Cite

show abstract

“…Since many of the security issues encountered in modern software are due to the wrong usage of ADF [21], we are able to develop highly effective predictors as to the types of security vulnerabilities one may find in different categories of apps. In our prior research [17], we have shown the existence of strong correlations between the types of vulnerabilities and categories of apps. This paper shows how such correlations can be used to improve the efficiency of static, dynamic, and manual analysis techniques for security assessment of software.…”

mentioning

confidence: 88%

“…Some examples of app markets with categories are F-Droid for open source and Google Play for Android applications. Other than facilitating the users in searching and browsing, categories of apps have shown to be good predictors of the common features found within software of a particular category [12,17].…”

mentioning

confidence: 99%

Mining mobile app markets for prioritization of security assessment effort

Sadeghi

Esfahani

Malek

2017

Proceedings of the 2nd ACM SIGSOFT International Workshop on App Market Analytics

Self Cite

View full text Add to dashboard Cite

Like any other software engineering activity, assessing the security of a software system entails prioritizing the resources and minimizing the risks. Techniques ranging from the manual inspection to automated static and dynamic analyses are commonly employed to identify security vulnerabilities prior to the release of the software. However, none of these techniques is perfect, as static analysis is prone to producing lots of false positives and negatives, while dynamic analysis and manual inspection are unwieldy, both in terms of required time and cost. This research aims to improve these techniques by mining relevant information from vulnerabilities found in the app markets. The approach relies on the fact that many modern software systems, in particular mobile software, are developed using rich application development frameworks (ADF), allowing us to raise the level of abstraction for detecting vulnerabilities and thereby making it possible to classify the types of vulnerabilities that are encountered in a given category of application. By coupling this type of information with severity of the vulnerabilities, we are able to improve the efficiency of static and dynamic analyses, and target the manual effort on the riskiest vulnerabilities. CCS CONCEPTS • Security and privacy → Mobile platform security; Access control; • Software and its engineering → Software testing and debugging; Automated static analysis;

show abstract

“…The category mentions the following works and their ideas: fuzzy testing using genetic algorithms [ 59 ]; bug report analysis using classification to identify hidden vulnerabilities [ 60 , 61 ]; searching for memory corruption vulnerabilities by source code using genetic algorithms and Fish School Search [ 62 ]; classification and prediction of false positives in SA vulnerabilities in Web application code and automatic fixing them [ 63 ]; and improving SA efficiency and scalability for software repositories [ 64 ]. Thus, although the research in the fourth category is related to SA, it is rather of an auxiliary nature and will not be discussed further.…”

Section: Analysis Of Existing Review Workmentioning

confidence: 99%

Static Analysis of Information Systems for IoT Cyber Security: A Survey of Machine Learning Approaches

Kotenko

Izrailov

Buinevich

2022

Sensors

View full text Add to dashboard Cite

Ensuring security for modern IoT systems requires the use of complex methods to analyze their software. One of the most in-demand methods that has repeatedly been proven to be effective is static analysis. However, the progressive complication of the connections in IoT systems, the increase in their scale, and the heterogeneity of elements requires the automation and intellectualization of manual experts’ work. A hypothesis to this end is posed that assumes the applicability of machine-learning solutions for IoT system static analysis. A scheme of this research, which is aimed at confirming the hypothesis and reflecting the ontology of the study, is given. The main contributions to the work are as follows: systematization of static analysis stages for IoT systems and decisions of machine-learning problems in the form of formalized models; review of the entire subject area publications with analysis of the results; confirmation of the machine-learning instrumentaries applicability for each static analysis stage; and the proposal of an intelligent framework concept for the static analysis of IoT systems. The novelty of the results obtained is a consideration of the entire process of static analysis (from the beginning of IoT system research to the final delivery of the results), consideration of each stage from the entirely given set of machine-learning solutions perspective, as well as formalization of the stages and solutions in the form of “Form and Content” data transformations.

show abstract

Mining the Categorized Software Repositories to Improve the Analysis of Security Vulnerabilities

Cited by 17 publications

References 17 publications

SeMA: A Design Methodology for Building Secure Android Apps

SeMA: A Design Methodology for Building Secure Android Apps

Mining mobile app markets for prioritization of security assessment effort

Static Analysis of Information Systems for IoT Cyber Security: A Survey of Machine Learning Approaches

Contact Info

Product

Resources

About