Securing Java code

Ware, Michael S.; Fox, Christopher J.

doi:10.1145/1394504.1394506

Cited by 19 publications

(1 citation statement)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Based on the literature presented in this study, we have the following observations: (i) the field has witnessed significant research work relating to bug detection using ASAT, (ii) most of these studies are focused on evaluating the effectiveness of the tools using the standard evaluation metrics such as the number of warning 17 false positives, 36 coverage, 37 (iii) to the best of our knowledge, the evaluations are usually performed based on C/C++ source code, (iv) also, some of the tools are based on the extension of the existing tools, (v) again, there are a limited number of studies in relation to the analysis of Java source code. For instance, we noticed from our review that there are only about three studies, namely, the work presented by Ware and Fox, 38 Flanagan et al, 39 and Livshits 40 that empirically verified the effectiveness of the static application security testing tools based on Java source code files. Ware and Fox conducted a comprehensive report on the effectiveness of eight static analysis tools in relation to detecting security‐related flaws and defects in Java code.…”

Section: Related Workmentioning

confidence: 95%

Bug detection in Java code: An extensive evaluation of static analysis tools using Juliet Test Suites

et al. 2022

View full text Add to dashboard Cite

Previous studies have demonstrated the usefulness of employing automated static analysis tools (ASAT) and techniques to detect security bugs in software systems. However, these studies are usually focused on analyzing the effectiveness of the tools using open-source tools based on C/C++ source code.The choice for making an appropriate decision on the most suitable tool for bug detection in Java code software remains a relatively unexplored domain.To address this deficiency, this study empirically evaluates eight widely used ASATs, namely, Findbug, PMD, YASCA, LAPSE+, JLint, Bandera, ESC/Java, and Java Pathfinder using the Juliet Test Suite (Test Suite v1.2). Additionally, we assessed the performance of the detection capabilities for the aforementioned bug detection tools using robust performance measures such as precision, recall, Youden index, and the OWASP web benchmark evaluation (WBE). The experimental results show that the tools obtain precision values ranging from 83% to 90.7% based on the studied datasets. Specifically, the Java Pathfinder achieves the best precision score of 90.7%, followed by YASCA and Bandera with a precision score of 88.7% and 83%, respectively. Similarly, Bandera, ESC/Java, and Java Pathfinder obtain a Youden index of 0.8, which indicates the effectiveness of the tools in detecting security bugs in Java source code.

show abstract

Section: Related Workmentioning

confidence: 95%

Bug detection in Java code: An extensive evaluation of static analysis tools using Juliet Test Suites

et al. 2022

View full text Add to dashboard Cite

show abstract

RUGRAT: Evaluating program analysis and testing tools and compilers with large generated random benchmark applications

Hussain

Csallner

Grechanik

et al. 2014

Softw. Pract. Exper.

View full text Add to dashboard Cite

Summary Benchmarks are heavily used in different areas of computer science to evaluate algorithms and tools. In program analysis and testing, open‐source and commercial programs are routinely used as benchmarks to evaluate different aspects of algorithms and tools. Unfortunately, many of these programs are written by programmers who introduce different biases, not to mention that it is very difficult to find programs that can serve as benchmarks with high reproducibility of results. We propose a novel approach for generating random benchmarks for evaluating program analysis and testing tools and compilers. Our approach uses stochastic parse trees, where language grammar production rules are assigned probabilities that specify the frequencies with which instantiations of these rules will appear in the generated programs. We implemented our tool for Java and applied it to generate a set of large benchmark programs of up to 5M lines of code each with which we evaluated different program analysis and testing tools and compilers. The generated benchmarks let us independently rediscover several issues in the evaluated tools. Copyright © 2014 John Wiley & Sons, Ltd.

show abstract

Mining the Categorized Software Repositories to Improve the Analysis of Security Vulnerabilities

Sadeghi

Esfahani

Malek

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Security has become the Achilles' heel of most modern software systems. Techniques ranging from the manual inspection to automated static and dynamic analyses are commonly employed to identify security vulnerabilities prior to the release of the software. However, these techniques are time consuming and cannot keep up with the complexity of ever-growing software repositories (e.g., Google Play and Apple App Store). In this paper, we aim to improve the status quo and increase the efficiency of static analysis by mining relevant information from vulnerabilities found in the categorized software repositories. The approach relies on the fact that many modern software systems are developed using rich application development frameworks (ADF), allowing us to raise the level of abstraction for detecting vulnerabilities and thereby making it possible to classify the types of vulnerabilities that are encountered in a given category of application. We used open-source software repositories comprising more than 7 million lines of code to demonstrate how our approach can improve the efficiency of static analysis, and in turn, vulnerability detection.

show abstract

Securing Java code

Cited by 19 publications

References 12 publications

Bug detection in Java code: An extensive evaluation of static analysis tools using Juliet Test Suites

Bug detection in Java code: An extensive evaluation of static analysis tools using Juliet Test Suites

RUGRAT: Evaluating program analysis and testing tools and compilers with large generated random benchmark applications

Mining the Categorized Software Repositories to Improve the Analysis of Security Vulnerabilities

Contact Info

Product

Resources

About