
2019 | Original Paper | Book chapter

Designing a Code Vulnerability Meta-scanner

Authors: Raounak Benabidallah, Salah Sadou, Brendan Le Trionnaire, Isabelle Borne

Published in: Information Security Practice and Experience

Publisher: Springer International Publishing


Abstract

The concept of “secure by design” is based on preventive software security and aims at avoiding vulnerabilities as early as possible. However, finding vulnerabilities manually is a time-consuming and error-prone process, so the use of code scanner tools has become good practice for developers. Unfortunately, existing code scanners produce too many false positives, which complicates the development cycle.
In this paper, we present an approach to constructing a code vulnerability scanner on top of existing scanner tools. The aim of such a scanner, called a code vulnerability meta-scanner (CVMS), is to be more efficient and to reduce the number of false positives. Our experimental results show that none of the scanners strictly subsumes another, and none of them is better than all the others for all vulnerabilities. We therefore propose a method that combines their results according to their respective performances. We evaluated our approach using three existing scanner tools (Fortify, Yag Suite and SpotBug) and then used the resulting CVMS to annotate a well-known Java application corpus, the Qualitas Corpus. These experimental results demonstrate that the CVMS performs better than the scanners on which it is built.
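The abstract states that the CVMS combines the scanners' results "with respect to their performances" without describing the combination rule. The following is an added illustration, not code from the paper: a toy meta-scanner that weights each scanner's vote by its measured precision for a given CWE category on a labelled benchmark, then applies those weights to a new code base. The scanner labels follow the three tools named in the abstract; the benchmark labels, the findings and the weighted-vote rule with its threshold are constructed assumptions, chosen so that the combined report beats every individual scanner on the constructed data.

```python
"""Added illustration, not the paper's code: a toy code vulnerability
meta-scanner (CVMS) that combines several scanners' reports by weighting
each scanner's vote with its measured precision for that CWE category.
Benchmark labels, findings and the weighting rule are constructed."""
from collections import defaultdict
from typing import Dict, Set, Tuple

# A finding is (location, CWE id); the same pair from two tools is one candidate.
Finding = Tuple[str, str]
Reports = Dict[str, Set[Finding]]
Weights = Dict[Tuple[str, str], float]


def measure_weights(reports: Reports, truth: Set[Finding]) -> Weights:
    """Per (scanner, CWE) precision on a labelled benchmark: TP / (TP + FP).
    A scanner that never reports a CWE gets no entry (weight 0 in combine)."""
    weights: Weights = {}
    for scanner, findings in reports.items():
        by_cwe: Dict[str, list] = defaultdict(list)
        for finding in findings:
            by_cwe[finding[1]].append(finding)
        for cwe, group in by_cwe.items():
            hits = sum(1 for f in group if f in truth)
            weights[(scanner, cwe)] = hits / len(group)
    return weights


def combine(reports: Reports, weights: Weights, threshold: float = 0.5) -> Set[Finding]:
    """Weighted vote (assumed rule): keep a candidate when the summed precision
    of the scanners reporting it reaches the threshold. One trusted scanner is
    enough on its own; several low-precision scanners must agree to pass."""
    score: Dict[Finding, float] = defaultdict(float)
    for scanner, findings in reports.items():
        for finding in findings:
            score[finding] += weights.get((scanner, finding[1]), 0.0)
    return {f for f, s in score.items() if s >= threshold}


def precision_recall(findings: Set[Finding], truth: Set[Finding]) -> Tuple[float, float]:
    """Precision and recall of a report against ground truth."""
    hits = len(findings & truth)
    precision = hits / len(findings) if findings else 0.0
    recall = hits / len(truth) if truth else 0.0
    return precision, recall


# --- constructed labelled benchmark used to learn the per-CWE weights ---
TRUTH_BENCH: Set[Finding] = {
    ("A.java:10", "CWE-89"), ("A.java:20", "CWE-89"),
    ("B.java:5", "CWE-79"), ("B.java:9", "CWE-79"),
    ("C.java:1", "CWE-78"),
}
REPORTS_BENCH: Reports = {
    "Fortify":  {("A.java:10", "CWE-89"), ("A.java:20", "CWE-89"),
                 ("B.java:5", "CWE-79"), ("B.java:50", "CWE-79"), ("B.java:51", "CWE-79")},
    "Yag":      {("A.java:10", "CWE-89"), ("A.java:98", "CWE-89"), ("A.java:99", "CWE-89"),
                 ("B.java:5", "CWE-79"), ("B.java:9", "CWE-79"),
                 ("C.java:1", "CWE-78"), ("C.java:77", "CWE-78")},
    "SpotBugs": {("A.java:20", "CWE-89"), ("A.java:97", "CWE-89"), ("A.java:98", "CWE-89"),
                 ("B.java:9", "CWE-79"), ("B.java:60", "CWE-79"), ("B.java:61", "CWE-79"),
                 ("C.java:77", "CWE-78"), ("C.java:78", "CWE-78")},
}
WEIGHTS = measure_weights(REPORTS_BENCH, TRUTH_BENCH)

# --- constructed "new application" on which the CVMS is applied ---
TRUTH_EVAL: Set[Finding] = {
    ("X.java:1", "CWE-89"), ("X.java:2", "CWE-89"),
    ("Y.java:1", "CWE-79"), ("Z.java:1", "CWE-78"),
}
REPORTS_EVAL: Reports = {
    "Fortify":  {("X.java:1", "CWE-89"), ("X.java:2", "CWE-89"), ("Y.java:1", "CWE-79"),
                 ("Y.java:30", "CWE-79"), ("Y.java:31", "CWE-79")},
    "Yag":      {("X.java:1", "CWE-89"), ("X.java:40", "CWE-89"), ("Y.java:1", "CWE-79"),
                 ("Z.java:1", "CWE-78"), ("Z.java:40", "CWE-78")},
    "SpotBugs": {("X.java:2", "CWE-89"), ("X.java:41", "CWE-89"), ("Y.java:1", "CWE-79"),
                 ("Y.java:32", "CWE-79"), ("Z.java:41", "CWE-78")},
}


def cvms_report() -> Set[Finding]:
    """The meta-scanner's output on the constructed application."""
    return combine(REPORTS_EVAL, WEIGHTS)


if __name__ == "__main__":
    for name, report in REPORTS_EVAL.items():
        print(name, precision_recall(report, TRUTH_EVAL))
    print("CVMS", precision_recall(cvms_report(), TRUTH_EVAL))
```

On the constructed data each scanner alone reaches at best 0.6 precision, while the combined report keeps every true finding and discards the lone-scanner false positives for CWE-89 and CWE-79, where that scanner's benchmark precision is below the threshold. The one false positive that survives (Z.java:40) comes from the only scanner with any measured precision for CWE-78: where no other tool covers a category, the combiner cannot do better than that tool, which is the practical limit of any such meta-scanner.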


Footnotes
1
CWE: CWE is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and a baseline for weakness identification, mitigation, and prevention efforts.
Metadata
Title
Designing a Code Vulnerability Meta-scanner
Authors
Raounak Benabidallah
Salah Sadou
Brendan Le Trionnaire
Isabelle Borne
Copyright year
2019
DOI
https://doi.org/10.1007/978-3-030-34339-2_11