Predicting common web application vulnerabilities from input validation and sanitization code patterns

Software defect prediction studies have shown that defect predictors built from static code attributes are useful and effective. On the other hand, to mitigate the threats posed by common web application vulnerabilities, many vulnerability detection approaches have been proposed. However, finding al...

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:27th IEEE/ACM International Conference on Automated Software Engineering (ASE) : proceedings, September 3-7, 2012, Essen, Germany s. 310 - 313
Hlavní autori: Shar, Lwin Khin, Tan, Hee Beng Kuan
Médium: Konferenčný príspevok..
Jazyk:English
Vydavateľské údaje: New York, NY, USA ACM 03.09.2012
Edícia:ACM Conferences
Predmet:
Codes
Complexity theory
Data collection
Data mining
Defect prediction
empirical study
General and reference > Cross-computing tools and techniques > Metrics
General and reference > Cross-computing tools and techniques > Verification
input validation and sanitization
Predictive models
Security
Software
Software and its engineering > Software creation and management > Software development process management
Software and its engineering > Software creation and management > Software verification and validation > Formal software verification
Software and its engineering > Software organization and properties > Software functional properties > Formal methods > Software verification
Software engineering
static code attributes
Theory of computation > Semantics and reasoning > Program reasoning > Program verification
Time measurement
Vectors
web application vulnerabilities
static code attributes
empirical study
input validation and sanitization
web application vulnerabilities
Defect prediction
ISBN:1450312047, 9781450312042
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:Software defect prediction studies have shown that defect predictors built from static code attributes are useful and effective. On the other hand, to mitigate the threats posed by common web application vulnerabilities, many vulnerability detection approaches have been proposed. However, finding alternative solutions to address these risks remains an important research problem. As web applications generally adopt input validation and sanitization routines to prevent web security risks, in this paper, we propose a set of static code attributes that represent the characteristics of these routines for predicting the two most common web application vulnerabilities—SQL injection and cross site scripting. In our experiments, vulnerability predictors built from the proposed attributes detected more than 80% of the vulnerabilities in the test subjects at low false alarm rates.
ISBN:1450312047
9781450312042
DOI:10.1145/2351676.2351733