Using Interactive Static Analysis for Early Detection of Software Vulnerabilities

Presented at AppSec USA 2012, Oct. 26, 2012, 3 p.m. (45 minutes).

We present our work of using interactive static analysis to improve upon static analysis techniques by introducing a new mixed-initiative paradigm for interacting with developers to aid in the detection and prevention of security vulnerabilities. The key difference between our approach and standard static analysis is interaction with the developers. Specifically, our approach is predicated on the following principles: • Secure programming support should be targeted towards general developers who understand the application logic, but may have limited knowledge of secure programming; • Secure programming support should be provided while the code is being developed, integrated into the development tools; • Secure programming support should reduce the workload in detecting and resolving vulnerabilities; and • Developers should be able to provide feedback about the application context that can drive customized security analysis. We have performed evaluations of our approach using an active open source project, Apache Roller. Our results shows that interactive data flow analysis can potential reduce the effort of finding and fixing vulnerabilities by as much as 50%. Using interactive control flow analysis, we found cross request forgery vulnerabilities in current Roller release. The Roller team issued patches based on our report (CVE-2012-2380). We have also performed user studies, both for students and for professional developers with promising results. For example, preliminary data suggests that using ASIDE students, who do not have secure programming training, can write much more secure code.

Presenters:

• Bill Chu - Professor - University of North Carolina at Charlotte
  I received my Ph.D. in Computer Science from University of Maryland at College Park. My current research is focused on building interactive tools to support developers writing more secure code. Part of this effort is the OWASP ASIDE project(https://www.owasp.org/index.php/OWASP_ASIDE_Project). Outside work I enjoy readings in philosophy and history.

Links:

• Con Page

Similar Presentations:

• ToorCon San Diego TwentyOne (2019) / Static code analysis should work for developers, not for you
• AppSec USA 2016 / Practical Static Analysis for Continuous Application Security
• REcon 2006 / Secure Development with Static Analysis