Verktyg för säker kodning : En jämförande studie / Tools for secure coding : A comparative study

Fransson, Robin, Hiltunen, Tommi

January 2023

Bakgrund I dagens programvara finns det problem som försämrar kvaliteten hos system och ökar kostnaderna. Det är viktigt att tänka på säkerheten redan under programmeringsfasen för att underlätta underhåll. The Open Web Application Security Project (OWASP) erbjuder dokument, verktyg och projekt för att skapa och underhålla produkter på ett säkrare sätt. För att upptäcka säkerhetsproblem i koden kan verktyg för Static Application Security Testing (SAST) användas. SAST-verktyg kan rapportera både false negatives och false positives, därför är det viktigt att undersöka hur precisa verktygen är i sin rapportering. Syfte Studien ämnar kartlägga vilka SAST-verktyg utvecklare kan ta hjälp av för att skriva säkrare kod. Undersökningen skall även jämföra hur bra de är på att hitta sårbarheter i kod och hur stort antal false positives de rapporterar. Metod En sökning gjordes för att samla information om vilka SAST-verktyg som finns tillgängliga och en lista sammanställdes med krav för att kunna genomföra likvärdiga tester. För att utföra testerna användes kod med planterade sårbarheter och resultaten från testerna genererade kvantitativa data som fördes in i en tabell. Resultat I studiens resultat kartlades tolv SAST-verktyg. Från dessa valdes HCL AppScan CodeSweep, Snyk och SonarLint ut för vidare testning. Därefter beräknades recall, precision och false positives för verktygen. Snyk hade 71,43% på både recall och precision och 33,33% false positives. HCL AppScan CodeSweep hade 28,57% på recall, 57,14% på precision och 25% på false positives. SonarLint hittade inga sårbarheter och blev därav inte analyserat. Slutsatser Studien kartlade tolv olika SAST-verktyg och valde tre för likvärdiga tester av JavaScript i Visual Studio Code. Resultaten visade att Snyk presterade bäst gällande rapportering av sårbarheter och hade högre resultat gällande precision, medan HCL AppScan CodeSweep presterade bäst på att undvika false positives. Överlag anses Snyk vara studiens bästa SAST-verktyg då det hade högst resultat på både recall och precision. / Background In today's software, there are issues that degrade system quality and increase costs. It is important to consider security during the programming phase to facilitate maintenance. The Open Web Application Security Project (OWASP) provides documentation, tools, and projects to create and maintain products in a more secure manner. To detect security issues in the code, tools for Static Application Security Testing (SAST) can be used. SAST-tools can report both false negatives and false positives, so it is important to investigate the accuracy of the tools in their reporting. Aim The study aims to map which SAST-tools developers can utilize to write more secure code. The investigation will also compare their effectiveness inidentifying vulnerabilities in code and the numberof false positives they report. Method A search was conducted to gather information on available SAST-tools, and a list was compiled with requirements to perform equivalent tests. To carry out the tests, code with planted vulnerabilities was used, and the test results generated quantitative data that were entered into a table. Results The study's results mapped twelve SAST-tools. From these, HCL AppScan CodeSweep, Snyk, and SonarLint were selected for further testing. Then, the recall, precision, and false positives were calculated for the tools. Snyk achieved 71.43% for both recall and precision and had 33.33% false positives. HCL AppScan CodeSweep achieved 28.57% recall, 57.14% precision, and 25% false positives. SonarLint did not find any vulnerabilities and was therefore not analyzed. Conclusions The study surveyed twelve different SAST-tools and selected three for tests on JavaScript in Visual Studio Code. The results showed that Snyk performed the best in terms of vulnerability reporting and achieved higher precision results, while HCL AppScan CodeSweep excelled in avoiding false positives. Overall, Snyk is considered the best SAST-tool in the study as it had the highest results in both recall and precision.

OWASP

CVSS

SAST

CWE

false positive

false negative

SAST-tools

OWASP

CVSS

SAST

CWE

false positive

false nega- tive

SAST-verktyg

Information Systems

Static Program Analysis

SHRESTHA, JAYESH

January 2013

No description available.

Static Program Analysis

Vulnerabilities

Juliet testcase

Findbugs

Common Weakness Enumeration (CWE)

Information Systems

Computational Evaluation of Wind Loads on Low- and High- Rise Buildings

Dagnew, Agerneh

29 August 2012

Buildings and other infrastructures located in the coastal regions of the US have a higher level of wind vulnerability. Reducing the increasing property losses and causalities associated with severe windstorms has been the central research focus of the wind engineering community. The present wind engineering toolbox consists of building codes and standards, laboratory experiments, and field measurements. The American Society of Civil Engineers (ASCE) 7 standard provides wind loads only for buildings with common shapes. For complex cases it refers to physical modeling. Although this option can be economically viable for large projects, it is not cost-effective for low-rise residential houses. To circumvent these limitations, a numerical approach based on the techniques of Computational Fluid Dynamics (CFD) has been developed. The recent advance in computing technology and significant developments in turbulence modeling is making numerical evaluation of wind effects a more affordable approach. The present study targeted those cases that are not addressed by the standards. These include wind loads on complex roofs for low-rise buildings, aerodynamics of tall buildings, and effects of complex surrounding buildings. Among all the turbulence models investigated, the large eddy simulation (LES) model performed the best in predicting wind loads. The application of a spatially evolving time-dependent wind velocity field with the relevant turbulence structures at the inlet boundaries was found to be essential. All the results were compared and validated with experimental data. The study also revealed CFD’s unique flow visualization and aerodynamic data generation capabilities along with a better understanding of the complex three-dimensional aerodynamics of wind-structure interactions. With the proper modeling that realistically represents the actual turbulent atmospheric boundary layer flow, CFD can offer an economical alternative to the existing wind engineering tools. CFD’s easy accessibility is expected to transform the practice of structural design for wind, resulting in more wind-resilient and sustainable systems by encouraging optimal aerodynamic and sustainable structural/building design. Thus, this method will help ensure public safety and reduce economic losses due to wind perils.

CFD

CWE

LES

Wind loads

High-rise building

Low-rise buildings

Statistical Study and Clustering of the Critical Branches Defining the Market Coupling in the Central West Europe Zone

Morin, Thomas

January 2016

Integration of European electricity market is one of the major challenges since the begin-ning of the 2000s. In 2010, market coupling, which optimizes power trading by allocating cross-border transmission capacity, was launched in Central West Europe (CWE). It was first implemented by using the Available Transmission Capacity (ATC) based capacity transmission. The ATC method was based on computation of Net Transfer Capacity on each border of the CWE zone by Transmission System Operators. On May 21st 2015, ATC method was replaced by the flow-based method. The flow-based method better takes into account the network specificities. It allocates transmission capacity based on branches rather than borders, as it was the case with ATC method.   Traders need to forecast the spot price in order to best choose their trading strategy. They have to forecast weather conditions, consumption, production and network main-tenance. With the implementation of the flow-based method, now they also need to forecast the flow-based domain. Then, clustering on past data will help to fulfill this goal.   This thesis has been carried out in three main steps. First, ATC and flow-based methods have been compared each other in order to better understand what are the advantages with the flow-based method. Then, main achievements and features of the flow-based method have been highlighted based on data collected during the phase test. Finally, a procedure has been developed in order to cluster data which define the flow-based domain. The clustering procedure has been tested on data collected of January 2015. Different clustering methods and observation pre-processing have been compared and recommendations on the best choice have been made.

Flow-based

Interconnections

CWE zone

ATC

Clustering

Elektroteknik och elektronik

Prediction of French day-ahead electricity prices: Comparison between a deterministic and a stochastic approach

André, Léo

January 2015

This thesis deals with the new flow-based computation method used in the Central Western Europe Area. This is done on the financial side. The main aim is to produce some robust methods for predicting. Two approaches are used: the first one is based on a deterministic and algorithmic method involving the study of the interaction between the fundamentals and the prices. The other one is a more statistical approach based on a time series modeling of the French flow-based prices. Both approaches have advantages and disadvantages which will be discussed in the following. The work is mainly based on global simulated data provided by CASC in their implementation phase of the flow-base in Western Europe. / Denna avhandling behandlar den nya flödesbaserade beräkningsmetoden som används i Centrala Västeuropa på ekonomisidan. Målet är att producera tillförlitliga metoder för prognostisering. Två tillvägagångssätt kan användas: den första är baserad på en deterministisk och algoritmisk metod som inbegriper studier av interaktionen mellan fundamenta och priserna. Den andra är en mer statistisk metod som bygger på en tidsseriemodellering av de franska flödesbaserade priserna. Båda tillvägagångssätten har fördelar och nackdelar som kommer som diskuteras i det följande. Arbetet är främst baserade på globala simulerade data från CASC i genomförandefasen av flödesbasen i Västeuropa.

Electricity market

Market coupling

CWE area

Flow Base

modeling

Mathematical Analysis

Matematisk analys

Framework and Tools for IT Security within Logistics and Infrastructure oriented Operations : With a focus on Static Application Security Testing

Seger, Elias, Schedin, Fredrick

January 2022

Static Application Security Testing Tools (SAST) is a security tool that claims to help with security in an IT system. Static Application Security Testing tools are technical solutions that operate within the continuous integration of the system. The tool uses frameworks such as OWASP and CWE to detect common vulnerabilities in the codebase by analysing code in the building and testing phase of continuous integration. The problem with SAST tools is that there are many different beliefs surrounding them. Some say they are crucial for security, while some believe they are less helpful and can even inhibit projects by introducing false positives. This thesis determines if SAST tools are an effective solution to security problems within in an IT system. The focus was on logistics- and infrastructure-oriented operations, which the partner company Triona operates within. We use literature review to look at previously similarly conducted research combined with interviews with experienced people within the fields. This gives qualitative results that coupled with previous research can be generalized. The results show that SAST tools are effective tools if used responsibly. Both the literature and interviews conclude that SAST tools are not enough on their own to satisfy the security requirements but must be combined with responsible use of the tools as well as code reviews and other types of testing. SAST tools are also shown to have some problems, mainly false positives, and false negatives. There are also problems related to the implementation of the tools. These problems are costs that comes with implementation, as well as the time spent on it. Other problems are bad communication with developer teams that led to developers not knowing what to do in case of errors shown by the tool. Interviews conducted provides information that SAST tools are not only tools for security but also helps with manageability of code bases.

SAST

Continuous integration

SonarQube

OWASP

CWE

Security tools

Information Systems

A Method for Recommending Computer-Security Training for Software Developers

Nadeem, Muhammad

12 August 2016

Vulnerable code may cause security breaches in software systems resulting in financial and reputation losses for the organizations in addition to loss of their customers’ confidential data. Delivering proper software security training to software developers is key to prevent such breaches. Conventional training methods do not take the code written by the developers over time into account, which makes these training sessions less effective. We propose a method for recommending computer–security training to help identify focused and narrow areas in which developers need training. The proposed method leverages the power of static analysis techniques, by using the flagged vulnerabilities in the source code as basis, to suggest the most appropriate training topics to different software developers. Moreover, it utilizes public vulnerability repositories as its knowledgebase to suggest community accepted solutions to different security problems. Such mitigation strategies are platform independent, giving further strength to the utility of the system. This research discussed the proposed architecture of the recommender system, case studies to validate the system architecture, tailored algorithms to improve the performance of the system, and human subject evaluation conducted to determine the usefulness of the system. Our evaluation suggests that the proposed system successfully retrieves relevant training articles from the public vulnerability repository. The human subjects found these articles to be suitable for training. The human subjects also found the proposed recommender system as effective as a commercial tool.

FindBugs

Static code analysis

Jaccard index

tf–idf

training

NVD

CWE

software vulnerabilities

software security

Recommender system

Drivers and Barriers to Circular Water Economy Implementation in Ohio

Hull, MacKenzie S.

January 2022

No description available.

Environmental Science

circular water economy

non-potable water

ohio

water reuse

green innovation

circular economy

CWE

semi-structured interviews

qualitative research

DNA微陣列基因多重檢定比較之問題

林雅惠, Ya-hui Lin

Unknown Date

在DNA微陣列基因的實驗中資料包括數千個cDNA 序列，為了要篩選出有差異表現基因，同時針對大量基因個數作假設檢定。若無適當地調整個別檢定問題中的誤差率，則將會膨脹整體的誤差率。在多重假設檢定中為了讓整體誤差率(familywise error rate, FWE)控制在設定水準下，必須調整個別假設檢定之個別型一誤差率CWE的檢定準則，此為多重比較方法(multiple comparison procedures：MCP)。然而當多重比較的個數增加時，控制整體誤差率FWE之傳統的多重比較方法會是過於嚴格的標準，不容易推翻虛無假設，使得檢定的結果太過保守。為了解決此現象，Benjamini and Hochberg(1995) 建議另一種錯誤率：錯誤發現率(false discovery rate：FDR)。錯誤發現率定義為在被拒絕之虛無假設中錯誤拒絕的比例之期望值。而Benjamini and Hochberg(1995)也在文中提出一個得以控制錯誤發現率的多重比較方法，稱為BH方法。本篇論文將詳盡地介紹CWE、FWE和FDR三種誤差率，並提出－修正BH的方法，稱為BH( )。我們將透過電腦模擬驗證出新的修正BH方法之表現比原BH方法有較高的檢定力，且從實例的結果中發現BH( )比原BH方法能檢測出更多的顯著個數。 關鍵字：個別型一誤差率(CWE)；整體誤差率(FWE)；多重比較方法(MCP)； 錯誤發現率(FDR)。 / cDNA microarray technology provides tools to study thousands of genes simultaneously. Since a large number of genes are compared, using a conventional significant test leads to the increase of the type I error rate. To avoid the inflation, the adjustment for multiplicity should be considered and a multiple comparison procedure (MCP) that controls the familywise error rate (FWE) is recommended. However, the conservativeness of a MCP that controls FWE becomes more and more severe as the number of comparisons (genes) increases. Instead of FWE, Benjamini and Hochberg (1995) recommended to control the expected proportion of falsely rejecting hypotheses—the false discovery rate (FDR)—and developed a MCP, which has its FDR under control. In this paper, the error rates CWE, FWE and FDR are fully introduced. A new MCP with FDR controlled is developed and its performance is investigated through intensive simulations. KEY WORDS：Comparison-wise error rate (CWE)；Familywise error rate (FWE)；Multiple comparison procedure (MCP)；False discovery rate (FDR).

個別型一誤差率

整體誤差率

多重比較方法

錯誤發現率

CWE

FWE

MCP

FDR

Simulação numérica de tornados usando o método dos elementos finitos

Aguirre, Miguel Angel

January 2017

O presente trabalho tem como objetivo estudar escoamentos de tornados e sua ação sobre corpos imersos empregando ferramentas numéricas da Engenharia do Vento Computacional (EVC). Os tornados constituem-se atualmente em uma das causas de desastres naturais no Brasil, especialmente nas regiões sul e sudeste do país, como também em alguns países vizinhos. Os efeitos gerados são geralmente localizados e de curta duração, podendo ser devastadores dependendo da escala do tornado. Tais características dificultam a realização de estudos detalhados a partir de eventos reais, o que levou ao desenvolvimento de modelos experimentais e numéricos. A abordagem numérica é utilizada neste trabalho para a simulação de tornados, a qual se baseia nas equações de Navier-Stokes e na equação de conservação de massa, considerando a hipótese de pseudo-compressibilidade e condições isotérmicas. Para escoamentos com turbulência utiliza-se a Simulação Direta de Grandes Escalas com o modelo clássico de Smagorinsky para as escalas inferiores à resolução da malha (Large Eddy Simulation ou LES em inglês). A discretização das equações fundamentais do escoamento se realiza com um esquema explícito de dois passos de Taylor-Galerkin, onde o Método dos Elementos Finitos é empregado na discretização espacial utilizando-se o elemento hexaédrico trilinear isoparamétrico com um ponto de integração e controle de modos espúrios Na presença de corpos imersos que se movem para simular os deslocamentos dos tornados, o escoamento é descrito cinematicamente através de uma formulação Arbitrária Lagrangeana-Euleriana (ALE) que inclui um esquema de movimento de malha. Tornados são reproduzidos através da simulação numérica de dispositivos experimentais e do Modelo de Vórtice Combinado de Rankine (RCVM). Exemplos clássicos da Dinâmica dos Fluidos Computacional são apresentados inicialmente para a verificação das ferramentas numéricas implementadas. Finalmente, problemas envolvendo tornados móveis e estacionários são analisados, incluindo sua ação sobre corpos imersos. Nos modelos baseados em experimentos, a variação da relação de redemoinho determinou os diferentes padrões de escoamento observados no laboratório. Nos exemplos de modelo de vórtice, quando o tornado impactou o corpo imerso gerou picos de forças em todas as direções e, após a passar pelo mesmo, produziu uma alteração significativa na estrutura do vórtice. / Analyses of tornado flows and its action on immersed bodies using numerical tools of Computational Wind Engineering (CWE) are the main aims of the present work. Tornadoes are currently one of the causes of natural disasters in Brazil, occurring more frequently in the southern and southeastern regions of the country, as well as in some neighboring countries. Effects are usually localized, presenting a short time interval, which can be devastating depending on the scale of the tornado. These characteristics difficult to carry out detailed studies based on real events, leading to the development of experimental and numerical models. The numerical approach is used in this work for the simulation of tornadoes, which is based on the Navier-Stokes equations and the mass conservation equation, considering the hypothesis of pseudo-compressibility and isothermal conditions. For turbulent flows, Large Eddy Simulation (LES) is used with the classical Smagorinsky model for sub-grid scales Discretization is performed the explicit two-step Taylor-Galerkin scheme, where the Finite Element Method is used in spatial discretization using isoparametric trilinear hexahedral elements with one-point quadrature and hourglass control. In the presence of immersed bodies that are moving in order to simulate translating tornadoes, the flow is kinematically described through a Lagrangian-Eulerian Arbitrary (ALE) formulation, which includes a mesh motion scheme. Tornadoes are reproduced using numerical simulation of experimental devices and the Rankine Combined Vortex Model (RCVM). Classical examples of Computational Fluid Dynamics are presented initially for the verification of the numerical tools implemented here. Finally, problems involving moving and stationary tornadoes are analyzed, including their actions on immersed bodies. For models based on experiments, the variation of the swirl ratio determined the different flow patterns observed in the laboratory. In the vortex model examples, when the tornado impacted on the immersed body, peaks of forces were generated in all directions and, after passing over it, a significant change in the structure of the vortex was produced.

Dinâmica dos fluidos computacional

Escoamento

Tornados

Simulação numérica

Computational Wind Engineering (CWE)

Finite Element Method (FEM)

Large Eddy Simulation (LES)

Tornadoes

Rankine Combined Vortex Model (RCVM)

Swirl Ratio