Verktyg för säker kodning : En jämförande studie / Tools for secure coding : A comparative study

Fransson, Robin, Hiltunen, Tommi

January 2023

Bakgrund I dagens programvara finns det problem som försämrar kvaliteten hos system och ökar kostnaderna. Det är viktigt att tänka på säkerheten redan under programmeringsfasen för att underlätta underhåll. The Open Web Application Security Project (OWASP) erbjuder dokument, verktyg och projekt för att skapa och underhålla produkter på ett säkrare sätt. För att upptäcka säkerhetsproblem i koden kan verktyg för Static Application Security Testing (SAST) användas. SAST-verktyg kan rapportera både false negatives och false positives, därför är det viktigt att undersöka hur precisa verktygen är i sin rapportering. Syfte Studien ämnar kartlägga vilka SAST-verktyg utvecklare kan ta hjälp av för att skriva säkrare kod. Undersökningen skall även jämföra hur bra de är på att hitta sårbarheter i kod och hur stort antal false positives de rapporterar. Metod En sökning gjordes för att samla information om vilka SAST-verktyg som finns tillgängliga och en lista sammanställdes med krav för att kunna genomföra likvärdiga tester. För att utföra testerna användes kod med planterade sårbarheter och resultaten från testerna genererade kvantitativa data som fördes in i en tabell. Resultat I studiens resultat kartlades tolv SAST-verktyg. Från dessa valdes HCL AppScan CodeSweep, Snyk och SonarLint ut för vidare testning. Därefter beräknades recall, precision och false positives för verktygen. Snyk hade 71,43% på både recall och precision och 33,33% false positives. HCL AppScan CodeSweep hade 28,57% på recall, 57,14% på precision och 25% på false positives. SonarLint hittade inga sårbarheter och blev därav inte analyserat. Slutsatser Studien kartlade tolv olika SAST-verktyg och valde tre för likvärdiga tester av JavaScript i Visual Studio Code. Resultaten visade att Snyk presterade bäst gällande rapportering av sårbarheter och hade högre resultat gällande precision, medan HCL AppScan CodeSweep presterade bäst på att undvika false positives. Överlag anses Snyk vara studiens bästa SAST-verktyg då det hade högst resultat på både recall och precision. / Background In today's software, there are issues that degrade system quality and increase costs. It is important to consider security during the programming phase to facilitate maintenance. The Open Web Application Security Project (OWASP) provides documentation, tools, and projects to create and maintain products in a more secure manner. To detect security issues in the code, tools for Static Application Security Testing (SAST) can be used. SAST-tools can report both false negatives and false positives, so it is important to investigate the accuracy of the tools in their reporting. Aim The study aims to map which SAST-tools developers can utilize to write more secure code. The investigation will also compare their effectiveness inidentifying vulnerabilities in code and the numberof false positives they report. Method A search was conducted to gather information on available SAST-tools, and a list was compiled with requirements to perform equivalent tests. To carry out the tests, code with planted vulnerabilities was used, and the test results generated quantitative data that were entered into a table. Results The study's results mapped twelve SAST-tools. From these, HCL AppScan CodeSweep, Snyk, and SonarLint were selected for further testing. Then, the recall, precision, and false positives were calculated for the tools. Snyk achieved 71.43% for both recall and precision and had 33.33% false positives. HCL AppScan CodeSweep achieved 28.57% recall, 57.14% precision, and 25% false positives. SonarLint did not find any vulnerabilities and was therefore not analyzed. Conclusions The study surveyed twelve different SAST-tools and selected three for tests on JavaScript in Visual Studio Code. The results showed that Snyk performed the best in terms of vulnerability reporting and achieved higher precision results, while HCL AppScan CodeSweep excelled in avoiding false positives. Overall, Snyk is considered the best SAST-tool in the study as it had the highest results in both recall and precision.

OWASP

CVSS

SAST

CWE

false positive

false negative

SAST-tools

OWASP

CVSS

SAST

CWE

false positive

false nega- tive

SAST-verktyg

Information Systems

Secure Application Development / Static Application Security Testing (SAST)

Alwan, Alaa

January 2022

Security testing is a widely applied measure to evaluate and improve software security by identifying vulnerabilities and ensuring security requirements related to properties like confidentiality, integrity, and availability. A confidentiality policy guarantees that attackers will not be able to expose secret information. In the context of software programs, the output that attackers observe will not carry any information about the confidential input information. Integrity is the dual of confidentiality, i.e., unauthorized and untrusted data provided to the system will not affect or modify the system’s data. Availability means that systems must be available at a reasonable time. Information flow control is a mechanism to enforce confidentiality and integrity. An accurate security assessment is critical in an age when the open nature of modern software-based systems makes them vulnerable to exploitation. Security testing that verifies and validates software systems is prone to false positives, false negatives, and other such errors, requiring more resilient tools to provide an efficient way to evaluate the threats and vulnerabilities of a given system. Therefore, the newly developed tool Reax controls information flow in Java programs by synthesizing conditions under which a method or an application is secure. Reax is a command-line application, and it is hard to be used by developers. This project has its primary goal to integrate Reax by introducing a plugin for Java IDEs to perform an advanced analysis of security flaws. Specifically, by design, a graphical plugin performs advanced security analysis that detects and reacts directly to security flaws within the graphical widget toolkit environment (SWT). The project proposed a new algorithm to find the root cause of security violations through a graphical interface as a second important goal. As a result, developers will be able to detect security violations and fix their code during the implementation phase, reducing costs.

secure development

application security

static application security testing

SAST

Computer Systems

Datorsystem

Framework and Tools for IT Security within Logistics and Infrastructure oriented Operations : With a focus on Static Application Security Testing

Seger, Elias, Schedin, Fredrick

January 2022

Static Application Security Testing Tools (SAST) is a security tool that claims to help with security in an IT system. Static Application Security Testing tools are technical solutions that operate within the continuous integration of the system. The tool uses frameworks such as OWASP and CWE to detect common vulnerabilities in the codebase by analysing code in the building and testing phase of continuous integration. The problem with SAST tools is that there are many different beliefs surrounding them. Some say they are crucial for security, while some believe they are less helpful and can even inhibit projects by introducing false positives. This thesis determines if SAST tools are an effective solution to security problems within in an IT system. The focus was on logistics- and infrastructure-oriented operations, which the partner company Triona operates within. We use literature review to look at previously similarly conducted research combined with interviews with experienced people within the fields. This gives qualitative results that coupled with previous research can be generalized. The results show that SAST tools are effective tools if used responsibly. Both the literature and interviews conclude that SAST tools are not enough on their own to satisfy the security requirements but must be combined with responsible use of the tools as well as code reviews and other types of testing. SAST tools are also shown to have some problems, mainly false positives, and false negatives. There are also problems related to the implementation of the tools. These problems are costs that comes with implementation, as well as the time spent on it. Other problems are bad communication with developer teams that led to developers not knowing what to do in case of errors shown by the tool. Interviews conducted provides information that SAST tools are not only tools for security but also helps with manageability of code bases.

SAST

Continuous integration

SonarQube

OWASP

CWE

Security tools

Information Systems

Feature Set Selection for Improved Classification of Static Analysis Alerts

Goeschel, Kathleen

01 January 2019

With the extreme growth in third party cloud applications, increased exposure of applications to the internet, and the impact of successful breaches, improving the security of software being produced is imperative. Static analysis tools can alert to quality and security vulnerabilities of an application; however, they present developers and analysts with a high rate of false positives and unactionable alerts. This problem may lead to the loss of confidence in the scanning tools, possibly resulting in the tools not being used. The discontinued use of these tools may increase the likelihood of insecure software being released into production. Insecure software can be successfully attacked resulting in the compromise of one or several information security principles such as confidentiality, availability, and integrity. Feature selection methods have the potential to improve the classification of static analysis alerts and thereby reduce the false positive rates. Thus, the goal of this research effort was to improve the classification of static analysis alerts by proposing and testing a novel method leveraging feature selection. The proposed model was developed and subsequently tested on three open source PHP applications spanning several years. The results were compared to a classification model utilizing all features to gauge the classification improvement of the feature selection model. The model presented did result in the improved classification accuracy and reduction of the false positive rate on a reduced feature set. This work contributes a real-world static analysis dataset based upon three open source PHP applications. It also enhanced an existing data set generation framework to include additional predictive software features. However, the main contribution is a feature selection methodology that may be used to discover optimal feature sets that increase the classification accuracy of static analysis alerts.

feature selection

information security

SAST

software security

software testing

static analysis

Artificial Intelligence and Robotics

Computer Sciences

Databases and Information Systems

Physical Sciences and Mathematics

Response of concrete pavements under moving vehicular loads and environmental effects

Darestani, Mostafa Yousefi

January 2007

The need for modern transportation systems together with the high demand for sustainable pavements under applied loads have led to a great deal of research on concrete pavements worldwide. Development of finite element techniques enabled researchers to analyse the concrete pavement under a combination of axle group loadings and environmental effects. Consequently, mechanistic approaches for designing of concrete pavements were developed based on results of finite element analyses. However, unpredictable failure modes of concrete pavements associated with expensive maintenance and rehabilitation costs have led to the use of empiricalmechanistic approach in concrete pavement design. Despite progressive knowledge of concrete pavement behaviour under applied loads, concrete pavements still suffer from deterioration due to crack initiation and propagation, indicating the need for further research. Cracks can be related to fatigue of the concrete and/or erosion of materials in sub-layers. Although longitudinal, midedge and corner cracks are the most common damage modes in concrete pavements, Austroads method for concrete pavement design was developed based on traditional mid-edge bottom-up transverse cracking introduced by Packard and Tayabji (1985). Research presented in this thesis aims to address the most common fatigue related distresses in concrete pavements. It uses comprehensive finite element models and analyses to determine the structural behaviour of concrete pavements under vehicular loads and environmental effects. Results of this research are supported by laboratory tests and an experimental field test. Results of this research indicate that the induced tensile stresses within the concrete pavement are significantly affected by vehicle speed, differential temperature gradient and loss of moisture content. Subsequently, the interaction between the above mentioned factors and concrete damage modes are discussed. Typical dynamic amplifications of different axle groups are presented. A new fatigue test setup is also developed to take into consideration effects of pavement curvature on fatigue life of the concrete. Ultimately, results of the research presented in this thesis are employed to develop a new guide for designing concrete pavements with zero maintenance of fatigue damage.

dynamic analysis

dynamic amplification

finite element analysis

finite element model

static analysis

axle group loads

critical axle group configuration

critical position of axle groups

tyre pavement interaction

stress distribution

fatigue failure

concrete pavement distresses

corner cracking

longitudinal cracking

transverse cracking

top-down cracking

bottom-up cracking

boundary conditions

debonding layer

temperature effects

loss of moisture contents

shrinkage effects

curling induced stress

warping stress

pavement curvature

field test

laboratory text

experimental study

truck load

JPCP

JRCP

CRCP

SAST

SADT

TAST

TADT

TRDT

QADT