Security in applications is important, especially in web applications that handle confidential customer information and financial transactions, such as banking and e-commerce sites. A simple programming mistake can introduce a vulnerability into an application which, when exploited, can cause irreparable damage to the company and its stakeholders [1].
The most common vulnerabilities in web applications today stem from weak input validation. Attackers can submit specially crafted input that makes the application perform unintended actions: breaching confidential information stored on back-end servers, bringing the application down and denying service to legitimate users, revealing user credentials to the attacker, and so on. SQL injection and cross-site scripting are examples of such attacks, and both belong to the OWASP Top 10 web application security risks [2].
The paper describes a tool for probing Java applications for security vulnerabilities that stem from improperly validated user input, which the authors call tainted propagation problems. The tool performs a static analysis of the application's bytecode. It tries to determine possible sources of vulnerabilities within the application based on a detailed specification written in PQL, a program query language. Because the tool uses an improved object naming scheme and a more precise context-sensitive pointer analysis, it produces more accurate results with fewer false positives.
One of the strengths of the tool is that it can be used by developers during the development cycle itself, which in a way cuts development costs because it reduces the cost of activities such as code reviews. The authors also suggest that their approach could be used to implement the same kind of static analysis tool for other bytecode-based languages such as C#.
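To make the idea of a taint-propagation analysis concrete for both the injection attacks mentioned above and the source/sink specification the tool works from, here is a small worked example. It is added here and is not code from the paper or from the authors' tool: it models a PQL-style specification as three sets (sources, sinks, sanitizers), represents a Java method as a constructed straight-line three-address program, and runs a forward taint propagation over it. The method names (`getParameter`, `executeQuery`, `escapeHtml`, and so on) and the two sample programs are assumptions made for the example; the real tool works on bytecode with a pointer analysis, which this toy deliberately omits.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# A tiny taint specification in the spirit of a PQL query: which calls
# introduce untrusted data, which calls consume it dangerously, and which
# calls are trusted to neutralise it.  The method names are assumptions
# chosen for this example, not the paper's actual specification.
SPEC = {
    "sources": {"getParameter", "getHeader"},
    "sinks": {"executeQuery": "SQL injection", "println": "cross-site scripting"},
    "sanitizers": {"escapeHtml"},
}


@dataclass(frozen=True)
class Stmt:
    """One statement of a simplified three-address program."""
    op: str                     # "call" or "concat"
    dst: Optional[str]          # variable receiving the result, if any
    fn: Optional[str] = None    # callee for "call" statements
    args: Tuple[str, ...] = ()  # variable names or quoted string literals


# (line number, sink name, vulnerability kind, sources reaching the sink)
Finding = Tuple[int, str, str, FrozenSet[str]]


def analyze(program: List[Stmt], spec: Dict = SPEC) -> List[Finding]:
    """Forward, flow-sensitive taint propagation over straight-line code.
    Each variable maps to the set of source calls whose data reaches it;
    a finding is recorded when a sink receives a tainted argument."""
    taint: Dict[str, FrozenSet[str]] = {}
    findings: List[Finding] = []

    def labels_of(args: Tuple[str, ...]) -> FrozenSet[str]:
        # Quoted literals are never in `taint`, so they contribute nothing.
        return frozenset().union(*(taint.get(a, frozenset()) for a in args))

    for line_no, s in enumerate(program, 1):
        if s.op == "concat":
            # Derivation rule: string building carries taint from any operand.
            taint[s.dst] = labels_of(s.args)
        elif s.op == "call":
            if s.fn in spec["sinks"]:
                reaching = labels_of(s.args)
                if reaching:
                    findings.append((line_no, s.fn, spec["sinks"][s.fn], reaching))
            elif s.dst is not None:
                if s.fn in spec["sources"]:
                    taint[s.dst] = frozenset({s.fn})
                elif s.fn in spec["sanitizers"]:
                    taint[s.dst] = frozenset()
                else:
                    # Unknown callee: conservatively assume its result carries
                    # whatever taint its arguments carry (over-approximate).
                    taint[s.dst] = labels_of(s.args)
        else:
            raise ValueError(f"unknown op {s.op!r} at line {line_no}")
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Render findings as one human-readable line each."""
    return [f"line {ln}: {kind} via {sink}() fed by {', '.join(sorted(srcs))}"
            for ln, sink, kind, srcs in findings]


# Constructed sample: the classic vulnerable pattern, untrusted request data
# concatenated into the SQL text and then echoed back to the page unencoded.
VULNERABLE = [
    Stmt("call", "name", "getParameter", ('"user"',)),
    Stmt("concat", "query", args=('"SELECT * FROM users WHERE name=\'"', "name", '"\'"')),
    Stmt("call", "rows", "executeQuery", ("query",)),
    Stmt("call", None, "println", ("name",)),
]

# Constructed sample: the same logic hardened.  The query text is a constant
# and the untrusted value is bound as a parameter (setString is neither a
# derivation nor a sink, because binding never becomes SQL text), and the
# value is passed through an output encoder before being written to the page.
HARDENED = [
    Stmt("call", "name", "getParameter", ('"user"',)),
    Stmt("call", "ps", "prepareStatement", ('"SELECT * FROM users WHERE name=?"',)),
    Stmt("call", None, "setString", ("ps", '"1"', "name")),
    Stmt("call", "rows", "executeQuery", ("ps",)),
    Stmt("call", "safe", "escapeHtml", ("name",)),
    Stmt("call", None, "println", ("safe",)),
]


if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{label}: {report(analyze(prog)) or ['no findings']}")
```

Running it reports two findings for the vulnerable program (SQL injection at the `executeQuery` sink and cross-site scripting at the `println` sink, both traced back to `getParameter`) and none for the hardened one. The unknown-callee rule is what keeps the analysis sound at the cost of false positives; the paper's contribution is precisely in shrinking that over-approximation with better object naming and context-sensitive pointer analysis.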
REFERENCES
[1] V. Benjamin Livshits and Monica S. Lam. Finding Security Vulnerabilities in Java Applications using Static Analysis. Proceedings of the 14th USENIX Security Symposium, 2005.
[2] OWASP Top 10 – 2010: The Ten Most Critical Web Application Security Risks. The Open Web Application Security Project. www.owasp.org