Delta-Bench: Differential Benchmark for Static Analysis Security Testing Tools

2017 ◽  
Author(s):  
Ivan Pashchenko ◽  
Stanislav Dashevskyi ◽  
Fabio Massacci
Keyword(s):  
Static Analysis ◽  
Security Testing ◽  
Testing Tools

scholarly journals AndroShield: Automated Android Applications Vulnerability Detection, a Hybrid Static and Dynamic Analysis Approach

Information ◽  
2019 ◽  
Vol 10 (10) ◽  
pp. 326 ◽  
Author(s):  
Amr Amin ◽  
Amgad Eldessouki ◽  
Menna Tullah Magdy ◽  
Nouran Abdeen ◽  
Hanan Hindy ◽  
...  
Keyword(s):  
Dynamic Analysis ◽  
Static Analysis ◽  
Mobile Applications ◽  
Web Application ◽  
Hybrid Approach ◽  
High Rate ◽  
Vulnerability Detection ◽  
Security Testing ◽  
Static And Dynamic Analysis ◽  
Android Applications

The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution.

DETECTING SERVER-SIDE ENDPOINTS IN WEB APPLICATIONS BASED ON STATIC ANALYSIS OF CLIENT-SIDE JavaScript CODE

2021 ◽  
pp. 32-54
Author(s):  
D. A. Sigalov ◽  
◽  
A. A. Khashaev ◽  
D. Yu. Gamayunov ◽  
◽  
...  
Keyword(s):  
Static Analysis ◽  
Web Application ◽  
Web Applications ◽  
Security Analysis ◽  
Endpoint Detection ◽  
Security Testing ◽  
Application Security ◽  
Server Side ◽  
Dynamic Web ◽  
Client Side

The problem of server-side endpoint detection in the context of blackbox security analysis of dynamic web applications is considered. We propose a method to increase coverage of server-side endpoint detection using static analysis of client-side JavaScript code to find functions which generate HTTP requests to the server-side of the application and reconstruct parameters for those functions. In the context of application security testing, static analysis allows to find such functions even in dead or unreachable JavaScript code, which cannot be achieved by dynamic crawling or dynamic code analysis. Evaluation of the proposed method and its implementation has been done using synthetic web application with endpoints vulnerable to SQL injections, and the same application was used to compare the proposed method with existing solutions. Evaluation results show that adding JavaScript static analysis to traditional dynamic crawling of web applications may significantly improve server-side endpoint coverage in blackbox application security analysis.

Random GUI Testing of Android Application Using Behavioral Model

2017 ◽  
Vol 27 (09n10) ◽  
pp. 1603-1612 ◽  
Author(s):  
Woramet Muangsiri ◽  
Shingo Takada
Keyword(s):  
Static Analysis ◽  
State Of The Art ◽  
Evaluation Criteria ◽  
Behavioral Model ◽  
Code Coverage ◽  
Gui Testing ◽  
Testing Tools ◽  
Current State ◽  
Android Applications ◽  
Manual Testing

Automated GUI testing based on behavioral model is one of the most efficient testing approaches. By mining user usage, test scenarios can be generated based on statistical models such as Markov chain. However, these works require static analysis before starting the exploration which requires too much prerequisites and time. To address these challenges, we propose a behavioral-based GUI testing approach for mobile applications that achieves faster and higher coverage. The proposed approach does not conduct static analysis. It creates a behavioral model from usage logs by applying a statistical model. The events within the behavioral model are mapped to GUI components in a GUI tree. Finally, it updates the model dynamically to increase the probability of an event that rarely or never occurs when users use the application. The proposed approach was evaluated on four open-source Android applications, and compared with the state-of-the-art tools and manual testing. The main evaluation criteria are code coverage and ability to find errors. The proposed approach performed better than the current state-of-the-art automated testing tools in most aspects.

scholarly journals On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

2020 ◽  
Vol 10 (24) ◽  
pp. 9119
Author(s):  
Francesc Mateo Tudela ◽  
Juan-Ramón Bermejo Higuera ◽  
Javier Bermejo Higuera ◽  
Juan-Antonio Sicilia Montalvo ◽  
Michael I. Argyros
Keyword(s):  
Web Applications ◽  
Security Analysis ◽  
False Positives ◽  
Vulnerability Detection ◽  
Security Testing ◽  
Security Vulnerabilities ◽  
Security Vulnerability ◽  
Interactive Analysis ◽  
Testing Tools ◽  
Analysis Tools

The design of the techniques and algorithms used by the static, dynamic and interactive security testing tools differ. Therefore, each tool detects to a greater or lesser extent each type of vulnerability for which they are designed for. In addition, their different designs mean that they have different percentages of false positives. In order to take advantage of the possible synergies that different analysis tools types may have, this paper combines several static, dynamic and interactive analysis security testing tools—static white box security analysis (SAST), dynamic black box security analysis (DAST) and interactive white box security analysis (IAST), respectively. The aim is to investigate how to improve the effectiveness of security vulnerability detection while reducing the number of false positives. Specifically, two static, two dynamic and two interactive security analysis tools will be combined to study their behavior using a specific benchmark for OWASP Top Ten security vulnerabilities and taking into account various scenarios of different criticality in terms of the applications analyzed. Finally, this study analyzes and discuss the values of the selected metrics applied to the results for each n-tools combination.

Sign in / Sign up

Export Citation Format

Share Document