A case study in detecting software security vulnerabilities using constraint optimization

Identification and Removal of Software Security Vulnerabilities using Source Code Analysis: A Case Study on a Java File Writer Program with Password Validation Features

Journal of Software ◽

10.4304/jsw.8.10.2412-2424 ◽

2013 ◽

Vol 8 (10) ◽

Author(s):

Natarajan Meghanathan

Keyword(s):

Software Security ◽

Source Code ◽

Security Vulnerabilities ◽

Source Code Analysis ◽

Code Analysis

Download Full-text

On the adoption of static analysis for software security assessment–A case study of an open-source e-government project

Computers & Security ◽

10.1016/j.cose.2021.102470 ◽

2021 ◽

Vol 111 ◽

pp. 102470

Author(s):

Anh Nguyen-Duc ◽

Manh Viet Do ◽

Quan Luong Hong ◽

Kiem Nguyen Khac ◽

Anh Nguyen Quang

Keyword(s):

Open Source ◽

Static Analysis ◽

Software Security ◽

Security Assessment ◽

Government Project

Download Full-text

CONFU

Security-Aware Systems Applications and Software Development Methods ◽

10.4018/978-1-4666-1580-9.ch009 ◽

2012 ◽

pp. 152-167

Author(s):

Huning Dai ◽

Christian Murphy ◽

Gail E. Kaiser

Keyword(s):

Case Studies ◽

Software Security ◽

Performance Evaluations ◽

Testing Technique ◽

Security Vulnerabilities ◽

Testing Framework ◽

Testing Methodology ◽

Fuzz Testing ◽

Runtime Environment ◽

Semantic Validity

Many software security vulnerabilities only reveal themselves under certain conditions, that is, particular configurations and inputs together with a certain runtime environment. One approach to detecting these vulnerabilities is fuzz testing. However, typical fuzz testing makes no guarantees regarding the syntactic and semantic validity of the input, or of how much of the input space will be explored. To address these problems, the authors present a new testing methodology called Configuration Fuzzing. Configuration Fuzzing is a technique whereby the configuration of the running application is mutated at certain execution points to check for vulnerabilities that only arise in certain conditions. As the application runs in the deployment environment, this testing technique continuously fuzzes the configuration and checks “security invariants’’ that, if violated, indicate vulnerability. This paper discusses the approach and introduces a prototype framework called ConFu (CONfiguration FUzzing testing framework) for implementation. Additionally, the results of case studies that demonstrate the approach’s feasibility are presented along with performance evaluations.

Download Full-text

A Case Study on Testing for Software Security

Advanced Automated Software Testing ◽

10.4018/978-1-4666-0089-8.ch005 ◽

2012 ◽

pp. 89-112

Author(s):

Natarajan Meghanathan ◽

Alexander Roy Geoghegan

Keyword(s):

Software Security ◽

Denial Of Service ◽

Source Code ◽

Code Analysis ◽

Software Vulnerabilities ◽

Static Code Analysis ◽

Software Program ◽

Automated Tools ◽

High Level

The high-level contribution of this book chapter is to illustrate how to conduct static code analysis of a software program and mitigate the vulnerabilities associated with the program. The automated tools used to test for software security are the Source Code Analyzer and Audit Workbench, developed by Fortify, Inc. The first two sections of the chapter are comprised of (i) An introduction to Static Code Analysis and its usefulness in testing for Software Security and (ii) An introduction to the Source Code Analyzer and the Audit Workbench tools and how to use them to conduct static code analysis. The authors then present a detailed case study of static code analysis conducted on a File Reader program (developed in Java) using these automated tools. The specific software vulnerabilities that are discovered, analyzed, and mitigated include: (i) Denial of Service, (ii) System Information Leak, (iii) Unreleased Resource (in the context of Streams), and (iv) Path Manipulation. The authors discuss the potential risk in having each of these vulnerabilities in a software program and provide the solutions (and the Java code) to mitigate these vulnerabilities. The proposed solutions for each of these four vulnerabilities are more generic and could be used to correct such vulnerabilities in software developed in any other programming language.

Download Full-text

Survey of Vulnerabilities and Mitigation Techniques for Mooc-Based Applications

International Journal of Secure Software Engineering ◽

10.4018/ijsse.2016100101 ◽

2016 ◽

Vol 7 (4) ◽

pp. 1-18 ◽

Cited By ~ 1

Author(s):

Hossain Shahriar ◽

Hisham M. Haddad ◽

David Lebron ◽

Rubana Lupu

Keyword(s):

Open Source Software ◽

Exploratory Study ◽

Online Courses ◽

Software Security ◽

Low Cost ◽

Massive Open Online Courses ◽

Massive Open Online ◽

Security Vulnerabilities ◽

Cloud Environments ◽

Mitigation Techniques

Massive Open Online Courses (MOOCs) are commonly hosted as web servers for learners worldwide to access education and learning materials at low cost. Many of the well-known MOOCs have adopted open source software and database technologies and frequently operate within cloud environments. It is likely that the well-known software security vulnerabilities may manifest to MOOC-based applications. Unfortunately, few studies have identified a set of common vulnerabilities applicable to MOOC-based applications. This paper1 presents an exploratory study of potential security vulnerabilities and challenges for MOOC platforms, and it provide some guidelines and suggestions to mitigate these concerns. This study helps practitioners (educators and developers) to adopt MOOC applications while considering potential vulnerabilities and be prepared to deal with these risks.

Download Full-text

A Tagging Approach to Extract Security Requirements in Non-Traditional Software Development Processes

International Journal of Secure Software Engineering ◽

10.4018/ijsse.2014100102 ◽

2014 ◽

Vol 5 (4) ◽

pp. 31-47 ◽

Cited By ~ 2

Author(s):

Annette Tetmeyer ◽

Daniel Hein ◽

Hossein Saiedian

Keyword(s):

Software Development ◽

Software Security ◽

Security Requirements ◽

Software Systems ◽

Small Organizations ◽

Pos Tagging ◽

Part Of Speech ◽

Security Requirements Engineering ◽

Development Processes

While software security has become an expectation, stakeholders often have difficulty expressing such expectations. Elaborate (and expensive) frameworks to identify, analyze, validate and incorporate security requirements for large software systems (and organizations) have been proposed, however, small organizations working within short development lifecycles and minimal resources cannot justify such frameworks and often need a light and practical approach to security requirements engineering that can be easily integrated into their existing development processes. This work presents an approach for eliciting, analyzing, prioritizing and developing security requirements which can be integrated into existing software development lifecycles for small organizations. The approach is based on identifying candidate security goals using part of speech (POS) tagging, categorizing security goals based on canonical security definitions, and understanding the stakeholder goals to develop preliminary security requirements and to prioritize them. It uses a case study to validate the feasibility and effectiveness of the proposed approach.

Download Full-text