poster

High false positive detection of security vulnerabilities: a case study

Authors:

Muhammad Nadeem,

Byron J. Williams,

Edward B. AllenAuthors Info & Claims

ACMSE '12: Proceedings of the 50th annual ACM Southeast Conference

Pages 359 - 360

https://doi.org/10.1145/2184512.2184604

Published: 29 March 2012 Publication History

Get Access

Abstract

Static code analysis is an emerging technique for secure software development that analyzes large software code bases without execution to reveal potential vulnerabilities present in the code. These vulnerabilities include but are not limited to SQL injections, buffer overflows, cross site scripting, improper security settings, and information leakage.

Software developers can spend many man-hours to track and fix the flagged vulnerabilities. Surveys show that a high percentage of discovered vulnerabilities are actually false positives.

This paper presents a case study that found that context information regarding libraries could account for many of the false positives. We suggest future research incorporate context information into static analysis tools for security.

References

[1]

Austin, A. and Williams, L. 2011. One Technique is Not Enough: A Comparison of Vulnerability Discovery Techniques, In Proceedings of the 5th International Symposium on Empirical Software Engineering and Measurement (Banff, Canada, September 22-23, 2011). ESEM '11. CPS, Los Alamitos, CA, 97--106. DOI= http://dx.doi.org/10.1109/ESEM.2011.18.

Digital Library

Google Scholar

[2]

Bessey, A., Block, K., Chelf, B., Chou, A., Fulton, B., Hallem, S., Henri-Gros, C., Kamsky, A., McPeak S. and Engller, D. 2010. A few billion lines of code later: using static Analysis to find Bugs in the Real World, Communications of the ACM, 53, 2, (Feb. 2010), 66--75. DOI= http://dx.doi.org/10.1145/1646353.1646374

Digital Library

Google Scholar

[3]

Zheng, J., Williams, L., Nagappan, N., Snipes, W., Hudepohl, J. P. and Vouk, M. A. 2006. On the Value of Static Analysis for Fault Detection in Software. IEEE Transactions on Software Engineering, 32, 4 (Apr. 2006), 240--253. DOI= http://dx.doi.org/10.1109/TSE.2006.38

Digital Library

Google Scholar

[4]

Howard, M., LeBlanc, D., and Viega, J. 2005. 19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them, The McGraw-Hill, Emeryville, California, USA.

Digital Library

Google Scholar

[5]

List of static code analysis tools; http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

Google Scholar

[6]

FindBugs TM. Find bugs in Java Programs; http://findbugs.sourceforge.net/

Google Scholar

[7]

The electronic Clinician Health Record; http://www.tolven.org/echr.html

Google Scholar

[8]

Open EMR; http://www.oemr.org/

Google Scholar

Cited By

View all

Li DLiu YHuang J(2024)Assessment of Software Vulnerability Contributing Factors by Model-Agnostic Explainable AIMachine Learning and Knowledge Extraction10.3390/make60200506:2(1087-1113)Online publication date: 16-May-2024
https://doi.org/10.3390/make6020050
Aladics THegedűs PFerenc R(2024)A Comparative Study of Commit Representations for JIT Vulnerability PredictionComputers10.3390/computers1301002213:1(22)Online publication date: 11-Jan-2024
https://doi.org/10.3390/computers13010022
Murali AMathews NAlfadel MNagappan MXu MRoychoudhury APaiva AAbreu RStorey M(2024)FuzzSlice: Pruning False Positives in Static Analysis Warnings through Function-Level FuzzingProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3623321(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3623321
Show More Cited By

Index Terms

High false positive detection of security vulnerabilities: a case study
1. Security and privacy
  1. Systems security
    1. Information flow control
    2. Operating systems security

Recommendations

Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services
PRDC '09: Proceedings of the 2009 15th IEEE Pacific Rim International Symposium on Dependable Computing

Web services are becoming business-critical components that must provide a non-vulnerable interface to the client applications. However, previous research and practice show that many web services are deployed with critical vulnerabilities. SQL Injection ...
A Survey on Denial of Service Attacks and Preclusions
ICIA-16: Proceedings of the International Conference on Informatics and Analytics

Security is concerned with protecting assets. The aspects of security can be applied to any situation- defense, detection and deterrence. Network security plays important role of protecting information, hardware and software on a computer network. ...
A Production Model System for Detecting Vulnerabilities in the Software Source Code
SIN '15: Proceedings of the 8th International Conference on Security of Information and Networks

This paper is devoted to static analysis of the software code security. We suggest using heuristic static code analysis to detect a full spectrum of vulnerabilities, including backdoors. Production rules are suggested for use to formalize heuristics for ...

Comments

Information & Contributors

Information

Published In

ACMSE '12: Proceedings of the 50th annual ACM Southeast Conference

March 2012

424 pages

ISBN:9781450312035

DOI:10.1145/2184512

Conference Chair:
Randy K. Smith
University of Alabama
,
Program Chair:
Susan V. Vrbsky
University of Alabama

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 29 March 2012

Check for updates

Author Tags

Qualifiers

Poster

Conference

ACM SE '12

Sponsor:

ACM SE '12: ACM Southeast Regional Conference

March 29 - 31, 2012

Alabama, Tuscaloosa

Acceptance Rates

ACMSE '12 Paper Acceptance Rate 28 of 56 submissions, 50%;

Overall Acceptance Rate 502 of 1,023 submissions, 49%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

11
Total Citations
View Citations
372
Total Downloads

Downloads (Last 12 months)21
Downloads (Last 6 weeks)4

Reflects downloads up to 10 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Li DLiu YHuang J(2024)Assessment of Software Vulnerability Contributing Factors by Model-Agnostic Explainable AIMachine Learning and Knowledge Extraction10.3390/make60200506:2(1087-1113)Online publication date: 16-May-2024
https://doi.org/10.3390/make6020050
Aladics THegedűs PFerenc R(2024)A Comparative Study of Commit Representations for JIT Vulnerability PredictionComputers10.3390/computers1301002213:1(22)Online publication date: 11-Jan-2024
https://doi.org/10.3390/computers13010022
Murali AMathews NAlfadel MNagappan MXu MRoychoudhury APaiva AAbreu RStorey M(2024)FuzzSlice: Pruning False Positives in Static Analysis Warnings through Function-Level FuzzingProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3623321(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3623321
Guo ZTan TLiu SLiu XLai WYang YLi YChen LDong WZhou Y(2023)Mitigating False Positive Static Analysis Warnings: Progress, Challenges, and OpportunitiesIEEE Transactions on Software Engineering10.1109/TSE.2023.332966749:12(5154-5188)Online publication date: 2-Nov-2023
https://dl.acm.org/doi/10.1109/TSE.2023.3329667
Sultana KAnu VChong T(2023)Using software metrics for predicting vulnerable classes in java and python based systemsInformation Security Journal: A Global Perspective10.1080/19393555.2023.224034333:3(251-267)Online publication date: 28-Jul-2023
https://doi.org/10.1080/19393555.2023.2240343
Voggenreiter MSchopp U(2022)Using a Semantic Knowledge Base to Improve the Management of Security Reports in Industrial DevOps Projects2022 IEEE/ACM 44th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)10.1109/ICSE-SEIP55303.2022.9794072(309-310)Online publication date: May-2022
https://doi.org/10.1109/ICSE-SEIP55303.2022.9794072
Sultana KAnu VChong T(2021)Using software metrics for predicting vulnerable classes and methods in Java projectsJournal of Software: Evolution and Process10.1002/smr.230333:3Online publication date: 3-Mar-2021
https://dl.acm.org/doi/10.1002/smr.2303
Imtiaz NRahman AFarhana EWilliams LStorey MAdams BHaiduc S(2019)Challenges with responding to static analysis tool alertsProceedings of the 16th International Conference on Mining Software Repositories10.1109/MSR.2019.00049(245-249)Online publication date: 26-May-2019
https://dl.acm.org/doi/10.1109/MSR.2019.00049
Reynolds ZJayanth AKoc UPorter ARaje RHill JShukla RSen SBishop JBreitman K(2017)Identifying and documenting false positive patterns generated by static code analysis toolsProceedings of the 4th International Workshop on Software Engineering Research and Industrial Practice10.1109/SER-IP.2017..20(55-61)Online publication date: 20-May-2017
https://dl.acm.org/doi/10.1109/SER-IP.2017..20
Sampaio LGarcia A(2016)Exploring context-sensitive data flow analysis for early vulnerability detectionJournal of Systems and Software10.1016/j.jss.2015.12.021113:C(337-361)Online publication date: 1-Mar-2016
https://dl.acm.org/doi/10.1016/j.jss.2015.12.021
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services

A Survey on Denial of Service Attacks and Preclusions

A Production Model System for Detecting Vulnerabilities in the Software Source Code

Comments

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services

A Survey on Denial of Service Attacks and Preclusions

A Production Model System for Detecting Vulnerabilities in the Software Source Code

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations