Nytro Posted January 7, 2013 Report Posted January 7, 2013 Using Interactive Static Analysis For Early Detection Of Software Vulnerabilities Description: AbstractWe present our work of using interactive static analysis to improve upon static analysis techniques by introducing a new mixed-initiative paradigm for interacting with developers to aid in the detection and prevention of security vulnerabilities. The key difference between our approach and standard static analysis is interaction with the developers. Specifically, our approach is predicated on the following principles:• Secure programming support should be targeted towards general developers who understand the application logic, but may have limited knowledge of secure programming;• Secure programming support should be provided while the code is being developed, integrated into the development tools;• Secure programming support should reduce the workload in detecting and resolving vulnerabilities; and• Developers should be able to provide feedback about the application context that can drive customized security analysis.We have performed evaluations of our approach using an active open source project, Apache Roller. Our results shows that interactive data flow analysis can potential reduce the effort of finding and fixing vulnerabilities by as much as 50%. Using interactive control flow analysis, we found cross request forgery vulnerabilities in current Roller release. The Roller team issued patches based on our report (CVE-2012-2380). We have also performed user studies, both for students and for professional developers with promising results. For example, preliminary data suggests that using ASIDE students, who do not have secure programming training, can write much more secure code. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Using Interactive Static Analysis for Early Detection of Software Vulnerabilities - Bill Chu on VimeoSursa: Using Interactive Static Analysis For Early Detection Of Software Vulnerabilities Quote
