José Fonseca | Universidade de Coimbra (original) (raw)
Papers by José Fonseca
Proceedings - 13th Pacific Rim International Symposium on Dependable Computing, PRDC 2007, 2007
Web applications are typically developed with hard time constraints and are often deployed with s... more Web applications are typically developed with hard time constraints and are often deployed with security vulnerabilities. Automatic web vulnerability scanners can help to locate these vulnerabilities and are popular tools among developers of web applications. Their purpose is to stress the application from the attacker's point of view by issuing a huge amount of interaction within it. Two of the most widely spread and dangerous vulnerabilities in web applications are SQL injection and Cross Site Scripting (XSS), because of the damage they may cause to the victim business. Trusting the results of web vulnerability scanning tools is of utmost importance. Without a clear idea on the coverage and false positive rate of these tools, it is difficult to judge the relevance of the results they provide. Furthermore, it is difficult, if not impossible, to compare key figures of merit of web vulnerability scanners. In this paper we propose a method to evaluate and benchmark automatic web vulnerability scanners using software fault injection techniques. The most common types of software faults are injected in the web application code which is then checked by the scanners. The results are compared by analyzing coverage of vulnerability detection and false positives. Three leading commercial scanning tools are evaluated and the results show that in general the coverage is low and the percentage of false positives is very high.
Nav 2012 17th International Conference on Ships and Shipping Research, Dec 9, 2012
After 9/11 terrorist attacks, critical assets protection has become a priority all over the world... more After 9/11 terrorist attacks, critical assets protection has become a priority all over the world. The focus moved from “safety”, so from the prevention and mitigation of casual and unexpected events, to “security”, so mitigation of deliberate acts. Regarding the protection of particular critical assets as vessels and ports or aircrafts and airports, respectively International Maritime Organisation (IMO) and International Civil Aviation Organization (ICAO) developed two different methodologies for security management, both taking into account that “total security” would be attainable only with an infinite cost. IMO, through the International Ship and Port Facility Security (ISPS) Code, has stated that countermeasures have to be identified and implemented in a scalable way, according to the “security level”. Nevertheless, “security level” is the result of intelligence information, whose trustworthiness is in inverse relation to malicious people’s capability to act by surprise, which undoubtedly increases the success of their actions. Therefore, security risk assessment and consequent countermeasures should set aside intelligence information and base their cost-effectiveness on other considerations. This paper aims at proposing an innovative methodology for security risk management that allows the identification of cost-effective countermeasures, based on the evaluation of the impact of each potential incident, independently from the “security level”. To meet this objective we will benefit of past experiences in airport security, where different strategies are suggested by ICAO.
Proceedings of the 2008 ACM symposium on Applied computing - SAC '08, 2008
This paper proposes a mechanism that allows concurrent detection of malicious data access through... more This paper proposes a mechanism that allows concurrent detection of malicious data access through the online analysis of the Database Management Systems (DBMS) audit trail. The proposed mechanism uses a directed graph representing the profile of valid transactions to detect illegal accesses to data, which are seen as unauthorized sequences of Structured Query Language (SQL) commands. The paper proposes a generic algorithm that learns the graph representing the profile of the transactions executed by the users. This mechanism can be used to protect traditional database applications from data attacks as well as web based applications from SQL injection types of attacks. The proposed mechanism is generic and can be used in most commercial DBMS, adding concurrent detection of malicious data access to classical database security mechanisms. The paper presents a practical example of the implementation of the proposed mechanism using Oracle 10g. The Transaction Processing Performance Council benchmark C (TPC-C) and a real database installation were used to assess the detection mechanism and learning algorithm.
2014 IEEE 33rd International Symposium on Reliable Distributed Systems, 2014
In an attempt to support customization, many web applications allow the integration of third-part... more In an attempt to support customization, many web applications allow the integration of third-party server-side plugins that offer diverse functionality, but also open an additional door for security vulnerabilities. In this paper we study the use of static code analysis tools to detect vulnerabilities in the plugins of the web application. The goal is twofold: 1) to study the effectiveness of static analysis on the detection of web application plugin vulnerabilities, and 2) to understand the potential impact of those plugins in the security of the core web application. We use two static code analyzers to evaluate a large number of plugins for a widely used Content Management System. Results show that many plugins that are currently deployed worldwide have dangerous Cross Site Scripting and SQL Injection vulnerabilities that can be easily exploited, and that even widely used static analysis tools may present disappointing vulnerability coverage and false positive rates.
Web applications are typically developed with hard time constraints and are often deployed with s... more Web applications are typically developed with hard time constraints and are often deployed with software bugs. One important type of bug is the one that creates security vulnerabilities. Knowing what kind of programming mistakes usually lead to security vulnerabilities can be an important tool to help in the detection and prevention of security flaws. In this paper we describe ongoing work on correlating software faults and security vulnerabilities like Cross Site Scripting (XSS) and SQL injection.
IEEE Transactions on Dependable and Secure Computing, 2014
Dr. William C. Carter was a key figure in the formation and development of the field of dependabl... more Dr. William C. Carter was a key figure in the formation and development of the field of dependable computing and fault tolerance. His career spanned over four decades, from programming , debugging, and recovery in ENlAC, through reliability, availability and serviceability during the evolution and definition of IBM mainframes. In particular, he took great interest in the future of the field and was instrumental in promoting the work of young contributors. It was characteristic of Bill to take the initiative in reaching out to students and younger colleagues. Despite the demands of his own career, he knew the value of taking the time to encourage, mentor, and inspire newcomers to the field. The William C. Carter Award has been presented annually since 1997, and was established by the IEEE Technical Committee on Fault-Tolerant Computing (TC-FTC) together with the IFIP Working Group on Dependable Computing and Fault Tolerance (WG lOA). The award is intended to honor and carry on Dr. Ca...
Lecture Notes in Computer Science, 2007
Web based applications often have vulnerabilities that can be exploited to launch SQL-based attac... more Web based applications often have vulnerabilities that can be exploited to launch SQL-based attacks. In fact, web application developers are normally concerned with the application functionalities and can easily neglect security aspects. The increasing number of web attacks reported every day corroborates that this attack-prone scenario represents a real danger and is not likely to change favorably in the future.
Proceedings of the International Conference on Dependable Systems and Networks, 2008
System administrators frequently rely on intrusion detection tools to protect their systems again... more System administrators frequently rely on intrusion detection tools to protect their systems against SQL Injection, one of the most dangerous security threats in database-centric web applications. However, the real effectiveness of those tools is usually unknown, which may lead administrators to put an unjustifiable level of trust in the tools they use. In this paper we present an experimental evaluation of the effectiveness of five SQL Injection detection tools that operate at different system levels: Application, Database and Network. To test the tools in a realistic scenario, Vulnerability and Attack Injection is applied in a setup based on three web applications of different sizes and complexities. Results show that the assessed tools have a very low effectiveness and only perform well under specific circumstances, which highlight the limitations of current intrusion detection tools in detecting SQL Injection attacks. Based on experimental observations we underline the strengths and weaknesses of the tools assessed.
2018 14th European Dependable Computing Conference (EDCC), Sep 1, 2018
The use of Static Analysis Tools (SATs) is mandatory when developing secure software and searchin... more The use of Static Analysis Tools (SATs) is mandatory when developing secure software and searching for vulnerabilities in legacy software. However, the performance of the various SATs concerning the detection of vulnerabilities and false alarm rate is usually unknown and depends on many factors. The simultaneous use of several tools should increase the detection capabilities, but also the number of false alarms. In this paper, we study the problem of combining several SATs to best meet the developer needs. We present results of analyzing the performance of diverse static analysis tools, based on a previously published dataset that resulted from the use of five diverse SATs to find two types of vulnerabilities, namely SQL Injections (SQLi) and Cross-Site Scripting (XSS), in 132 plugins of the WordPress Content Management System (CMS). We present the results based on well-established measures for binary classifiers, namely sensitivity and specificity for all possible diverse combinations that can be constructed using these 5 SAT tools. We then provide empirically supported guidance on which combinations of SAT tools provide the most benefits for detecting vulnerabilities with low false positive rates.
2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2015
There is nowadays an increasing pressure to develop complex Web applications at a fast pace. The ... more There is nowadays an increasing pressure to develop complex Web applications at a fast pace. The vast majority is built using frameworks based on third-party server-side plugins that allow developers to easily add new features. However, as many plugin developers have limited programming skills, there is a spread of security vulnerabilities related to their use. Best practices advise the use of systematic code review for assure security, but free tools do not support OOP, which is how most Web applications are currently developed. To address this problem we propose phpSAFE, a static code analyzer that identifies vulnerabilities in PHP plugins developed using OOP. We evaluate phpSAFE against two well-known tools using 35 plugins for a widely used CMS. Results show that phpSAFE clearly outperforms other tools, and that plugins are being shipped with a considerable number of vulnerabilities, which tends to increase over time.
2018 14th European Dependable Computing Conference (EDCC)
The use of Static Analysis Tools (SATs) is mandatory when developing secure software and searchin... more The use of Static Analysis Tools (SATs) is mandatory when developing secure software and searching for vulnerabilities in legacy software. However, the performance of the various SATs concerning the detection of vulnerabilities and false alarm rate is usually unknown and depends on many factors. The simultaneous use of several tools should increase the detection capabilities, but also the number of false alarms. In this paper, we study the problem of combining several SATs to best meet the developer needs. We present results of analyzing the performance of diverse static analysis tools, based on a previously published dataset that resulted from the use of five diverse SATs to find two types of vulnerabilities, namely SQL Injections (SQLi) and Cross-Site Scripting (XSS), in 132 plugins of the WordPress Content Management System (CMS). We present the results based on well-established measures for binary classifiers, namely sensitivity and specificity for all possible diverse combinations that can be constructed using these 5 SAT tools. We then provide empirically supported guidance on which combinations of SAT tools provide the most benefits for detecting vulnerabilities with low false positive rates.
2017 13th European Dependable Computing Conference (EDCC)
Developers frequently rely on free static analysis tools to automatically detect vulnerabilities ... more Developers frequently rely on free static analysis tools to automatically detect vulnerabilities in the source code of their applications, but it is well-known that the performance of such tools is limited and varies from one software development scenario to another, both in terms of coverage and false positives. Diversity is an obvious direction to take to improve coverage, as different tools usually report distinct vulnerabilities, but this may come with an increase in the number of false alarms. In this paper, we study the problem of combining diverse static analysis tools to detect web vulnerabilities, considering four software development scenarios with different goals and constraints, ranging from low budget to high-end (e.g., business critical) applications. We conducted an experimental campaign with five free static analysis tools to detect vulnerabilities in a workload composed by 134 WordPress plugins. Results clearly show that the best solution depends on the development scenario. Furthermore, in some cases, a single tool performs better than the best combination of tools.
IEEE Transactions on Reliability
Static analysis tools are recurrently used by developers to search for vulnerabilities in the sou... more Static analysis tools are recurrently used by developers to search for vulnerabilities in the source code of web applications. However, distinct tools provide different results depending on factors such as the complexity of the code under analysis and the application scenario; thus, missing some of the vulnerabilities while reporting false problems. Benchmarks can be used to assess and compare different systems or components, however, existing benchmarks have strong representativeness limitations, disregarding the specificities of the environment, where the tools under benchmarking will be used. In this paper, we propose a benchmark for assessing and comparing static analysis tools in terms of their capability to detect security vulnerabilities. The benchmark considers four real-world development scenarios, including workloads composed of real web applications with different goals and constraints, ranging from low budget to high-end applications. Our benchmark was implemented and assessed experimentally using a set of 134 Word-Press plugins, which served as the basis for the evaluation of five free PHP static analysis tools. Results clearly show that the best solution depends on the deployment scenario and class of vulnerability being detected; therefore, highlighting the importance of these aspects in the design of the benchmark and of future static analysis tools.
Innovative Technologies for Dependable OTS-Based Critical Systems, 2013
This chapter presents a methodology to evaluate and benchmark web application vulnerability scann... more This chapter presents a methodology to evaluate and benchmark web application vulnerability scanners using software fault injection techniques. The most common software faults are injected in the web application source code, which is then checked by the scanners. Using this procedure, we evaluated three leading commercial scanners, which are often regarded as an easy way to test the security of web applications, including critical vulnerabilities such as XSS and SQL Injection. Our idea consists of providing the scanners with the input they are supposed to handle, which is a web application with software faults and possible vulnerabilities originated by such faults. The results of the scanners are compared evaluating the efficiency in identifying the potential vulnerabilities created by the injected fault, their coverage of vulnerability detection and false positives. However, the results show that the coverage of these tools is low and the percentage of false positives is very high.
Lecture Notes in Computer Science, 2007
Database management systems (DBMS), which are the ultimate layer in preventing malicious data acc... more Database management systems (DBMS), which are the ultimate layer in preventing malicious data access or corruption, implement several security mechanisms to protect data. However these mechanisms cannot always stop malicious users from accessing the data by exploiting system vulnerabilities. In fact, when a malicious user accesses the database there is no effective way to detect and stop the attack in due time. This practical experience report presents a tool that implements concurrent intrusion detection in DBMS. This tool analyses the transactions the users execute and compares them with the profile of the authorized transactions that were previously learned in order to detect potential deviations. The tool was evaluated using the transactions from a standard database benchmark (TPC-W) and a real database application. Results show that the proposed intrusion detection tool can effectively detect SQL-based attacks with no false positives and no overhead to the server.
Concepts, Methodologies, Tools, and Applications, 2014
This chapter presents a survey on the most relevant software development practices that are used ... more This chapter presents a survey on the most relevant software development practices that are used nowadays to build software products for the web, with security built in. It starts by presenting three of the most relevant Secure Software Development Lifecycles, which are complete solutions that can be adopted by development companies: the CLASP, the Microsoft Secure Development Lifecycle and the Software Security Touchpoints. However it is not always feasible to change ongoing projects or replace the methodology in place. So, this chapter also discusses other relevant initiatives that can be integrated into existing development practices, which can be used to build and maintain safer software products: the OpenSAMM, the BSIMM, the SAFECode and the Securosis. The main features of these security development proposals are also compared according to their highlights and the goals of the target software product. Globe. This is what an integrated Secure Software Development Lifecycles (SSDL) does from the start to the end of the life of an application. In fact, using a SSDL is one of the recommendations of the Verizon's 2009 data breach report in order to prevent the application layer type of attacks, including SQL Injection and XSS (Baker et al., 2009). This chapter presents an overview of the most important SSDLs that are used nowadays to build software products that have to face the many threats that come from the web: the Open Web Application Security Project (OWASP) Comprehensive, Lightweight Application Security Process (CLASP), the Microsoft
Proceedings - 13th Pacific Rim International Symposium on Dependable Computing, PRDC 2007, 2007
Web applications are typically developed with hard time constraints and are often deployed with s... more Web applications are typically developed with hard time constraints and are often deployed with security vulnerabilities. Automatic web vulnerability scanners can help to locate these vulnerabilities and are popular tools among developers of web applications. Their purpose is to stress the application from the attacker's point of view by issuing a huge amount of interaction within it. Two of the most widely spread and dangerous vulnerabilities in web applications are SQL injection and Cross Site Scripting (XSS), because of the damage they may cause to the victim business. Trusting the results of web vulnerability scanning tools is of utmost importance. Without a clear idea on the coverage and false positive rate of these tools, it is difficult to judge the relevance of the results they provide. Furthermore, it is difficult, if not impossible, to compare key figures of merit of web vulnerability scanners. In this paper we propose a method to evaluate and benchmark automatic web vulnerability scanners using software fault injection techniques. The most common types of software faults are injected in the web application code which is then checked by the scanners. The results are compared by analyzing coverage of vulnerability detection and false positives. Three leading commercial scanning tools are evaluated and the results show that in general the coverage is low and the percentage of false positives is very high.
Nav 2012 17th International Conference on Ships and Shipping Research, Dec 9, 2012
After 9/11 terrorist attacks, critical assets protection has become a priority all over the world... more After 9/11 terrorist attacks, critical assets protection has become a priority all over the world. The focus moved from “safety”, so from the prevention and mitigation of casual and unexpected events, to “security”, so mitigation of deliberate acts. Regarding the protection of particular critical assets as vessels and ports or aircrafts and airports, respectively International Maritime Organisation (IMO) and International Civil Aviation Organization (ICAO) developed two different methodologies for security management, both taking into account that “total security” would be attainable only with an infinite cost. IMO, through the International Ship and Port Facility Security (ISPS) Code, has stated that countermeasures have to be identified and implemented in a scalable way, according to the “security level”. Nevertheless, “security level” is the result of intelligence information, whose trustworthiness is in inverse relation to malicious people’s capability to act by surprise, which undoubtedly increases the success of their actions. Therefore, security risk assessment and consequent countermeasures should set aside intelligence information and base their cost-effectiveness on other considerations. This paper aims at proposing an innovative methodology for security risk management that allows the identification of cost-effective countermeasures, based on the evaluation of the impact of each potential incident, independently from the “security level”. To meet this objective we will benefit of past experiences in airport security, where different strategies are suggested by ICAO.
Proceedings of the 2008 ACM symposium on Applied computing - SAC '08, 2008
This paper proposes a mechanism that allows concurrent detection of malicious data access through... more This paper proposes a mechanism that allows concurrent detection of malicious data access through the online analysis of the Database Management Systems (DBMS) audit trail. The proposed mechanism uses a directed graph representing the profile of valid transactions to detect illegal accesses to data, which are seen as unauthorized sequences of Structured Query Language (SQL) commands. The paper proposes a generic algorithm that learns the graph representing the profile of the transactions executed by the users. This mechanism can be used to protect traditional database applications from data attacks as well as web based applications from SQL injection types of attacks. The proposed mechanism is generic and can be used in most commercial DBMS, adding concurrent detection of malicious data access to classical database security mechanisms. The paper presents a practical example of the implementation of the proposed mechanism using Oracle 10g. The Transaction Processing Performance Council benchmark C (TPC-C) and a real database installation were used to assess the detection mechanism and learning algorithm.
2014 IEEE 33rd International Symposium on Reliable Distributed Systems, 2014
In an attempt to support customization, many web applications allow the integration of third-part... more In an attempt to support customization, many web applications allow the integration of third-party server-side plugins that offer diverse functionality, but also open an additional door for security vulnerabilities. In this paper we study the use of static code analysis tools to detect vulnerabilities in the plugins of the web application. The goal is twofold: 1) to study the effectiveness of static analysis on the detection of web application plugin vulnerabilities, and 2) to understand the potential impact of those plugins in the security of the core web application. We use two static code analyzers to evaluate a large number of plugins for a widely used Content Management System. Results show that many plugins that are currently deployed worldwide have dangerous Cross Site Scripting and SQL Injection vulnerabilities that can be easily exploited, and that even widely used static analysis tools may present disappointing vulnerability coverage and false positive rates.
Web applications are typically developed with hard time constraints and are often deployed with s... more Web applications are typically developed with hard time constraints and are often deployed with software bugs. One important type of bug is the one that creates security vulnerabilities. Knowing what kind of programming mistakes usually lead to security vulnerabilities can be an important tool to help in the detection and prevention of security flaws. In this paper we describe ongoing work on correlating software faults and security vulnerabilities like Cross Site Scripting (XSS) and SQL injection.
IEEE Transactions on Dependable and Secure Computing, 2014
Dr. William C. Carter was a key figure in the formation and development of the field of dependabl... more Dr. William C. Carter was a key figure in the formation and development of the field of dependable computing and fault tolerance. His career spanned over four decades, from programming , debugging, and recovery in ENlAC, through reliability, availability and serviceability during the evolution and definition of IBM mainframes. In particular, he took great interest in the future of the field and was instrumental in promoting the work of young contributors. It was characteristic of Bill to take the initiative in reaching out to students and younger colleagues. Despite the demands of his own career, he knew the value of taking the time to encourage, mentor, and inspire newcomers to the field. The William C. Carter Award has been presented annually since 1997, and was established by the IEEE Technical Committee on Fault-Tolerant Computing (TC-FTC) together with the IFIP Working Group on Dependable Computing and Fault Tolerance (WG lOA). The award is intended to honor and carry on Dr. Ca...
Lecture Notes in Computer Science, 2007
Web based applications often have vulnerabilities that can be exploited to launch SQL-based attac... more Web based applications often have vulnerabilities that can be exploited to launch SQL-based attacks. In fact, web application developers are normally concerned with the application functionalities and can easily neglect security aspects. The increasing number of web attacks reported every day corroborates that this attack-prone scenario represents a real danger and is not likely to change favorably in the future.
Proceedings of the International Conference on Dependable Systems and Networks, 2008
System administrators frequently rely on intrusion detection tools to protect their systems again... more System administrators frequently rely on intrusion detection tools to protect their systems against SQL Injection, one of the most dangerous security threats in database-centric web applications. However, the real effectiveness of those tools is usually unknown, which may lead administrators to put an unjustifiable level of trust in the tools they use. In this paper we present an experimental evaluation of the effectiveness of five SQL Injection detection tools that operate at different system levels: Application, Database and Network. To test the tools in a realistic scenario, Vulnerability and Attack Injection is applied in a setup based on three web applications of different sizes and complexities. Results show that the assessed tools have a very low effectiveness and only perform well under specific circumstances, which highlight the limitations of current intrusion detection tools in detecting SQL Injection attacks. Based on experimental observations we underline the strengths and weaknesses of the tools assessed.
2018 14th European Dependable Computing Conference (EDCC), Sep 1, 2018
The use of Static Analysis Tools (SATs) is mandatory when developing secure software and searchin... more The use of Static Analysis Tools (SATs) is mandatory when developing secure software and searching for vulnerabilities in legacy software. However, the performance of the various SATs concerning the detection of vulnerabilities and false alarm rate is usually unknown and depends on many factors. The simultaneous use of several tools should increase the detection capabilities, but also the number of false alarms. In this paper, we study the problem of combining several SATs to best meet the developer needs. We present results of analyzing the performance of diverse static analysis tools, based on a previously published dataset that resulted from the use of five diverse SATs to find two types of vulnerabilities, namely SQL Injections (SQLi) and Cross-Site Scripting (XSS), in 132 plugins of the WordPress Content Management System (CMS). We present the results based on well-established measures for binary classifiers, namely sensitivity and specificity for all possible diverse combinations that can be constructed using these 5 SAT tools. We then provide empirically supported guidance on which combinations of SAT tools provide the most benefits for detecting vulnerabilities with low false positive rates.
2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2015
There is nowadays an increasing pressure to develop complex Web applications at a fast pace. The ... more There is nowadays an increasing pressure to develop complex Web applications at a fast pace. The vast majority is built using frameworks based on third-party server-side plugins that allow developers to easily add new features. However, as many plugin developers have limited programming skills, there is a spread of security vulnerabilities related to their use. Best practices advise the use of systematic code review for assure security, but free tools do not support OOP, which is how most Web applications are currently developed. To address this problem we propose phpSAFE, a static code analyzer that identifies vulnerabilities in PHP plugins developed using OOP. We evaluate phpSAFE against two well-known tools using 35 plugins for a widely used CMS. Results show that phpSAFE clearly outperforms other tools, and that plugins are being shipped with a considerable number of vulnerabilities, which tends to increase over time.
2018 14th European Dependable Computing Conference (EDCC)
The use of Static Analysis Tools (SATs) is mandatory when developing secure software and searchin... more The use of Static Analysis Tools (SATs) is mandatory when developing secure software and searching for vulnerabilities in legacy software. However, the performance of the various SATs concerning the detection of vulnerabilities and false alarm rate is usually unknown and depends on many factors. The simultaneous use of several tools should increase the detection capabilities, but also the number of false alarms. In this paper, we study the problem of combining several SATs to best meet the developer needs. We present results of analyzing the performance of diverse static analysis tools, based on a previously published dataset that resulted from the use of five diverse SATs to find two types of vulnerabilities, namely SQL Injections (SQLi) and Cross-Site Scripting (XSS), in 132 plugins of the WordPress Content Management System (CMS). We present the results based on well-established measures for binary classifiers, namely sensitivity and specificity for all possible diverse combinations that can be constructed using these 5 SAT tools. We then provide empirically supported guidance on which combinations of SAT tools provide the most benefits for detecting vulnerabilities with low false positive rates.
2017 13th European Dependable Computing Conference (EDCC)
Developers frequently rely on free static analysis tools to automatically detect vulnerabilities ... more Developers frequently rely on free static analysis tools to automatically detect vulnerabilities in the source code of their applications, but it is well-known that the performance of such tools is limited and varies from one software development scenario to another, both in terms of coverage and false positives. Diversity is an obvious direction to take to improve coverage, as different tools usually report distinct vulnerabilities, but this may come with an increase in the number of false alarms. In this paper, we study the problem of combining diverse static analysis tools to detect web vulnerabilities, considering four software development scenarios with different goals and constraints, ranging from low budget to high-end (e.g., business critical) applications. We conducted an experimental campaign with five free static analysis tools to detect vulnerabilities in a workload composed by 134 WordPress plugins. Results clearly show that the best solution depends on the development scenario. Furthermore, in some cases, a single tool performs better than the best combination of tools.
IEEE Transactions on Reliability
Static analysis tools are recurrently used by developers to search for vulnerabilities in the sou... more Static analysis tools are recurrently used by developers to search for vulnerabilities in the source code of web applications. However, distinct tools provide different results depending on factors such as the complexity of the code under analysis and the application scenario; thus, missing some of the vulnerabilities while reporting false problems. Benchmarks can be used to assess and compare different systems or components, however, existing benchmarks have strong representativeness limitations, disregarding the specificities of the environment, where the tools under benchmarking will be used. In this paper, we propose a benchmark for assessing and comparing static analysis tools in terms of their capability to detect security vulnerabilities. The benchmark considers four real-world development scenarios, including workloads composed of real web applications with different goals and constraints, ranging from low budget to high-end applications. Our benchmark was implemented and assessed experimentally using a set of 134 Word-Press plugins, which served as the basis for the evaluation of five free PHP static analysis tools. Results clearly show that the best solution depends on the deployment scenario and class of vulnerability being detected; therefore, highlighting the importance of these aspects in the design of the benchmark and of future static analysis tools.
Innovative Technologies for Dependable OTS-Based Critical Systems, 2013
This chapter presents a methodology to evaluate and benchmark web application vulnerability scann... more This chapter presents a methodology to evaluate and benchmark web application vulnerability scanners using software fault injection techniques. The most common software faults are injected in the web application source code, which is then checked by the scanners. Using this procedure, we evaluated three leading commercial scanners, which are often regarded as an easy way to test the security of web applications, including critical vulnerabilities such as XSS and SQL Injection. Our idea consists of providing the scanners with the input they are supposed to handle, which is a web application with software faults and possible vulnerabilities originated by such faults. The results of the scanners are compared evaluating the efficiency in identifying the potential vulnerabilities created by the injected fault, their coverage of vulnerability detection and false positives. However, the results show that the coverage of these tools is low and the percentage of false positives is very high.
Lecture Notes in Computer Science, 2007
Database management systems (DBMS), which are the ultimate layer in preventing malicious data acc... more Database management systems (DBMS), which are the ultimate layer in preventing malicious data access or corruption, implement several security mechanisms to protect data. However these mechanisms cannot always stop malicious users from accessing the data by exploiting system vulnerabilities. In fact, when a malicious user accesses the database there is no effective way to detect and stop the attack in due time. This practical experience report presents a tool that implements concurrent intrusion detection in DBMS. This tool analyses the transactions the users execute and compares them with the profile of the authorized transactions that were previously learned in order to detect potential deviations. The tool was evaluated using the transactions from a standard database benchmark (TPC-W) and a real database application. Results show that the proposed intrusion detection tool can effectively detect SQL-based attacks with no false positives and no overhead to the server.
Concepts, Methodologies, Tools, and Applications, 2014
This chapter presents a survey on the most relevant software development practices that are used ... more This chapter presents a survey on the most relevant software development practices that are used nowadays to build software products for the web, with security built in. It starts by presenting three of the most relevant Secure Software Development Lifecycles, which are complete solutions that can be adopted by development companies: the CLASP, the Microsoft Secure Development Lifecycle and the Software Security Touchpoints. However it is not always feasible to change ongoing projects or replace the methodology in place. So, this chapter also discusses other relevant initiatives that can be integrated into existing development practices, which can be used to build and maintain safer software products: the OpenSAMM, the BSIMM, the SAFECode and the Securosis. The main features of these security development proposals are also compared according to their highlights and the goals of the target software product. Globe. This is what an integrated Secure Software Development Lifecycles (SSDL) does from the start to the end of the life of an application. In fact, using a SSDL is one of the recommendations of the Verizon's 2009 data breach report in order to prevent the application layer type of attacks, including SQL Injection and XSS (Baker et al., 2009). This chapter presents an overview of the most important SSDLs that are used nowadays to build software products that have to face the many threats that come from the web: the Open Web Application Security Project (OWASP) Comprehensive, Lightweight Application Security Process (CLASP), the Microsoft