
IMPROVING SOFTWARE SECURITY USING STATIC AND RUNTIME ANALYSIS




ABSTRACT

Static analysis can detect a variety of defects and weaknesses in system source code even before the code is ready to run. Runtime analysis, on the other hand, looks at running software to detect problems as they occur, usually through sophisticated instrumentation. Static analysis prevents problems from entering the main code stream and ensures that any new code is up to standard. Static analysis tools can uncover security vulnerabilities, logic errors, implementation defects, and other problems, both at the developer's desktop and at system build time. Runtime analysis can be performed during module development and system integration to catch any problem missed by static analysis. In this research work, vulnerability analysis was performed on some developed source codes containing known security vulnerabilities. The analysis reports support the fact that one can expect a certain number of false alarms from any vulnerability analysis tool. This research work therefore focuses on finding a mathematical model for determining the probability of detection and the probability of false alarm for a given analysis tool. This information will guide users of the tool in judging the authenticity of a detected bug. It will also help developers to assess and improve the performance of the analysis tool.
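The two quantities the abstract names, probability of detection and probability of false alarm, are normally estimated by running the tool over code whose vulnerabilities are known in advance and counting hits, misses and spurious reports. The following is an added example, not the research work's own model or any real tool's output: it takes a constructed set of seeded vulnerability sites and a constructed set of tool reports, builds the confusion counts, derives both probabilities, and then applies Bayes' rule to answer the question the abstract raises for tool users, namely how likely it is that a given report is a real bug. The number of candidate sites scanned and the vulnerability classes are assumptions chosen for illustration.

```python
"""Estimate an analysis tool's probability of detection (P_d) and probability
of false alarm (P_fa) from a labelled benchmark, then score the credibility
of a single report with Bayes' rule.

Added example for illustration; the benchmark data below is constructed
and does not come from the research work or from any real tool run.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    """One location in the scanned code, tagged with a vulnerability class."""
    file: str
    line: int
    kind: str  # e.g. "buffer-overflow", "format-string", "symlink"


# Constructed ground truth: sites deliberately seeded with vulnerabilities.
SEEDED = {
    Site("auth.c", 42, "buffer-overflow"),
    Site("auth.c", 77, "format-string"),
    Site("upload.c", 120, "buffer-overflow"),
    Site("upload.c", 151, "symlink"),
    Site("log.c", 18, "format-string"),
}

# Constructed tool output: three true hits, two misses, two false alarms.
REPORTED = {
    Site("auth.c", 42, "buffer-overflow"),
    Site("auth.c", 77, "format-string"),
    Site("log.c", 18, "format-string"),
    Site("auth.c", 90, "buffer-overflow"),   # false alarm (not seeded)
    Site("parse.c", 33, "symlink"),          # false alarm (not seeded)
}

# Assumption: total number of candidate sites the tool examined. Needed to
# count true negatives, which P_fa is measured against.
CANDIDATE_SITES = 200


def confusion(seeded, reported, candidates):
    """Return TP/FP/FN/TN counts for a tool run over a labelled benchmark."""
    tp = len(seeded & reported)   # seeded and reported
    fn = len(seeded - reported)   # seeded but missed
    fp = len(reported - seeded)   # reported but not a real bug
    tn = candidates - tp - fn - fp
    if tn < 0:
        raise ValueError("candidate count is smaller than the labelled sites")
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


def detection_probability(c):
    """P_d = P(reported | real bug) = TP / (TP + FN)."""
    return c["tp"] / (c["tp"] + c["fn"])


def false_alarm_probability(c):
    """P_fa = P(reported | no bug) = FP / (FP + TN)."""
    return c["fp"] / (c["fp"] + c["tn"])


def report_is_real_probability(p_d, p_fa, prior):
    """Bayes' rule: P(real bug | reported) given the tool's P_d, P_fa and the
    prior probability that an arbitrary candidate site is vulnerable."""
    numerator = p_d * prior
    return numerator / (numerator + p_fa * (1.0 - prior))


def detection_by_kind(seeded, reported):
    """P_d broken down per vulnerability class, since a tool that is strong
    on format-string bugs may still miss symlink races entirely."""
    result = {}
    for kind in sorted({s.kind for s in seeded}):
        of_kind = {s for s in seeded if s.kind == kind}
        result[kind] = len(of_kind & reported) / len(of_kind)
    return result


if __name__ == "__main__":
    c = confusion(SEEDED, REPORTED, CANDIDATE_SITES)
    p_d = detection_probability(c)
    p_fa = false_alarm_probability(c)
    prior = len(SEEDED) / CANDIDATE_SITES
    print("confusion:", c)
    print(f"P_d = {p_d:.3f}, P_fa = {p_fa:.4f}")
    print(f"P(real | reported) = {report_is_real_probability(p_d, p_fa, prior):.3f}")
    print("P_d by class:", detection_by_kind(SEEDED, REPORTED))
```

With the prior taken as the seeded fraction of the benchmark, the Bayesian credibility of a single report comes out equal to the tool's precision on that benchmark (TP / (TP + FP)), which is a useful cross-check on the arithmetic; the per-class breakdown shows why a single overall P_d can hide a class the tool never catches.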


CHAPTER ONE

1.0  INTRODUCTION

Software engineering has evolved to a stage where the security attributes of software play an increasingly important role. The introduction of e-commerce, m-commerce, online banking and other web based applications has resulted in a whole new set of requirements for information systems. In addition to reliability, performance and other quality attributes, the level of system security now plays a major role when customers make buying decisions. For this reason, there is an obvious need to give special consideration to system security when designing software products, especially for higher security applications.

The current state of application security leaves much to be desired. The 2002 Computer Crime and Security Survey [1], conducted by the Computer Security Institute and the United States FBI, revealed that, on a yearly basis, over half of all databases experience at least one security breach, and that an average episode results in close to $4 million in losses. The survey also noted that web crime has become commonplace. Web crime ranges from cyber-vandalism (e.g., website defacement) at the low end to theft of sensitive information and financial fraud at the high end.

A penetration testing study performed by the Imperva Application Defense Center [2] covered more than 250 web applications from e-commerce, online banking and enterprise collaboration sites. This vulnerability assessment concluded that at least 92% of web applications are vulnerable to some form of hacker attack. Security compliance of application vendors is especially important in light of recent U.S. industry regulations such as the Sarbanes-Oxley Act, which pertains to information security [3, 4]. According to the 2005 E-Crime Watch survey, conducted in cooperation with the United States Secret Service, 43% of respondents reported an increase in e-crimes and intrusions over the previous year [5]. Over 70% of respondents reported that at least one e-crime or intrusion was committed against their organization. During the first six months of 2005, malicious code that exposed confidential information represented 74% of the top 50 malicious code samples, according to Symantec's Internet Security Threat Report, volume VIII [6]. The report also documents 1,872 vulnerabilities in the first half of 2005, the most ever recorded since the inception of the report. Despite this sampling of data pointing to the increasing threat of directed attacks, the threat is likely still understated. Many directed attacks go unreported for the following reasons:

• Many organizations try to suppress the fact that they were attacked in the hope of avoiding negative publicity and damage to their reputation.

• Many organizations that have been attacked simply do not know that they have been the victim of a targeted attack.

While a great deal of attention over the decades has been given to network-level attacks such as port scanning, about 75% of all attacks against web servers target web based applications, according to a recent survey [7]. It is easy to underestimate the level of risk associated with sensitive information in the databases accessed through web applications until a severe security breach actually occurs.

Analyzing reports of security attacks quickly reveals that most attacks do not result from clever attackers discovering new kinds of flaws, but rather stem from repeated exploits of well-known problems.

In MITRE's Common Vulnerabilities and Exposures list of 190 entries from 1st January 2001 through 18th September 2001, thirty-seven of the entries are standard buffer overflow vulnerabilities (including three related memory-access vulnerabilities), and 11 involve format string bugs [8]. Most of the rest also reflect common flaws, including resource leaks, file name problems, and symbolic links. Analyses of other vulnerability and incident reports reveal similar repetition. So why do developers keep making the same mistakes? Some errors are caused by legacy code, others by programmers' carelessness or lack of awareness of security concerns. However, the root problem is that while security vulnerabilities such as buffer overflows are well understood, the techniques for avoiding them entirely are not well codified into the development process. Even conscientious programmers can overlook security issues, especially those that rely on undocumented assumptions about procedures and data types. Instead of relying on programmers' memories, the security industry has produced tools that codify what is known about common security vulnerabilities and that can be integrated directly into the development process to detect software vulnerabilities. This work proposes how the efficiency of such tools can be maximized.

