Peer reviewed
Gershfeld, Itzhak; Sturm, Arnon
Information and Software Technology, Volume 170, June 2024. Journal article.
Securing code is crucial for all software stakeholders. Nevertheless, state-of-the-art tools are imperfect and tend to miss critical errors, resulting in zero-day vulnerabilities, so alternatives are needed to mitigate such issues. We aim to provide an effective mechanism for identifying security flaws in the early stages of development. Following our analysis of the root causes of vulnerabilities and an examination of existing code analyzers, we devise a new Rule-Based Security Flaws Prevention (RbSFP) tool. The tool is based on a set of allow-list rules and consists of three stages: (1) creating an AST from the source code and marking critical code areas; (2) context-based code analysis that further validates the marked code; (3) normalizing the results into alerts and warnings. To evaluate the RbSFP tool, we carried out two complementary evaluations. The first compares the tool's ability to detect security flaws with that of competing tools by running them on open-source projects. The second evaluates the tool's usability and efficiency in a controlled experiment. We found that the outcomes were of better quality when using the RbSFP tool, and the differences were statistically significant. Thus, the new approach and tool can eliminate root causes of security flaws at the early stages of development, and an allow-list-based approach can reduce security flaws in code. However, further analysis and evaluation are needed to provide a more comprehensive solution.
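The three-stage pipeline the abstract outlines (mark critical AST nodes, validate them against their context, normalize the verdicts into alerts and warnings) is easiest to understand with a concrete allow-list rule. The following Python script is an added illustration written for this page; it is not the RbSFP tool, and the critical-call table, the "argument must be a literal" rule and the sample program are all constructed here. The allow-list character is that a critical call is only accepted when its sensitive argument is provably a compile-time literal in its scope; everything the checker cannot prove safe is reported, rather than only patterns it knows to be bad.

```python
"""Allow-list AST checker (constructed example for this page, not the paper's
RbSFP tool).  A critical call passes only when its sensitive argument can be
proven, from the surrounding scope, to be a string literal; anything else is
reported as an alert (provably runtime-built) or a warning (unprovable)."""
import ast
from dataclasses import dataclass

# Stage 1: calls treated as "critical code areas".  Maps a dotted call name to
# the positional index of its sensitive argument.  (Constructed table.)
CRITICAL_CALLS = {
    "subprocess.run": 0,
    "os.system": 0,
    "eval": 0,
    "cursor.execute": 0,
}

_SCOPE_NODES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda, ast.ClassDef)


@dataclass
class Finding:
    level: str    # Stage 3 normalized severity: "alert" or "warning"
    line: int
    call: str
    message: str


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _iter_scope(body):
    """Yield every node under `body` without descending into nested scopes."""
    stack = list(body)
    while stack:
        node = stack.pop()
        yield node
        if isinstance(node, _SCOPE_NODES):
            continue
        stack.extend(ast.iter_child_nodes(node))


def _constant_bindings(body, params):
    """Stage 2 context: name -> True iff every binding in this scope is a str literal.
    Parameters are never constant; augmented assignment poisons a name."""
    bound = {p: False for p in params}
    for node in _iter_scope(body):
        if isinstance(node, ast.Assign):
            is_const = isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
            for tgt in node.targets:
                if isinstance(tgt, ast.Name):
                    bound[tgt.id] = bound.get(tgt.id, True) and is_const
        elif isinstance(node, ast.AugAssign) and isinstance(node.target, ast.Name):
            bound[node.target.id] = False
    return bound


def _classify(arg, bound):
    """Allow-list check: None when `arg` is provably literal, else (level, message)."""
    if isinstance(arg, ast.Constant):
        return None
    if isinstance(arg, (ast.List, ast.Tuple)):       # e.g. subprocess.run(["ls", "-l"])
        for elt in arg.elts:
            verdict = _classify(elt, bound)
            if verdict:
                return verdict
        return None
    if isinstance(arg, ast.Name):
        if arg.id not in bound:
            return ("warning", f"'{arg.id}' has no binding in this scope; cannot prove it constant")
        if bound[arg.id]:
            return None
        return ("alert", f"'{arg.id}' is a parameter or is bound to a non-literal value")
    # f-strings, concatenation, calls, subscripts: built at runtime, not allow-listed
    return ("alert", f"value is constructed at runtime ({type(arg).__name__})")


def _analyze_scope(body, params):
    bound = _constant_bindings(body, params)
    out = []
    for node in _iter_scope(body):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name not in CRITICAL_CALLS:
            continue
        idx = CRITICAL_CALLS[name]
        if idx >= len(node.args):
            continue     # sensitive argument not passed positionally; out of scope here
        verdict = _classify(node.args[idx], bound)
        if verdict:
            out.append(Finding(verdict[0], node.lineno, name, verdict[1]))
    return out


def analyze(source):
    """Run all three stages over `source`; findings are sorted by line number."""
    tree = ast.parse(source)
    scopes = [(tree.body, set())]
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            scopes.append((node.body, {a.arg for a in node.args.args + node.args.kwonlyargs}))
    findings = []
    for body, params in scopes:
        findings.extend(_analyze_scope(body, params))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample program exercising each verdict.
SAMPLE = '''
import os, subprocess
LOG = "/var/log/app.log"

def tail(path):
    subprocess.run(["tail", "-n", "20", path])
    os.system("tail " + path)

def safe():
    cmd = "ls -l"
    os.system(cmd)
    subprocess.run(["ls", "-l"])

def lookup(cursor, user):
    cursor.execute(f"SELECT * FROM t WHERE u = '{user}'")
    cursor.execute(QUERY)
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.level.upper():7} line {f.line}: {f.call}: {f.message}")
```

On the sample, `tail` produces two alerts (a parameter inside the argv list, and a concatenated command), `safe` produces nothing because `cmd` is bound only to a literal, and `lookup` produces an alert for the f-string query and a warning for `QUERY`, whose binding is not visible in the function. The analysis is deliberately scope-local and flow-insensitive, so a name rebound after the call still counts against it; that is the conservative direction for an allow-list, and it is also why such a rule set needs the usability evaluation the abstract describes.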