Evaluating the effectiveness of a security flaws prevention tool

Itzhak Gershfeld, Arnon Sturm

Research output: Contribution to journal › Article › peer-review

Abstract

Context: Securing code is crucial for all software stakeholders. Nevertheless, state-of-the-art tools are imperfect and tend to miss critical errors, resulting in zero-day vulnerabilities. Thus, there is a need for alternatives to mitigate such issues. Objective: We aim to facilitate an effective identification mechanism of security flaws in the early stages of development. Method: Following our analysis of the root causes of vulnerabilities and examining existing code analyzers, we devise a new Rule-Based Security Flaws Prevention (RbSFP) tool. The tool is based on a set of allow-list rules and consists of the following stages: (1) AST creation based on the source code and marking critical code areas; (2) Context-based code analysis that further validates the code; (3) Results’ normalization to suggest alerts and warnings. To evaluate the RbSFP tool, we utilized two complementary evaluations. The first refers to the tool's ability to detect security flaws compared to competing tools by executing them on open-source projects. The second refers to evaluating the tool's usability and efficiency via a controlled experiment. Results: We found that the outcomes were of better quality when using the RbSFP tool, and the differences were statistically significant. Thus, utilizing the new approach and tool has a significant impact as it can eliminate root causes for security flaws at the early stages of development. Conclusion: Using an allow-list-based approach can reduce security flaws in the code. However, further analysis and evaluation are needed to provide a more comprehensive solution.

Original language: English
Article number: 107427
Journal: Information and Software Technology
Volume: 170
DOIs
State: Published - 1 Jun 2024

Keywords

  • Controlled experiment
  • CVE
  • Secure software development
  • Security flaws detection
  • Software bugs
  • Static code analysis

ASJC Scopus subject areas

  • Software
  • Information Systems
  • Computer Science Applications
