Abstract

Context:Securing code is crucial for all software stakeholders. Nevertheless, state-of-the-art tools are imperfect and tend to miss critical errors, resulting in zero-day vulnerabilities. Thus, there is a need for alternatives to mitigate such issues. Objective:We aim to facilitate an effective identification mechanism of security flaws in the early stages of development. Method:Following our analysis of the root causes of vulnerabilities and examining existing code analyzers, we devise a new Rule-Based Security Flaws Prevention (RbSFP) tool. The tool is based on a set of allow-list rules and consists of the following stages: (1) AST creation based on the source code and marking critical code areas; (2) Context-based code analysis that further validates the code; (3) Results’ normalization to suggest alerts and warnings. To evaluate the RbSFP tool, we utilized two complementary evaluations. The first refers to the tool’s ability to detect security flaws compared to competing tools by executing them on open-source projects. The second refers to evaluating the tool’s usability and efficiency via a controlled experiment. Results:We found that the outcomes were of better quality when using the RbSFP tool, and the differences were statistically significant. Thus, utilizing the new approach and tool has a significant impact as it can eliminate root causes for security flaws at the early stages of development. Conclusion:Using an allow-list-based approach can reduce security flaws in the code. However, further analysis and evaluation are needed to provide a more comprehensive solution.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.