Assessing software vulnerabilities using Naturally Occurring Defects

Bibliographic Details
Main Author: Sofia Oliveira Reis
Publication Date: 2017-07-13
Format: Master thesis
Language: eng
Subject: Electrical engineering, Electronic engineering, Information engineering (Engenharia electrotécnica, electrónica e informática)
Rights: open access
Identifier: TID:201803402
Source: Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
Download full: https://hdl.handle.net/10216/106509
Summary: Currently, to satisfy the high number of system requirements, complex software is created, which makes its development cost-intensive and more susceptible to security vulnerabilities. In software security testing, empirical studies typically use artificial faulty programs because of the challenges involved in extracting or reproducing real security vulnerabilities. Researchers therefore tend to use hand-seeded faults or mutations to overcome these issues, which might not be suitable for evaluating software testing techniques, since both approaches can create samples that inadvertently differ from real vulnerabilities. Secbench is a database of security vulnerabilities mined from GitHub, which hosts millions of open-source projects carrying a considerable number of security vulnerabilities. The majority of software development costs goes to identifying and correcting defects. To minimize such costs, software engineers responded by creating static analysis tools that detect defects in source code before it is sent to production or even executed. Despite the promising future of these tools for reducing costs during the software development phase, there are studies showing that the tools' vulnerability detection capability is comparable to, or even worse than, random guessing; i.e., these tools are still far from their highest level of maturity, since the percentage of undetected security vulnerabilities is high and the number of correctly detected defects is lower than the number of false ones. This study evaluates the performance and coverage of several static analysis tools when scanning for real security vulnerabilities mined from GitHub. Each vulnerability represents a test case containing the vulnerable code (Vvul), which may or may not be exposed, and the non-vulnerable code (Vfix), the fix or patch, which is not exposed. These test cases were run through the static analysis tools and yielded a better analysis in terms of performance and security vulnerability coverage. This methodology allowed the identification of improvements in the static analysis tools that were studied. Besides contributing to the improvement of these tools, it also contributes to a more confident choice of tools by security consultants, programmers and companies.