Framework Design for Integrating Source Code Analysis in Web Application Security Audits

Authors

  • A. Kartik Kumar, India

Keywords:

Dynamic Analysis, Software Development Lifecycle, Security Framework

Abstract

In the era of digital transformation, securing web applications is paramount due to the increasing number of cyber threats. This paper presents a comprehensive framework for integrating source code analysis into web application security audits. The proposed framework leverages both static and dynamic analysis techniques to identify vulnerabilities at different stages of the software development lifecycle. By automating the analysis process, the framework aims to enhance the efficiency and accuracy of security audits, reducing the risk of human error and ensuring thorough coverage of potential security flaws. Case studies and experimental results demonstrate the framework's effectiveness in identifying critical vulnerabilities and providing actionable insights for remediation. This approach not only improves the security posture of web applications but also facilitates compliance with industry standards and regulations.
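The static-analysis stage the abstract describes is, at its core, taint tracking: attacker-controlled inputs (sources) are followed through assignments and string building until they reach a database call (sink), and parameterised queries or type conversions along the way are treated as sanitisers. The following is an added illustration written for this page, not code from the paper or its framework. It uses Python's standard `ast` module over Flask-style handlers; the source names (`request.args.get`, `request.form.get`, `request.values.get`), sink names (`cursor.execute`, `db.execute`, `conn.execute`), the `int`/`float` sanitiser list and the sample handlers in `SAMPLE` are all constructed assumptions.

```python
import ast

# Assumed attacker-controlled inputs (Flask request accessors).
TAINT_SOURCES = {"request.args.get", "request.form.get", "request.values.get"}
# Assumed database sinks; only the SQL text (first argument) is checked,
# so a parameterised call with tainted bind values is not reported.
SINKS = {"cursor.execute", "db.execute", "conn.execute"}
# Numeric conversions cannot carry SQL syntax through; modelled as sanitisers.
SANITIZERS = {"int", "float"}


def dotted_name(node):
    """Return 'request.args.get' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted):
    """Conservatively decide whether `expr` may carry attacker data."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SANITIZERS:
            return False
        if name in TAINT_SOURCES:
            return True
        # str(x), "...".format(x) and similar: tainted if any argument is.
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.JoinedStr):  # f-string
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, ast.BinOp):      # "..." + x  or  "... %s" % x
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    return False


def statements(body):
    """Yield statements in source order, descending into compound statements
    (if/for/while/with/try) but not into nested function or class bodies."""
    for stmt in body:
        yield stmt
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for field in ("body", "orelse", "finalbody"):
            yield from statements(getattr(stmt, field, []))
        for handler in getattr(stmt, "handlers", []):
            yield from statements(handler.body)


def calls_in(node):
    """Yield Call nodes under `node` without entering nested statements."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, ast.stmt):
            continue
        if isinstance(child, ast.Call):
            yield child
        yield from calls_in(child)


def find_sql_injection(source):
    """Return [(function, line, sink)] for sinks whose SQL text is tainted."""
    findings = []
    tree = ast.parse(source)
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in statements(fn.body):
            for call in calls_in(stmt):
                sink = dotted_name(call.func)
                if sink in SINKS and call.args and is_tainted(call.args[0], tainted):
                    findings.append((fn.name, call.lineno, sink))
            # Flow-sensitive propagation: a clean reassignment clears the taint.
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                target = stmt.targets[0].id
                if is_tainted(stmt.value, tainted):
                    tainted.add(target)
                else:
                    tainted.discard(target)
    return findings


# Constructed sample handlers (not from any real application).
SAMPLE = '''
from flask import request

def lookup_user(cursor):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)                   # flagged: string concatenation

def lookup_user_fmt(cursor):
    name = request.args.get("name")
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")  # flagged: f-string

def lookup_user_safe(cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))  # parameterised: clean

def list_users(cursor):
    limit = int(request.args.get("limit"))
    cursor.execute("SELECT * FROM users LIMIT " + str(limit))  # int() sanitises: clean
'''

if __name__ == "__main__":
    for fn, line, sink in find_sql_injection(SAMPLE):
        print(f"{fn}: tainted SQL text reaches {sink} at line {line}")
```

Run on `SAMPLE`, the checker reports `lookup_user` (line 7) and `lookup_user_fmt` (line 11) and stays silent on the parameterised and integer-bounded handlers. The design choice worth noting for an audit framework is the sink rule: inspecting only the SQL-text argument is what separates a true finding from the common false positive of "user data appears anywhere near `execute`". The checker is deliberately intraprocedural and ignores aliasing, attribute stores and data returned from other functions, which is where a real tool (and the dynamic stage the abstract pairs it with) has to take over.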


Published

2019-09-08

How to Cite

Framework Design for Integrating Source Code Analysis in Web Application Security Audits. (2019). JOURNAL OF RECENT TRENDS IN COMPUTER SCIENCE AND ENGINEERING (JRTCSE), 7(2), 11-19. https://jrtcse.com/index.php/home/article/view/JRTCSE.2019.2.2