On Combining Diverse Static Analysis Tools for Web Security: An Empirical Study

Authors

Abstract

Developers frequently rely on free static analysis tools to automatically detect vulnerabilities in the source code of their applications, but it is well-known that the performance of such tools is limited and varies from one software development scenario to another, both in terms of coverage and false positives. Diversity is an obvi-ous direction to take to improve coverage, as different tools usual-ly report distinct vulnerabilities, but this may come with an in-crease in the number of false alarms. In this paper, we study the problem of combining diverse static analysis tools to detect web vulnerabilities, considering four software development scenarios with different goals and constraints, ranging from low budget to high-end (e.g., business critical) applications. We conducted an experimental campaign with five free static analysis tools to detect vulnerabilities in a workload composed by 134 WordPress plugins. Results clearly show that the best solution depends on the development scenario. Furthermore, in some cases, a single tool performs better than the best combination of tools.

Keywords

Internet;program diagnostics;security of data;Web vulnerabilities;Web security;software development scenario;free static analysis tools;diverse static analysis tools;Tools;Software;Security;Measurement;Diversity reception;Complexity theory;static analysis;vulnerability detection;XSS;SQLi

Conference

2017 13th European Dependable Computing Conference (EDCC), August 2017

DOI