AppSecUSA 2012 has ended
Back To Schedule
Friday, October 26 • 3:00pm - 3:45pm
Using Interactive Static Analysis for Early Detection of Software Vulnerabilities

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

We present our work of using interactive static analysis to improve upon static analysis techniques by introducing a new mixed-initiative paradigm for interacting with developers to aid in the detection and prevention of security vulnerabilities. The key difference between our approach and standard static analysis is interaction with the developers. Specifically, our approach is predicated on the following principles:
• Secure programming support should be targeted towards general developers who understand the application logic, but may have limited knowledge of secure programming;
• Secure programming support should be provided while the code is being developed, integrated into the development tools;
• Secure programming support should reduce the workload in detecting and resolving vulnerabilities; and
• Developers should be able to provide feedback about the application context that can drive customized security analysis.

We have performed evaluations of our approach using an active open source project, Apache Roller. Our results shows that interactive data flow analysis can potential reduce the effort of finding and fixing vulnerabilities by as much as 50%. Using interactive control flow analysis, we found cross request forgery vulnerabilities in current Roller release. The Roller team issued patches based on our report (CVE-2012-2380). We have also performed user studies, both for students and for professional developers with promising results. For example, preliminary data suggests that using ASIDE students, who do not have secure programming training, can write much more secure code.

avatar for Bill Chu

Bill Chu

Professor, University of North Carolina at Charlotte
I received my Ph.D. in Computer Science from University of Maryland at College Park. My current research is focused on building interactive tools to support developers writing more secure code. Part of this effort is the OWASP ASIDE project(https://www.owasp.org/index.php/OWASP_ASIDE_Project... Read More →

Friday October 26, 2012 3:00pm - 3:45pm CDT
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

Attendees (0)