http://dx.doi.org/10.13089/JKIISC.2019.29.5.973

A Study on Software Security Vulnerability Detection Using Coding Standard Searching Technique

Jang, Young-Su (Korea Polytechnic)
Abstract
The importance of information security has been increasingly emphasized at the national, organizational, and individual levels due to the widespread adoption of software applications. Safety-critical software, which includes embedded software, should run without errors, just as the software used in the airline and nuclear energy sectors does. The software development techniques of those sectors are now being applied to improve software security in other fields. Secure coding, in particular, is a concept that encompasses defensive programming and is capable of improving software security. In this paper, we propose a software security vulnerability detection method that uses an improved coding standard searching technique. Public static analysis tools were used to assess software security and to classify the commands that induce vulnerabilities. Software security can be enhanced by detecting the Application Programming Interfaces (APIs) and code patterns that can induce vulnerabilities.
Keywords
Information Security; Secure Coding; Defensive Programming; Public Static Analysis Tools
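The abstract above describes searching source code for the APIs and patterns that a coding standard flags as vulnerability-inducing. As an added illustration that is not the paper's own tool, the Python scanner below applies that idea to C source: it reports calls listed in a small rule table of risky string APIs, skipping mentions inside comments and string literals, which is the main source of false alerts for plain keyword search. The rule table and the C snippet it scans are constructed for this example, since the paper's own API list is not on this page.

```python
import re
# Constructed rule table (API -> why it is risky, safer alternative); an assumption, not the paper's list.
RISKY_APIS = {
    "gets":    ("reads unbounded input into a fixed buffer", "fgets with an explicit size"),
    "strcpy":  ("copies without checking destination size", "snprintf/strlcpy with sizeof(dst)"),
    "strcat":  ("appends without checking remaining space", "strncat with remaining space"),
    "sprintf": ("formats without an output length bound", "snprintf with sizeof(dst)"),
}
# An identifier used as a call; the look-behind skips prefixed names such as my_strcpy( or p->gets(.
CALL_RE = re.compile(r"(?<![\w.>])(" + "|".join(RISKY_APIS) + r")\s*\(")

def _strip_strings_and_line_comments(line: str) -> str:
    """Blank out string literals and // comments so their text is not mistaken for a call."""
    line = re.sub(r'"(\\.|[^"\\])*"', '""', line)
    return line.split("//", 1)[0]

def scan_source(src: str) -> list:
    """Return (line_no, api, reason, alternative) per risky call, skipping comments and strings."""
    findings, in_block = [], False
    for no, raw in enumerate(src.splitlines(), 1):
        line = raw
        if in_block:                       # still inside a /* ... */ comment
            if "*/" not in line:
                continue
            line, in_block = line.split("*/", 1)[1], False
        if "/*" in line:                   # a block comment starts on this line
            head, tail = line.split("/*", 1)
            in_block = "*/" not in tail
            line = head if in_block else head + tail.split("*/", 1)[1]
        for m in CALL_RE.finditer(_strip_strings_and_line_comments(line)):
            reason, alternative = RISKY_APIS[m.group(1)]
            findings.append((no, m.group(1), reason, alternative))
    return findings

# Constructed C snippet: two real risky calls, one mention in a comment, one inside a string literal.
SAMPLE = """\
/* legacy helper: strcpy(d, s) was used before */
int copy_name(char *dst, size_t n, const char *src) {
    char tmp[64];
    gets(tmp);                   /* unbounded read: flagged */
    strcpy(tmp, src);            // unbounded copy: flagged
    snprintf(dst, n, "%s", tmp); // bounded: not flagged
    printf("strcat(a, b)");      // string literal: not flagged
    return 0;
}
"""
if __name__ == "__main__":
    for no, api, reason, alternative in scan_source(SAMPLE):
        print(f"line {no}: {api}() {reason}; prefer {alternative}")
```

Running it on the constructed snippet reports only lines 4 and 5; a scanner that matched raw keywords would also report lines 1 and 7.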