
Research On The Improvement Of Software Vulnerability Detection And Evaluation Based On Static Analysis And Empirical Study

Posted on: 2022-08-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Richard Amankwah
Full Text: PDF
GTID: 1488306506463124
Subject: Computer Application Technology
Abstract/Summary:
Bugs in software put our healthcare, security, financial, and other vital infrastructure systems at risk. These bugs stem from several causes, ranging from human error in code and implementation to design errors in frameworks and operating systems. Software complexity, changing requirements, miscommunication or lack of communication, and time pressure have also been cited as causes of software bugs. Software project scheduling, for example, is daunting at best and involves a great deal of guesswork; when deadlines loom and pressure mounts, errors are bound to occur. To address these issues, bug detection has become a fundamental activity in software quality maintenance and has been shown to improve software reliability by finding previously unknown bugs in software systems. Previous studies have proposed various methods and techniques to improve bug detection. One of the most widely used and effective is automated static analysis techniques (ASATs), which help improve the security of software by detecting potential violations without executing the application. Several empirical studies have demonstrated the usefulness of automated static analysis tools (ASATs) and techniques for detecting security bugs in software systems; these studies usually involve analysing Java source code files to detect and resolve such bugs. In an attempt to improve vulnerability detection and the general quality of web applications, several web vulnerability scanners (WVSs) have also been developed and studied, including the web application attack and audit framework, OWASP Zed Attack Proxy, Skipfish, Arachni, Vega, Stalker, and IronWASP. A WVS performs penetration testing by traversing the application's web pages rather than executing the program. Although these studies have significantly improved bug detection, the choice of the most suitable tool for bug detection in Java code remains a relatively unexplored domain. Moreover, these studies usually focus on analysing the effectiveness of the tools using open-source tools based on C/C++ source code. Additionally, the researchers noticed a research gap regarding web vulnerability scanners: few studies examine the effectiveness of commercial and open-source scanners.

To address these issues, this dissertation empirically investigates the effectiveness of commercial and open-source web vulnerability scanners. The researchers first identify the most widely used open-source and commercial web vulnerability scanners using the Web Application Security Consortium, and then scan two benchmark web applications, WebGoat and DVWA, for vulnerabilities by configuring the browser and the selected scanners for vulnerability detection. More importantly, this dissertation proposes an automated framework for evaluating the severity of vulnerabilities reported by an open-source web scanner, using Zed Attack Proxy to detect vulnerabilities in Damn Vulnerable Web Application. The OWASP 2017 Top Ten selection and prioritization scheme is applied as the benchmark for severity measurement and ranking. Regarding automated static analysis tools, we noticed that the choice of the most suitable tool for bug detection in Java code remains relatively unexplored. This dissertation therefore empirically evaluates the most widely used ASATs, namely FindBugs, PMD, YASCA, LAPSE+, JLint, Bandera, ESC/Java, and Java PathFinder, using the Juliet Test Suite (v1.2). Additionally, the study assessed the detection capabilities of the eight tools with robust performance measures such as precision, recall, the Youden index, and the OWASP Web Benchmark Evaluation.

The following are the main contributions of this dissertation:

(1) This dissertation presents an effective strategy for evaluating and comparing web vulnerability scanners for detecting security vulnerabilities in web applications. We develop a novel approach for assessing the efficiency of eight web vulnerability scanners, namely Acunetix, HP WebInspect, IBM AppScan, OWASP ZAP, Skipfish, Arachni, Vega, and IronWASP. The performance of the tools was assessed using multiple evaluation metrics: precision, recall, the Youden index, the OWASP web benchmark evaluation (WBE), and the Web Application Security Scanner Evaluation Criteria (WASSEC). The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open-source scanners (such as ZAP and Skipfish) can also be effective.

(2) This study proposes a scheme to help security experts determine the most suitable tool for bug detection in Java code files, and also examines the effectiveness of the proposed framework using open-source tools based on C/C++ source code. We empirically evaluate eight widely used ASATs, namely FindBugs, PMD, YASCA, LAPSE+, JLint, Bandera, ESC/Java, and Java PathFinder, using the Juliet Test Suite (v1.2), and assess their detection capabilities with robust performance measures such as precision, recall, the Youden index, and the OWASP Web Benchmark Evaluation (WBE). The experimental results show that the tools obtained precision values ranging from 83% to 90.7% on the studied datasets. Specifically, Java PathFinder achieved the best precision score of 90.7%, followed by YASCA and Bandera with precision scores of 88.7% and 83% respectively. Similarly, Bandera, ESC/Java, and Java PathFinder obtain a Youden index of 0.8, which indicates the effectiveness of these tools in detecting security bugs in Java source code.

(3) In addition, this study proposes a Fast Bug Detection Algorithm (FBDA) to improve vulnerability detection. Its focus is to reduce the size of the code area to be investigated without compromising quality, and thereby to improve processing time. We tested the effectiveness of our framework on a designated subset of the Juliet Test Suite; the results show that our approach achieved a performance gain of 66% and detects bug patterns more successfully than existing static analysis tools. The experimental analysis further shows that the percentage of false positives obtained by our framework is 18.5%, which is much lower than the percentage of false positives reported by ASATs.

(4) Finally, this dissertation proposes an automated framework for evaluating the severity of vulnerabilities reported by an open-source web scanner, using the Zed Attack Proxy (ZAP) to detect vulnerabilities in Damn Vulnerable Web Application (DVWA), with the OWASP 2017 Top Ten selection and prioritization scheme as the benchmark for severity measurement and ranking. The results show that the most frequent vulnerabilities in web applications, such as SQL injection and cross-site scripting, are of medium severity with a severity score of 8.

In conclusion, this dissertation contributes significantly to the theoretical perspective of software vulnerability detection using static analysis and penetration testing.
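The abstract ranks scanners and static analysers by precision, recall, the Youden index and the OWASP benchmark score, but does not spell out how those measures relate. The following Python is an added example, not code from the dissertation: it computes each measure from per-tool confusion counts over a labelled benchmark (flawed versus clean test cases, as in Juliet or the OWASP Benchmark) and ranks the tools. The tool names and counts are constructed for illustration and do not reproduce the dissertation's results. It also handles the edge case of a tool that reports nothing, where precision is undefined, and shows that Youden's J (sensitivity + specificity - 1) is the same quantity as the OWASP Benchmark score (true-positive rate minus false-positive rate).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    """Outcome counts for one tool over a labelled benchmark, where every
    test case is known in advance to be flawed or clean."""
    tp: int  # flawed cases the tool flagged
    fp: int  # clean cases the tool flagged (false alarms)
    tn: int  # clean cases the tool left alone
    fn: int  # flawed cases the tool missed


def precision(c: Confusion) -> float:
    """Share of the tool's warnings that are real. Undefined when the tool
    flags nothing; treated as 0.0 so a silent tool cannot top the ranking."""
    flagged = c.tp + c.fp
    return c.tp / flagged if flagged else 0.0


def recall(c: Confusion) -> float:
    """True-positive rate (sensitivity): share of flawed cases the tool found."""
    flawed = c.tp + c.fn
    return c.tp / flawed if flawed else 0.0


def specificity(c: Confusion) -> float:
    """True-negative rate: share of clean cases the tool correctly left alone."""
    clean = c.tn + c.fp
    return c.tn / clean if clean else 0.0


def youden_index(c: Confusion) -> float:
    """Youden's J = sensitivity + specificity - 1, in [-1, 1].
    0 means no better than flagging cases at random; 1 means a perfect tool."""
    return recall(c) + specificity(c) - 1.0


def wbe_score(c: Confusion) -> float:
    """OWASP Benchmark scorecard value: true-positive rate minus false-positive
    rate. Algebraically identical to Youden's J, so the two agree on every tool."""
    false_positive_rate = 1.0 - specificity(c)
    return recall(c) - false_positive_rate


def evaluate(tools: dict) -> list:
    """Compute every measure per tool and rank by Youden's J, precision as tiebreak."""
    rows = []
    for name, c in tools.items():
        rows.append({
            "tool": name,
            "precision": precision(c),
            "recall": recall(c),
            "specificity": specificity(c),
            "youden": youden_index(c),
            "wbe": wbe_score(c),
        })
    rows.sort(key=lambda r: (r["youden"], r["precision"]), reverse=True)
    return rows


# Constructed sample: four hypothetical tools run over 100 flawed and 100 clean
# cases. Names and counts are made up for illustration only.
SAMPLE = {
    "tool_a": Confusion(tp=90, fp=10, tn=90, fn=10),   # balanced and strong
    "tool_b": Confusion(tp=95, fp=40, tn=60, fn=5),    # noisy: high recall, many false alarms
    "tool_c": Confusion(tp=50, fp=5, tn=95, fn=50),    # cautious: high precision, misses half
    "tool_d": Confusion(tp=0, fp=0, tn=100, fn=100),   # reports nothing at all
}


if __name__ == "__main__":
    for r in evaluate(SAMPLE):
        print(f"{r['tool']}: precision={r['precision']:.3f} recall={r['recall']:.3f} "
              f"specificity={r['specificity']:.3f} youden={r['youden']:.3f} wbe={r['wbe']:.3f}")
```

On this constructed data tool_c has the highest precision (about 0.909) yet ranks third on Youden's J because it misses half of the flawed cases, which is why a comparison such as the one in the abstract reports recall and the Youden index alongside precision rather than precision alone.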
Keywords/Search Tags: Software Vulnerability, Static Analysis, Testing, Scanners, Detection, Vulnerable web application