ABSTRACT The high-level contribution of this paper is to illustrate the development of generic solution strategies to remove software security vulnerabilities that could be identified using automated tools for source code analysis on software programs (developed in Java). We use the Source Code Analyzer and Audit Workbench automated tools, developed by HP Fortify Inc., for our testing purposes. We present case studies involving a file writer program embedded with features for password validation, and connection-oriented server socket programs to discover, analyze the impact and remove the following software security vulnerabilities: (i) Hardcoded Password, (ii) Empty Password Initialization, (iii) Denial of Service, (iv) System Information Leak, (v) Unreleased Resource, (vi) Path Manipulation, and (vii) Resource Injection vulnerabilities. For each of these vulnerabilities, we describe the potential risks associated with leaving them unattended in a software program, and provide the solutions (including the code snippets in Java) that can be incorporated to remove these vulnerabilities. The proposed solutions are very generic in nature, and can be suitably modified to correct any such vulnerabilities in software developed in any other programming language.
Automated Source Code Analysis to Identify and Remove Software Security Vulnerabilities: Case Studies on Java Programs
1 file(s) 1.54 MB
Authors
Natarajan Meghanathan
- Organization : Department of Computer Science, Jackson State University, MS (USA)
- Email : natarajan.meghanathan@jsums.edu