EFFECTIVNESS AND IMPROVEMENT OF SAST IN THE CONTEXT OF SQL INJECTION VULNERABILITIES
DOI:
https://doi.org/10.32782/IT/2024-3-16Keywords:
vulnerabilities, SAST tools, SQL injectionsAbstract
Identifying security vulnerabilities early in development is critical to ensuring software reliability. Static Security Analysis (SAST) is widely used to identify potential vulnerabilities in code. However, the complexity of modern applications and the use of dynamic constructs in the code create challenges for SAST tools, especially in detecting SQL Injection vulnerabilities that can lead to unauthorized access to data. The article aims to investigate the effectiveness of the static security analysis method (SAST) in detecting vulnerabilities of the SQL Injection type and, based on experimental analysis, to propose improvements to this method to increase its effectiveness. The methodology consists of conducting an experimental analysis of existing SAST tools for the ability to detect SQL Injection vulnerabilities. A set of test applications with known vulnerabilities was used to evaluate performance. Based on the obtained results, the main problems were identified and improvements to the static analysis method were developed, which were implemented and tested to evaluate their effectiveness. Scientific methods of synthesis, analysis, and comparison are applied. The scientific novelty consists in the development and implementation of improvements to the method of static security analysis, which increases the effectiveness of detecting vulnerabilities of the SQL Injection type. New algorithms for the analysis of dynamic structures in the code and processing of complex query patterns to databases, which were previously unavailable for standard SAST tools, are proposed. Conclusions. The proposed improvements to the method of static security analysis allow to significantly improve the detection of vulnerabilities of the SQL Injection type, which is confirmed by the results of experimental analysis. This emphasizes the importance of developing and implementing advanced techniques in SAST tools to ensure a high level of software security.
References
Cavelty M. D. The Politics of Cyber-Security. New York, 2024. P. 224. DOI: org/10.4324/9781003497080 (дата звернення: 19.08.2024).
Luo C., Li P., Meng W. T. TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security USA. 07 November, 2022. P. 2175–2188. DOI: 10.1145/3548606.3559391.
Wang Y., Wang D., Zhao W., Liu Y. Detecting SQL Vulnerability Attack Based on the Dynamic and Static Analysis Technology. IEEE 39th Annual Computer Software and Applications Conference. 2015. P. 604–607. DOI: 10.1109/COMPSAC.2015.277.
Charoenwet W., Thongtanunam P., Pham V., & Treude, C. An Empirical Study of Static Analysis Tools for Secure Code Review. In Proceedings of ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM. 2024. New York P. 13. DOI: 10.48550/arXiv.2407.12241.
Do L. N. Q., Wright J. R., Ali K. Why Do Software Developers Use Static Analysis Tools? A User-Centered Study of Developer Needs and Motivations. IEEE Transactions on Software Engineering. 2022. Vol. 48, № 3, P. 835–847. DOI: 10.1109/TSE.2020.3004525.
Yuan Ye, Yuliang Lu, Kailong Zhu, Hui Huang, Lu Yu and Jiazhen Zhao. A Static Detection Method for SQL Injection Vulnerability Based on Program Transformation. Applied Sciences. 2023. Vol. 13, № 21. DOI: 10.3390/app132111763.
NVD. National vulnerability database. 2023. URL: https://nvd.nist.gov/ (дата звернення: 19.08.2024).
Chen Z., Cao J. VMCTE: visualization-based malware classification using transfer and ensemble learning. Computers, Materials & Continua. 2023. № 75(2), P. 4445–4465. DOI:10.32604/cmc.2023.038639.
NIST. National institute of standards and technology. URL: https://www.nist.gov/(дата звернення: 19.08.2024).
Vassallo C., Panichella S., Palomba F., Proksch S., Zaidman A., Gall H. C., Context is king: The developer perspective on the usage of static analysis tools. IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER). 2018. P. 38–49. DOI: 10.1109/SANER.2018.8330195.
Smith M., Naiakshina A, Danilova A., Gerlitz E. On conducting security developer studies with cs students: Examining a password-storage study with cs students, freelancers, and company developers. Proceedings of the Conference on Human Factors in Computing Systems, Association for Computing Machinery. 2020. P. 1–12. DOI: 10.1145/3290605.3300370.
Mehrpour S., LaToza T. D. Can static analysis tools find more defects? Empir Software Eng. 2023. Vol.28. № 5. DOI:10.1007/s10664-022-10234.
Shen S., Kolluri A., Dong Z., Saxena P., Roychoudhury A. Localizing vulnerabilities statistically from one exploit. In Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. 2021. P. 537–549. DOI:10.1145/3433210.3437528.
Tufano R., Dabić O., Mastropaolo A., Ciniselli M. and Bavota G. Code review automation: strengths and weaknesses of the state of the art. IEEE Transactions on Software Engineering, 2023. P. 1–16. DOI: 10.1109/TSE.2023.3348172.
Esposito M., Falaschi V., Falessi D. An Extensive Comparison of Static Application Security Testing Tools.2024. DOI: 10.13140/RG.2.2.12326.54085.
Esposito M., Moreschini S., Lenarduzzi V., Hästbacka D., Falessi D. Can we trust the default vulnerabilities severity? In IEEE 23rd International Working Conference on Source Code Analysis and Manipulation (SCAM). 2023. P. 265–270. DOI: 10.1109/SCAM59687.2023.00037.
Lysenko S, Lysenko S., Bobrovnikova K., Kharchenko V., Savenko O. IoT multi-vector cyberattack detection based on machine learning algorithms: traffic features analysis, experiments, and efficiency. Algorithms. 2022. Vol 15. № 7. P. 239. DOI: 10.3390/a15070239
Website of Our Study. Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We? 2024. URL: https://sites.google.com/view/sc-sast-study-fse2024/home (Accessed on 29/07/2024).
Azman M., Marhusin M. F., Sulaiman R. Machine Learning – Based Technique to Detect SQL Injection Attack. Journal of Computer Science. 2021. № 17. P. 296–303. DOI:10.3844/jcssp.2021.296.303.
Medeiros P. I., Fonseca J., Neves N., Correia M., Vieira M. Benchmarking Static Analysis Tools for Web Security. in IEEE Transactions on Reliability. 2018. V. 67. № 3. P. 1159–1175. DOI: 10.1109/TR.2018.2839339.
Charoenwet W., Thongtanunam P., Pham V. T., Treude C. An Empirical Study of Static Analysis Tools for Secure Code Review. In Proceedings of ACM SIGSOFT International Symposium on Software Testing and Analysis. 2024. P. 13 DOI: 10.48550/arXiv.2407.12241.
Savenko B., Lysenko S., Bobrovnikova K., Savenko O., Markowsky G. Detection DNS tunneling botnets. 11th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 22 September, 2021. P. 64–69. DOI: 10.1109/IDAACS53288.2021.9661022
