Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

9-2012

Abstract

Software defect prediction studies have shown that defect predictors built from static code attributes are useful and effective. On the other hand, to mitigate the threats posed by common web application vulnerabilities, many vulnerability detection approaches have been proposed. However, finding alternative solutions to address these risks remains an important research problem. As web applications generally adopt input validation and sanitization routines to prevent web security risks, in this paper we propose a set of static code attributes that represent the characteristics of these routines for predicting the two most common web application vulnerabilities: SQL injection and cross-site scripting. In our experiments, vulnerability predictors built from the proposed attributes detected more than 80% of the vulnerabilities in the test subjects at low false alarm rates.

Keywords

Defect prediction, static code attributes, web application vulnerabilities, input validation and sanitization, empirical study

Discipline

Information Security | Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

ASE '12: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering: Essen, Germany, September 3-7

First Page

310

Last Page

313

ISBN

9781450312042

Identifier

10.1145/2351676.2351733

Publisher

ACM

City or Country

New York

Copyright Owner and License

Publisher

Additional URL

https://doi.org/10.1145/2351676.2351733
