Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
9-2017
Abstract
JoanAudit is a static analysis tool to assist security auditors in auditing Web applications and Web services for common injection vulnerabilities during software development. It automatically identifies the parts of the program code that are relevant for security and generates an HTML report that guides security auditors in auditing the source code in a scalable way. JoanAudit is configured with various security-sensitive input sources and sinks relevant to injection vulnerabilities, together with the standard sanitization procedures that prevent these vulnerabilities. It can also automatically fix some cases of vulnerabilities in source code — cases where inputs are used directly in sinks without any form of sanitization — by applying standard sanitization procedures. Our evaluation shows that by using JoanAudit, security auditors are required to inspect only 1% of the total code when auditing for common injection vulnerabilities. The screen-cast demo is available at https://github.com/julianthome/joanaudit.
Keywords
Security auditing, static analysis, vulnerability, automated code fixing
Discipline
Programming Languages and Compilers | Software Engineering
Research Areas
Cybersecurity
Publication
Proceedings of 2017 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, Paderborn, Germany, September 4–8
First Page
1004
Last Page
1008
Identifier
10.1145/3106237.3122822
City or Country
Paderborn, Germany
Citation
THOME, Julian; SHAR, Lwin Khin; BIANCULLI, Domenico; and BRIAND, Lionel.
JoanAudit: A tool for auditing common injection vulnerabilities. (2017). Proceedings of 2017 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, Paderborn, Germany, September 4–8. 1004-1008.
Available at: https://ink.library.smu.edu.sg/sis_research/4776
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/3106237.3122822