Analyze vulnerabilities of source codes published on open forums

Abstract

Web applications and mobile applications are extremely popular in the society and also became a part of the human lives. These applications are used by different institutions including gov-ernments for different purposes allowing them to access sensitive information and perform crit-ical operations. Software developers are using many development languages to develop these applications by writing thousands of lines of code, with or without security in mind. Common practice among software developers is that they use open forums to share, suggest code exam-ples and also to look for a suggestion for a problem they face or situation they need to address. Since these open forums are extremely popular among developer community, they tend to use those source examples, for the development of their applications. Because of that source code examples in open forums make direct impact on real world software application, for developers, it is important to have a method of verifying these source code samples and make sure they are free of security vulnerabilities before using. Project aims to solve this problem by developing a simple, user friendly tool, which is capable of analyzing the security vulnerabilities of the source code samples published on open forums. The methodology used is, download large set of source code samples from an open forum, perform a static analysis using a reliable commercial tool, extract the results and create a knowledge-base of vulnerable source snippets, which can be used by the developed tool, to detect vulnerabilities of a particular source code block. Stackoverflow is selected as the open forum and five widely used programming languages, CSharp, Java, PHP, Python and JavaScript were selected for the analysis. Checkmarx is the static analysis tool selected. Over twenty-seven thousand source code samples used for the analysis and over thousand four hundred vulnera-bilities detected by Checkmarx. The Project delivers five main components. Python based crawler used to crawl through Stacko-verflow and download source code samples. Data importer component, developed using csharp, used to import the results given by Checkmarx in to the knowledge base. Dashboard with vari-ous graphs and charts to show the results of the analysis is also developed using csharp. Chrome browser plugin, which is capable of analyzing a selected source code block, for potential vul-nerabilities by referring the knowledge base, is developed as the tool. Finally, MS SQL server used to create the knowledge base which holds all the vulnerability data provided by Checkmarx. The solution can influence the developers to write more secure code during the development of the project and also make them aware about the security vulnerabilities, which will ultimately make the software rugged. Project would be much more interest for those who involve in soft-ware development related areas and also for application security analysts who are interested and very keen on static analysis.