Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4253
Title: Framework for Secure Coding: An algorithmic approach for real-time detection of secure coding guideline violations
Authors: Dasanayake, S.L.
Mudalige, A.
Perera, M.L.T.
Issue Date: 28-Jul-2021
Abstract: Secure Software Development refers to the process of developing software applications with minimised security vulnerabilities. In the release or maintenance phase of the Software Development Life Cycle (SDLC), fixing specific bugs is much more expensive than correcting such issues during the coding or development phase. Therefore it is essential to minimise these software defects within the coding phase itself by adhering to a set of coding best practices that are referred to as secure coding guidelines. Following these guidelines has been a challenging and time-consuming task due to the lack of knowledge among developers regarding such guidelines and the fact that currently there exists only a manual mechanism of checking these guidelines using a checklist. This dissertation proposes a plugin-based framework for the IntelliJ IDEA Integrated Development Environment that focuses on developing a mechanism to automate the process of detecting secure coding guideline violations found in the source code of a software application. The framework is based on the secure coding guidelines introduced by the Software Engineering Institute Computer Emergency Response Team (SEI CERT), known as the SEI CERT secure coding rules. These secure coding rules include guidelines for avoiding coding and implementation errors, as well as low-level design errors. In order to implement the secure coding rules, the rules were classified into three granularity levels, namely Method, Class and Package level. A total of 15 secure coding rules, five from each granularity level, have been implemented in this framework in the form of violation detection algorithms. The source code fragments associated with each violation detection algorithm are obtained via the Abstract Syntax Tree generated by the parser and are stored in data structures such as ArrayLists and HashMaps. Violation detection algorithms use these stored source code fragments to detect secure coding rule violations.
A significant feature of this framework is the extensibility mechanism, through which violation detection algorithms could be added with minimal effort during future development of the framework. Performance optimisation has also been achieved to minimise resource consumption and reduce latency, by improved system design with the support of software design patterns. Apart from detecting secure coding rule violations in the source code, the framework will also provide the necessary countermeasures to overcome those violations. In addition, the framework could be used as a teaching tool for users who are unaware of the secure coding rules, due to its features such as tooltips, tool windows and syntax highlighting. Using this framework, a software developer would be able to adhere to secure coding rules and ensure the security aspect of a software application. The secure coding plugin-based framework has been deployed to the JetBrains plugin repository, enabling it to be downloaded by the users who require it.
URI: http://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4253
Appears in Collections: 2018

Files in This Item:
File: 2014CS015 095.pdf
Size: 4.22 MB
Format: Adobe PDF


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.