Please use this identifier to cite or link to this item:
https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4824
Title: A framework for secure coding: real-time detection of custom secure coding guideline violations
Authors: Bowala, I.B.G.T.C.
Issue Date: 26-Sep-2024
Abstract: Secure software development refers to the process of developing software applications with minimized security vulnerabilities. In the release or maintenance phase of the Software Development Life Cycle (SDLC), fixing bugs is more expensive than correcting them during the development phase. Therefore, it is essential to minimize software vulnerabilities within the coding phase by adhering to a set of coding best practices referred to as secure coding guidelines (SCG). Following secure coding guidelines manually is challenging due to the lack of knowledge among developers. Further, distributing and following a set of custom secure coding guidelines provided by the organization or the security expert of the development team is more challenging and time consuming. As a result, software developers tend to commit code with secure coding guideline violations. Currently, very few research studies support detecting secure coding guideline violations on the fly in an Integrated Development Environment (IDE) together with custom rule generation, so a research gap remains in this domain. This study addresses that gap. It proposes a prototype-based framework that provides a new rule creation mechanism, aiming to fill the gap in the rule creation domain, and develops a mechanism to automate the detection of secure coding guideline violations, as defined by the proposed rule creation mechanism, in the source code of a software application. The prototype is an IntelliJ IDEA plugin, and the sample rules created for the evaluation target Java source code.
The proposed rule creation mechanism, based on the Artificial Intelligence Markup Language (AIML), was able to define secure coding rules that fill the existing gap, and the prototype-based framework was able to detect violations of these rules, benefiting the software development research area.
Key phrases: Secure coding guideline violations, Secure coding rule creation, Artificial intelligence markup language, Static code analysis, Software Development Life Cycle
URI: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4824
Appears in Collections: 2023
Files in This Item:
File | Description | Size | Format | 
---|---|---|---|---
2019MCS012.pdf | | 2.92 MB | Adobe PDF | View/Open