A Static IDE Plugin to Detect Security Hotspot for Laravel Framework Based Web Application

Muhammad Anis Al Hilmi*, Raswa, Robi Robiyanto, Daniel Oranova Siahaan, Alifia Puspaningrum, Hernawati Susanti Samosir

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Automatic detection of potential vulnerabilities is critical to promoting application security awareness, and it should be performed at the earliest stages of the software development life cycle to minimize risk. Regardless of the progress of vulnerability detection techniques for program code, both static and deep-learning based, web application developers need to be assisted with real-time notifications directly from the IDE they use, so that they can stay focused rather than waiting for the entire project to be completed. A common problem with vulnerability detection tools is annoying false-positive results and a lack of anticipation of new or unknown vulnerabilities. Therefore, in this work, we choose an approach that identifies patterns and spots where there are potential vulnerabilities, termed security hotspots, rather than detecting vulnerabilities directly. We propose a rule-based plugin integrated into the IDE which can detect eight security hotspots in the program code of PHP web applications based on the Laravel framework. We have implemented a proof-of-concept extension/plugin for the popular VSCode code editor (at this initial stage, running only on Windows OS), developed from PHP_CodeSniffer. Experiments on 10 Laravel-based projects gave an accuracy of 98.6% and an F1 score of 87.36%. When running, the extension takes 1 ms on the smallest input (66 tokens) and 382 ms on the largest (4,051 tokens). The results show that this plugin can help in code analysis of Laravel-based projects. Our approach can also effectively complement existing software security best practices. © 2023 IEEE.
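The abstract describes a rule-based hotspot detector built on PHP_CodeSniffer but does not list the eight hotspots. The following is an added example, written for this page and not taken from the paper's plugin, of what one such rule looks like as a PHP_CodeSniffer sniff: it flags Laravel raw-SQL calls (DB::raw(), DB::select(), whereRaw(), and similar) whose first argument is not a constant string. The choice of hotspot, the standard name LaravelHotspot, the sniff class name and the warning code are all assumptions; the sample lines in the comments are constructed.

```php
<?php
// Added example (not the paper's plugin). A PHP_CodeSniffer sniff that reports a
// "security hotspot": a raw-SQL method whose SQL text is built from a variable,
// an interpolated string or a call, i.e. a place a reviewer must look at, not a
// confirmed injection. Standard/sniff names and the warning code are assumptions.
//
// Constructed samples:
//   Flagged:     DB::select("SELECT * FROM users WHERE name = '$name'");
//   Flagged:     $query->whereRaw('id = ' . $id);
//   Not flagged: DB::select('SELECT * FROM users WHERE name = ?', [$name]);
namespace LaravelHotspot\Sniffs\Database;

use PHP_CodeSniffer\Files\File;
use PHP_CodeSniffer\Sniffs\Sniff;

class RawQuerySniff implements Sniff
{
    /** Method names (lower-cased) whose first argument Laravel treats as raw SQL. */
    private const RAW_SQL_METHODS = [
        'raw', 'select', 'statement', 'unprepared',
        'whereraw', 'selectraw', 'orderbyraw', 'havingraw',
    ];

    /** Token codes that may appear in a fully constant first argument. */
    private const SAFE_TOKENS = [
        T_CONSTANT_ENCAPSED_STRING, T_STRING_CONCAT, T_WHITESPACE, T_COMMENT,
    ];

    public function register()
    {
        // Method names are T_STRING tokens; we filter by name in process().
        return [T_STRING];
    }

    public function process(File $phpcsFile, $stackPtr)
    {
        $tokens = $phpcsFile->getTokens();
        $name   = strtolower($tokens[$stackPtr]['content']);
        if (in_array($name, self::RAW_SQL_METHODS, true) === false) {
            return;
        }

        // Only a method or static call counts: "->name(" or "::name(".
        $prev = $phpcsFile->findPrevious(T_WHITESPACE, $stackPtr - 1, null, true);
        if ($prev === false
            || in_array($tokens[$prev]['code'], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true) === false
        ) {
            return;
        }
        $open = $phpcsFile->findNext(T_WHITESPACE, $stackPtr + 1, null, true);
        if ($open === false || $tokens[$open]['code'] !== T_OPEN_PARENTHESIS) {
            return;
        }
        $close = $tokens[$open]['parenthesis_closer'];

        // Locate the end of the first argument: the first comma at nesting depth 0.
        $firstArgEnd = $close;
        $depth       = 0;
        for ($i = $open + 1; $i < $close; $i++) {
            $code = $tokens[$i]['code'];
            if ($code === T_OPEN_PARENTHESIS || $code === T_OPEN_SHORT_ARRAY || $code === T_OPEN_SQUARE_BRACKET) {
                $depth++;
            } elseif ($code === T_CLOSE_PARENTHESIS || $code === T_CLOSE_SHORT_ARRAY || $code === T_CLOSE_SQUARE_BRACKET) {
                $depth--;
            } elseif ($code === T_COMMA && $depth === 0) {
                $firstArgEnd = $i;
                break;
            }
        }

        // Any token other than a single-quoted/constant string, concatenation of
        // such strings, whitespace or comment means the SQL text is not constant.
        // Note: PHP_CodeSniffer tokenizes "...$var..." as one T_DOUBLE_QUOTED_STRING,
        // so interpolated strings are caught here as well.
        for ($i = $open + 1; $i < $firstArgEnd; $i++) {
            if (in_array($tokens[$i]['code'], self::SAFE_TOKENS, true) === false) {
                $phpcsFile->addWarning(
                    'Raw SQL passed to %s() is built from a non-constant expression; '
                    . 'pass values as bindings instead (security hotspot, review manually)',
                    $stackPtr,
                    'NonConstantRawSql',
                    [$tokens[$stackPtr]['content']]
                );
                return;
            }
        }
    }
}
```

To try it, place the file at LaravelHotspot/Sniffs/Database/RawQuerySniff.php next to a minimal ruleset.xml that names the standard "LaravelHotspot", then run phpcs --standard=path/to/LaravelHotspot app/ (directory layout and command are the standard PHP_CodeSniffer conventions, not anything taken from the paper). Reporting a warning rather than an error, and leaving the case with bindings unflagged, is what keeps this a hotspot rule: it points a reviewer at the line without asserting that the query is exploitable.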

Original language: English
Title of host publication: Proceedings of 2023 IEEE International Conference on Data and Software Engineering, ICoDSE 2023
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1-6
Number of pages: 6
ISBN (Electronic): 9798350381382
DOIs
Publication status: Published - 2023
Event: 2023 IEEE International Conference on Data and Software Engineering, ICoDSE 2023 - Hybrid, Toba, Indonesia
Duration: 7 Sept 2023 - 8 Sept 2023

Publication series

Name: Proceedings of 2023 IEEE International Conference on Data and Software Engineering, ICoDSE 2023

Conference

Conference: 2023 IEEE International Conference on Data and Software Engineering, ICoDSE 2023
Country/Territory: Indonesia
City: Hybrid, Toba
Period: 7/09/23 - 8/09/23

Keywords

  • Laravel
  • security
  • security hotspot
  • static analysis
  • vulnerabilities
