TY - GEN
T1 - A Static IDE Plugin to Detect Security Hotspot for Laravel Framework Based Web Application
AU - Anis Al Hilmi, Muhammad
AU - Raswa,
AU - Robiyanto, Robi
AU - Oranova Siahaan, Daniel
AU - Puspaningrum, Alifia
AU - Susanti Samosir, Hernawati
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Automatic detection of potential vulnerabilities is critical to promoting application security awareness. It should be performed at the earliest stages of the software development life cycle, with the goal of minimizing risk. Regardless of the progress of various vulnerability detection techniques for program code, both static and deep-learning based, web application developers need to be assisted with real-time notifications directly from the IDE they use, so that they stay focused rather than waiting for the entire project to be completed. A common problem with vulnerability detection tools is annoying false-positive results and a lack of anticipation of new or unknown vulnerabilities. Therefore, in this work, we choose an approach that identifies patterns and spots where there are potential vulnerabilities, termed security hotspots, rather than detecting vulnerabilities directly. We propose a rule-based plugin integrated into the IDE, which can detect eight security hotspots in the program code of PHP web applications based on the Laravel framework. We have implemented a proof-of-concept extension/plugin for the popular VSCode code editor (at this initial stage, running only on Windows OS), developed from PHP_CodeSniffer. Experiments on 10 Laravel-based projects showed an accuracy of 98.6% and an F1 score of 87.36%. When running, the extension takes 1 ms for the shortest input (66 tokens) and 382 ms for the longest (4,051 tokens). The results show that this plugin can help with code analysis on Laravel-based projects. Our approach can also effectively complement existing software security best practices. © 2023 IEEE.
AB - Automatic detection of potential vulnerabilities is critical to promoting application security awareness. It should be performed at the earliest stages of the software development life cycle, with the goal of minimizing risk. Regardless of the progress of various vulnerability detection techniques for program code, both static and deep-learning based, web application developers need to be assisted with real-time notifications directly from the IDE they use, so that they stay focused rather than waiting for the entire project to be completed. A common problem with vulnerability detection tools is annoying false-positive results and a lack of anticipation of new or unknown vulnerabilities. Therefore, in this work, we choose an approach that identifies patterns and spots where there are potential vulnerabilities, termed security hotspots, rather than detecting vulnerabilities directly. We propose a rule-based plugin integrated into the IDE, which can detect eight security hotspots in the program code of PHP web applications based on the Laravel framework. We have implemented a proof-of-concept extension/plugin for the popular VSCode code editor (at this initial stage, running only on Windows OS), developed from PHP_CodeSniffer. Experiments on 10 Laravel-based projects showed an accuracy of 98.6% and an F1 score of 87.36%. When running, the extension takes 1 ms for the shortest input (66 tokens) and 382 ms for the longest (4,051 tokens). The results show that this plugin can help with code analysis on Laravel-based projects. Our approach can also effectively complement existing software security best practices. © 2023 IEEE.
KW - Laravel
KW - security
KW - security hotspot
KW - static analysis
KW - vulnerabilities
UR - http://www.scopus.com/inward/record.url?scp=85177431842&partnerID=8YFLogxK
U2 - 10.1109/ICoDSE59534.2023.10291941
DO - 10.1109/ICoDSE59534.2023.10291941
M3 - Conference contribution
AN - SCOPUS:85177431842
T3 - Proceedings of 2023 IEEE International Conference on Data and Software Engineering, ICoDSE 2023
SP - 1
EP - 6
BT - Proceedings of 2023 IEEE International Conference on Data and Software Engineering, ICoDSE 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2023 IEEE International Conference on Data and Software Engineering, ICoDSE 2023
Y2 - 7 September 2023 through 8 September 2023
ER -