Sensei: Enforcing secure coding guidelines in the integrated development environment

Cremer, Pieter De; Desmet, Nathan; Madou, Matias; Sutter, Bjorn De

doi:10.1002/spe.2844

Cited by 8 publications

(7 citation statements)

References 30 publications

(91 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These types of issues can lead to serious consequences. For example in 2019, DoorDash, a food delivery app with over 10m installs, stored users' credentials in plain text on users' phones, allowing any other app access to the data [29,30].…”

Section: Prevalence Of Known Vulnerabilitiesmentioning

confidence: 99%

“…We made a list of code samples with vulnerabilities from three resources: (1) OWASP's 2017 top ten web application security risks [77], (2) common weakness enumeration (CWE) 2019 top 25 most dangerous software errors [24], and (3) prior research in usable security studies with developers [1,4,28,40,57,66,71,79]. All code samples were in Java which was selected because it was a popular programming language in several platforms such as GitHub [37], Stack Overflow [76], and other programming languages indexing services [20,23,51].…”

Section: Code Samplesmentioning

confidence: 99%

“…Sensitive data exposure (DE): excessive and unnecessary logging could expose sensitive data (OWASP A3, CWE-200, and [28]). We used logging of data from a server request.…”

Section: Code Samplesmentioning

confidence: 99%

“…: data provided by users should be sanitised before use in SQL database queries (OWASP A1, CWE-89, and [28]). Our case contained an update to the database using a string concatenation including input data using the createStatement() and execute() methods.…”

Section: Sql Injection (Si)mentioning

confidence: 99%

See 3 more Smart Citations

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei

Vaniea

Beznosov

et al. 2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, requiring them to be able to understand and act on tools' notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the appropriate fix. Participants had a positive attitude towards both SAT notifications and particularly liked the example solutions and vulnerable code. Seeing SAT notifications also led to more detailed open-ended answers and slightly improved code correction answers. Still, most SAT (SpotBugs 67%, SonarQube 86%) and Control (96%) participants answered at least one code-correction question incorrectly. Prior software development experience, perceived vulnerability severity, and answer confidence all positively impacted answer accuracy. CCS CONCEPTS• Human-centered computing → Empirical studies in HCI; • Security and privacy → Usability in security and privacy; Software and application security.

show abstract

Section: Prevalence Of Known Vulnerabilitiesmentioning

confidence: 99%

Section: Code Samplesmentioning

confidence: 99%

“…Sensitive data exposure (DE): excessive and unnecessary logging could expose sensitive data (OWASP A3, CWE-200, and [28]). We used logging of data from a server request.…”

Section: Code Samplesmentioning

confidence: 99%

Section: Sql Injection (Si)mentioning

confidence: 99%

See 2 more Smart Citations

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei

Vaniea

Beznosov

et al. 2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…We also can find many works on tools and techniques to prevent or detect and eliminate software bugs during the software development process [27], [28], like SonarQube [29], a platform for continuous inspection (static analysis) of code to detect bugs, vulnerabilities, and code smells. Sensei [30] is another example that tries to enforce secure coding guidelines in the integrated development environment. However, it is still very difficult for developers, if not impossible, to build software without vulnerabilities.…”

Section: Background and Related Workmentioning

confidence: 99%

Vulnerable Code Detection Using Software Metrics and Machine Learning

et al. 2020

View full text Add to dashboard Cite

Software metrics are widely-used indicators of software quality and several studies have shown that such metrics can be used to estimate the presence of vulnerabilities in the code. In this paper, we present a comprehensive experiment to study how effective software metrics can be to distinguish the vulnerable code units from the non-vulnerable ones. To this end, we use several machine learning algorithms (Random Forest, Extreme Boosting, Decision Tree, SVM Linear, and SVM Radial) to extract vulnerability-related knowledge from software metrics collected from the source code of several representative software projects developed in C/C++ (Mozilla Firefox, Linux Kernel, Apache HTTPd, Xen, and Glibc). We consider different combinations of software metrics and diverse application scenarios with different security concerns (e.g., highly critical or non-critical systems). This experiment contributes to understanding whether software metrics can effectively be used to distinguish vulnerable code units in different application scenarios, and how can machine learning algorithms help in this regard. The main observation is that using machine learning algorithms on top of software metrics helps to indicate vulnerable code units with a relatively high level of confidence for security-critical software systems (where the focus is on detecting the maximum number of vulnerabilities, even if false positives are reported), but they are not helpful for low-critical or non-critical systems due to the high number of false positives (that bring an additional development cost frequently not affordable).

show abstract