Empirical comparison of the performance of popular vulnerability detection tools II


Bibliographic Details
Main Author: Yiu, Hong Sum
Other Authors: Liu Yang
Format: Final Year Project
Language:English
Published: 2019
Subjects:
Online Access:http://hdl.handle.net/10356/76898
Institution: Nanyang Technological University
Description
Summary: Vulnerability detection tools are often regarded as the universal remedy for vulnerabilities in an application. However, these tools can only detect vulnerabilities in the application code that the developers wrote themselves. Today, developers use many open-source components to speed up development, and these components contain vulnerabilities that the developers are unaware of. Software Composition Analysis (SCA) tools are used to detect potential vulnerabilities in these open-source components. The main problem is that tools differ in accuracy, efficiency, and ease of use, so working with the wrong tool could leave vulnerabilities undetected for attackers to exploit. In this research, a further study was made of the differences between SCA tools in terms of precision and coverage. A benchmarking approach was used to assess and evaluate the performance of SCA tools integrated with different Continuous Integration tools. The benchmark shows developers how different libraries introduce hidden vulnerabilities at the build stage, and the results give them a clearer picture of which tools suit the language and scenario they work in.
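A worked illustration of the benchmarking approach the summary refers to, added here and not part of the project's own code: each tool's reported findings for one lock file are compared against a labelled ground truth of known-vulnerable components, and precision and coverage are computed per tool. The package names, versions, advisory identifiers and tool names below are all constructed for illustration; they are not real packages, real advisories or real products.

```python
"""Toy SCA benchmark: score each tool's findings against a labelled ground truth.

Added example, not code from the project described on this page. Every
package, version, advisory ID and tool name here is made up for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# A finding is (package, version, advisory_id). Ground truth uses the same shape,
# so a tool is scored on exact matches of all three fields.
Finding = tuple[str, str, str]

# Constructed ground truth for a hypothetical lock file: these components are
# treated as known-vulnerable for the benchmark (hypothetical IDs, not CVEs).
GROUND_TRUTH: frozenset[Finding] = frozenset({
    ("pkg-a", "1.2.0", "HYP-0001"),
    ("pkg-b", "0.9.4", "HYP-0002"),
    ("pkg-b", "0.9.4", "HYP-0003"),
    ("pkg-c", "3.0.1", "HYP-0004"),
})

# Constructed reports from three hypothetical SCA tools run on the same lock file.
TOOL_REPORTS: dict[str, frozenset[Finding]] = {
    "tool-x": frozenset({
        ("pkg-a", "1.2.0", "HYP-0001"),
        ("pkg-b", "0.9.4", "HYP-0002"),
        ("pkg-b", "0.9.4", "HYP-0003"),
        ("pkg-d", "2.1.0", "HYP-0099"),  # not in ground truth: a false positive
    }),
    "tool-y": frozenset({
        ("pkg-a", "1.2.0", "HYP-0001"),
        ("pkg-c", "3.0.1", "HYP-0004"),
    }),
    "tool-z": frozenset(),  # reported nothing at all (the 0/0 precision case)
}


@dataclass(frozen=True)
class Score:
    tp: int                     # findings that match a ground-truth entry
    fp: int                     # findings with no ground-truth entry
    fn: int                     # ground-truth entries the tool missed
    precision: Optional[float]  # tp / (tp + fp); None when the tool reported nothing
    coverage: float             # tp / |ground truth|, i.e. recall


def score_tool(findings: frozenset[Finding], ground_truth: frozenset[Finding]) -> Score:
    """Compute precision and coverage of one tool's findings by set comparison."""
    tp = len(findings & ground_truth)
    fp = len(findings - ground_truth)
    fn = len(ground_truth - findings)
    # A tool that reports nothing has undefined precision rather than 1.0 or 0.0;
    # surface that explicitly instead of silently dividing by zero.
    precision = tp / (tp + fp) if findings else None
    coverage = tp / len(ground_truth) if ground_truth else 0.0
    return Score(tp, fp, fn, precision, coverage)


def benchmark(reports: dict[str, frozenset[Finding]],
              ground_truth: frozenset[Finding]) -> dict[str, Score]:
    """Score every tool report against the same ground truth."""
    return {name: score_tool(findings, ground_truth) for name, findings in reports.items()}


def _fmt(value: Optional[float]) -> str:
    return "n/a" if value is None else f"{value:.2f}"


if __name__ == "__main__":
    for name, s in benchmark(TOOL_REPORTS, GROUND_TRUTH).items():
        print(f"{name}: tp={s.tp} fp={s.fp} fn={s.fn} "
              f"precision={_fmt(s.precision)} coverage={s.coverage:.2f}")
```

The comparison is deliberately strict (package, version and advisory must all match). Real tools often name the same issue by different identifiers or report it against a version range, so a practical benchmark needs an identifier-normalisation step before this scoring; that step is not shown here.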