JoanAudit: A tool for auditing common injection vulnerabilities

JoanAudit is a static analysis tool to assist security auditors in auditing Web applications and Web services for common injection vulnerabilities during software development. It automatically identifies parts of the program code that are relevant for security and generates an HTML report to guide security auditors in auditing the source code in a scalable way. JoanAudit is configured with various security-sensitive input sources and sinks relevant to injection vulnerabilities and standard sanitization procedures that prevent these vulnerabilities. It can also automatically fix some cases of vulnerabilities in source code (cases where inputs are directly used in sinks without any form of sanitization) by using standard sanitization procedures. Our evaluation shows that by using JoanAudit, security auditors are required to inspect only 1% of the total code for auditing common injection vulnerabilities. The screen-cast demo is available at https://github.com/julianthome/joanaudit.


Bibliographic Details
Main Authors: THOME, Julian, SHAR, Lwin Khin, BIANCULLI, Domenico, BRIAND, Lionel
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2017
Subjects: Security auditing; static analysis; vulnerability; automated code fixing; Programming Languages and Compilers; Software Engineering
Online Access:https://ink.library.smu.edu.sg/sis_research/4776
https://ink.library.smu.edu.sg/context/sis_research/article/5779/viewcontent/JoanAudit_esec_fse2017_demo.pdf
Institution: Singapore Management University
id sg-smu-ink.sis_research-5779
record_format dspace
date 2017-09-08T07:00:00Z
format application/pdf
doi info:doi/10.1145/3106237.3122822
license http://creativecommons.org/licenses/by-nc-nd/4.0/
series Research Collection School Of Computing and Information Systems
building SMU Libraries
continent Asia
country Singapore
content_provider SMU Libraries
collection InK@SMU
topic Security auditing
static analysis
vulnerability
automated code fixing
Programming Languages and Compilers
Software Engineering
description JoanAudit is a static analysis tool to assist security auditors in auditing Web applications and Web services for common injection vulnerabilities during software development. It automatically identifies parts of the program code that are relevant for security and generates an HTML report to guide security auditors in auditing the source code in a scalable way. JoanAudit is configured with various security-sensitive input sources and sinks relevant to injection vulnerabilities and standard sanitization procedures that prevent these vulnerabilities. It can also automatically fix some cases of vulnerabilities in source code (cases where inputs are directly used in sinks without any form of sanitization) by using standard sanitization procedures. Our evaluation shows that by using JoanAudit, security auditors are required to inspect only 1% of the total code for auditing common injection vulnerabilities. The screen-cast demo is available at https://github.com/julianthome/joanaudit.