Memory Error Detection in Security Testing

04/09/2021
by   Nasif Imtiaz, et al.
0

We study 10 C/C++ projects that have been using a static analysis security testing tool. We analyze the historical scan reports generated by the tool and study how frequently memory-related alerts appeared. We also studied the subsequent developer action on those alerts. We also look at the CVEs published for these projects within the study timeline and investigate how many of them are memory related. Moreover, for one of this project, Linux, we investigate if the involved flaws in the CVE were identified by the studied security tool when they were first introduced in the code. We found memory related alerts to be frequently detected during static analysis security testing. However, based on how actively the project developers are monitoring the tool alerts, these errors can take years to get fixed. For the ten studied projects, we found a median lifespan of 77 days before memory alerts get fixed. We also find that around 40 memory. These memory CVEs have higher CVSS severity ratings and likelihood of having an exploit script public than non-memory CVEs. We also found only 2.5 Linux CVEs were possibly detected during static analysis security testing.

READ FULL TEXT
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

12/20/2021

How Do Developers Deal with Security Issue Reports on GitHub?

Security issue reports are the primary means of informing development te...
10/21/2020

Uncovering the Hidden Dangers: Finding Unsafe Go Code in the Wild

The Go programming language aims to provide memory and thread safety thr...
10/12/2021

Does it matter who pays back Technical Debt? An empirical study of self-fixed TD

Context: Technical Debt (TD) can be paid back either by those that incur...
02/13/2021

Data-Driven Vulnerability Detection and Repair in Java Code

Java platform provides various APIs to facilitate secure coding. However...
09/05/2020

Teddy: Automatic Recommendation of Pythonic Idiom Usage For Pull-Based Software Projects

Pythonic code is idiomatic code that follows guiding principles and prac...
09/09/2019

Análise de Segurança Baseada em Roles para Fábricas de Software

Most software factories contain applications with sensitive information ...
10/08/2021

Co-link analysis as a monitoring tool: A webometric use case to map the web relationships of research projects

This study explores the societal embeddedness of the websites of researc...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.