Title: Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services

Author: Antunes, Nuno; Vieira, Marco

Author Institution: Dept. of Inf. Eng., Univ. of Coimbra, Coimbra, Portugal

Abstract: Web services are becoming business-critical components that must provide a non-vulnerable interface to client applications. However, previous research and practice show that many web services are deployed with critical vulnerabilities. SQL injection vulnerabilities are particularly relevant, as web services frequently access a relational database using SQL commands. Penetration testing and static code analysis are two well-known techniques often used for the detection of security vulnerabilities. In this work we compare how effective these two techniques are at detecting SQL injection vulnerabilities in web services code. To understand the strengths and limitations of these techniques, we used several commercial and open source tools to detect vulnerabilities in a set of vulnerable services. Results suggest that, in general, static code analyzers are able to detect more SQL injection vulnerabilities than penetration testing tools. Another key observation is that tools implementing the same detection approach frequently detect different vulnerabilities. Finally, many tools provide low coverage and a high false positive rate, making them a poor option for programmers.

Keywords: SQL; Web services; security of data; user interfaces; SQL injection vulnerability detection; business-critical components; penetration testing; penetration testing tools; static code analysis; Application software; Automatic testing; Data security; Network servers; Performance analysis; Performance evaluation; Relational databases; Simple object access protocol; Web server; Penetration Testing; SQL Injection; Static Code Analysis; Vulnerabilities

Conference Title: Dependable Computing, 2009. PRDC '09. 15th IEEE Pacific Rim International Symposium on

Conference Location: Shanghai

Print ISBN: 978-0-7695-3849-5

DOI: 10.1109/PRDC.2009.54