DocumentCode :
1831962
Title :
Trustworthiness Benchmarking of Web Applications Using Static Code Analysis
Author :
Neto, Afonso Araújo ; Vieira, Marco
Author_Institution :
CISUC, Univ. of Coimbra, Coimbra, Portugal
fYear :
2011
fDate :
22-26 Aug. 2011
Firstpage :
224
Lastpage :
229
Abstract :
Benchmarking the security of web applications is complex and, although there are many proposals of metrics, no consensual quantitative security metric has been proposed so far. Static analysis is an effective approach for detecting vulnerabilities, but the complexity of applications and the large variety of vulnerabilities prevent any single tool from being foolproof. In this application paper we investigate the hypothesis of combining the output of multiple static code analyzers to define metrics for comparing the trustworthiness of web applications. Various experiments, including a benchmarking campaign over seven distinct open source web forums, show that the raw number of vulnerabilities reported by a set of tools allows rough trustworthiness comparison. We also study the use of normalization and false positive rate estimation to calibrate the output of each tool. Results show that calibration allows computing a very accurate metric that can be used to easily and automatically compare different applications.
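The abstract describes combining the findings of several static analyzers into one trustworthiness metric, first as a raw count and then calibrated by per-tool normalization and false-positive rate estimates. The following is an added illustration of that idea, not code from the paper or its authors: the exact weighting scheme (discount each tool's count by its estimated true-positive fraction, normalize each tool's column by its maximum across applications, average across tools) is an assumption chosen to show why calibration can reorder applications that a raw count ranks differently. The application names, tool names, report counts and false-positive rates are all constructed sample data, not the seven forums or the tools used in the paper.

```python
"""Trustworthiness comparison from multiple static analyzers.

Added illustration, not the paper's code. The calibration below is an
assumption: each tool's finding count is discounted by the tool's estimated
false-positive rate, normalized per tool so a chatty analyzer cannot dominate,
and then averaged. Lower score means fewer estimated real vulnerabilities, i.e.
more trustworthy under the page's hypothesis.
"""
from typing import Dict, List

# Constructed sample data: findings reported per tool per application.
# Names are placeholders, not the applications or tools from the paper.
REPORTS: Dict[str, Dict[str, int]] = {
    "forum_a": {"tool_x": 60, "tool_y": 5, "tool_z": 2},
    "forum_b": {"tool_x": 10, "tool_y": 30, "tool_z": 6},
    "forum_c": {"tool_x": 0, "tool_y": 4, "tool_z": 0},
}

# Constructed false-positive rate estimates per tool, e.g. from manually
# auditing a random sample of each tool's findings. tool_x is very noisy.
FP_RATE: Dict[str, float] = {"tool_x": 0.75, "tool_y": 0.20, "tool_z": 0.10}


def raw_score(reports: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Raw metric: total findings reported by all tools, per application."""
    return {app: sum(counts.values()) for app, counts in reports.items()}


def calibrated_score(reports: Dict[str, Dict[str, int]],
                     fp_rate: Dict[str, float]) -> Dict[str, float]:
    """Calibrated metric (assumed formula): discount, normalize, average."""
    tools = sorted({t for counts in reports.values() for t in counts})
    # Step 1: expected true positives = count * (1 - estimated FP rate).
    tp = {
        app: {t: counts.get(t, 0) * (1.0 - fp_rate[t]) for t in tools}
        for app, counts in reports.items()
    }
    # Step 2: per-tool normalization to [0, 1] by the maximum across
    # applications; a tool that reports nothing anywhere gets scale 1.0.
    scale = {t: (max(tp[app][t] for app in tp) or 1.0) for t in tools}
    # Step 3: average the normalized columns so every tool weighs equally.
    return {
        app: sum(tp[app][t] / scale[t] for t in tools) / len(tools)
        for app in tp
    }


def rank(scores: Dict[str, float]) -> List[str]:
    """Most trustworthy (lowest score) first; ties broken by name."""
    return sorted(scores, key=lambda app: (scores[app], app))


if __name__ == "__main__":
    raw = raw_score(REPORTS)
    cal = calibrated_score(REPORTS, FP_RATE)
    print("raw ranking:       ", rank(raw), raw)
    print("calibrated ranking:", rank(cal), {a: round(s, 3) for a, s in cal.items()})
```

With the constructed data, the raw count ranks forum_b above forum_a because tool_x floods forum_a with findings, most of which are expected to be false positives; once each tool's output is discounted and normalized, forum_a moves ahead of forum_b. Replacing the sample counts with real analyzer output and the FP_RATE table with rates measured by auditing a sample of each tool's findings is what turns the sketch into an actual benchmark.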
Keywords :
Internet; security of data; Web applications; consensual quantitative security metric; static code analysis; trustworthiness benchmarking; Benchmark testing; Computer bugs; Encoding; Estimation; Measurement; Security; Web services; benchmarking; static analysis; trust-based metrics; trustworthiness; web applications
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
2011 Sixth International Conference on Availability, Reliability and Security (ARES)
Conference_Location :
Vienna
Print_ISBN :
978-1-4577-0979-1
Electronic_ISBN :
978-0-7695-4485-4
Type :
conf
DOI :
10.1109/ARES.2011.37
Filename :
6045967