Название: Heuristic and Knowledge-Based Security Checks of Source Code Artifacts Using Community KnowledgeАвтор: Fabien Patrick Viertel
Издательство: Logos Verlag Berlin
Год: 2021
Страниц: 228
Язык: английский
Формат: pdf (true)
Размер: 10.1 MB
The goal of this book is to support developers in applying security checks using community knowledge. Artificial Intelligence (AI) approaches combined with Natural Language Processing (NLP) techniques are employed to identify security-related information from community websites such as Stack Overflow or GitHub. All security-related information is stored in a security knowledge base. This knowledge base provides code fragments that represent the community's knowledge about vulnerabilities, security-patches, and exploits. Comprehensive knowledge is required to carry out security checks on software artifacts, such as data covering known vulnerabilities and their manifestation in the source code as well as possible attack strategies.
Approaches that check software libraries and source code fragments are provided for the automated use of the data. Insecure software libraries can be detected using the National Vulnerability Database (NVD) combined with metadata and library file hash approaches introduced in this dissertation. Vulnerable source code fragments can be identified using community knowledge represented by code fragments extracted from the largest coding community websites: Stack Overflow and GitHub. A state-of-the-art clone detection approach is modified and enriched by several heuristics to enable vulnerability detection and leverage community knowledge while maintaining good performance. Using various case studies, the approaches implemented in Eclipse plugins and a JIRA plugin are adapted to the users' needs and evaluated.
Over 80% of the world’s existing information is in the form of natural language text, making up a large part of the Stack Exchange network web pages. Therefore, texts are the most valuable source of knowledge. Text classification exists in different forms such as supervised, unsupervised, and semi-supervised learning. These forms contain Machine Learning techniques such as neural networks, and can be enriched by Natural Language Processing (NLP) methods to discover patterns and automatically classify text into different types. This procedure is knowledge-intensive and reflects the use of knowledge within the textual information. Code clone detection aims to locate exact or similar code fragments, called clones, in or between the source code of software.
Eclipse Library Checker. The prototype of the library checker implements the described approaches for identifying vulnerable software libraries used within projects. Again in collaboration with a master’s thesis, I developed the plugin. Therefore, each library is analyzed for security directly after its import into a project. If a vulnerable library is detected, the present library files are highlighted with a color from the common vulnerability scoring system (CVSS) severity range.
JIRA Security Checker. In collaboration with several bachelor and master theses, I created a security plugin to add security perspectives to the project management framework JIRA. To preserve short feedback cycles on potential vulnerabilities within the implementation of supposed completed tickets, the plugin supports the sprint-specific feedback on vulnerabilities. Within a ring chart, each ring visualizes the vulnerabilities detected in the realized sprints. Security flaws are attributed to their CVSS value as expressed by the following color distribution: red, orange, yellow, gray (no scoring available), green (no issues detected) and white (ignored by member).
Скачать Heuristic and Knowledge-Based Security Checks of Source Code Artifacts Using Community Knowledge