STASEC - TOOL FOR SECURITY VULNERABILITIES DETECTION IN WEB APPLICATIONS USING STATIC ANALYSIS OF JAVA SOURCE CODE

  • Dijana Vuković Elektrotehnički fakultet Banjaluka
  • Zoran Đurić Elektrotehnički fakultet Banjaluka
Keywords: static analysis, Web applications vulnerabilities, attacks on Web applications, security, static analysis tool

Abstract

Web application security has become one of the most important aspects of their design and implementation. Most Web applications manipulate sensitive data and must therefore be adequately protected from potential attacks. Security vulnerabilities in Web applications can be discovered in two ways: static analysis of the source code and dynamic analysis. Static analysis means testing an application without running it, by analysing its source code. Vulnerabilities in Web applications are often caused by inappropriate validation of input data. In addition, Web applications can be unreliable in themselves and contain a number of security vulnerabilities; the application's own code is considered one of the causes of software unreliability. Using static analysis, potential security vulnerabilities in Web applications can be detected, which creates the preconditions for their elimination. Tools have been specially developed for static analysis of source code. Existing tools for vulnerability detection using static analysis of source code can be divided into commercial tools and open source tools. Most of them offer static analysis only of applications written in a single programming language, with a fixed set of rules that cannot be extended. This paper presents STASEC, a tool for security vulnerability detection using static analysis of Java source code. The basic feature of this tool is modularity: by implementing modules for the analysis of applications written in other programming languages, the tool can be extended. An XML Schema is defined for storing the rules that the tool uses for static analysis, which allows simple extension of the rule set used in the analysis.
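To make the abstract's two design points concrete (rules kept in an XML document so the rule set can be extended without code changes, and a language-specific analysis module that consumes them), the following is an added illustration, not STASEC's code, schema or rule set. The XML rule format, the `source`/`sink`/`sanitizer` elements, the two Java fragments and the `escapeHtml` helper they reference are all constructed assumptions for this example. The analysis is deliberately simple: it marks a variable as tainted when it is assigned from a rule's source pattern, propagates taint through assignments that use a tainted variable, and reports when a tainted variable appears on a line matching the rule's sink pattern.

```python
"""Rule-driven scanner for Java source, added as an illustration (not STASEC).

The XML rule format, the Java snippets and every identifier below are
constructed for this example; they are not STASEC's schema, rules or code.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed rule set. Each rule is a taint source and a sink (regexes); an
# optional sanitizer pattern marks a sink line as already cleansed.
RULES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rules language="java">
  <rule id="SQLI-001" severity="high">
    <description>Request parameter reaches a JDBC query method</description>
    <source>request\\.getParameter\\(</source>
    <sink>\\.(executeQuery|executeUpdate|execute)\\(</sink>
  </rule>
  <rule id="XSS-001" severity="medium">
    <description>Request parameter written straight to the HTTP response</description>
    <source>request\\.getParameter\\(</source>
    <sink>getWriter\\(\\)\\.print(ln)?\\(</sink>
    <sanitizer>escapeHtml\\(</sanitizer>
  </rule>
</rules>
"""


@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    description: str
    source: re.Pattern
    sink: re.Pattern
    sanitizer: re.Pattern | None


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line: int
    variable: str  # tainted variable that reached the sink
    code: str


def load_rules(xml_text: str) -> list[Rule]:
    """Parse the XML rule set; adding a rule means adding an element, not code."""
    root = ET.fromstring(xml_text)
    rules = []
    for node in root.findall("rule"):
        sanitizer = node.findtext("sanitizer")
        rules.append(Rule(
            rule_id=node.get("id"),
            severity=node.get("severity", "medium"),
            description=(node.findtext("description") or "").strip(),
            source=re.compile(node.findtext("source")),
            sink=re.compile(node.findtext("sink")),
            sanitizer=re.compile(sanitizer) if sanitizer else None,
        ))
    return rules


# `Type name = expr;` or `name = expr;` (one statement per line, as in the samples)
ASSIGN_RE = re.compile(r"^\s*(?:[\w<>\[\],]+\s+)?(\w+)\s*=\s*(.+);\s*$")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')  # a Java string literal


def references(var: str, code: str) -> bool:
    """True if `var` occurs as a whole word in `code`."""
    return re.search(rf"\b{re.escape(var)}\b", code) is not None


def analyze(java_source: str, rules: list[Rule]) -> list[Finding]:
    """Line-oriented taint tracking per rule (constructed approximation)."""
    findings: list[Finding] = []
    for rule in rules:
        tainted: set[str] = set()
        for lineno, raw in enumerate(java_source.splitlines(), start=1):
            # Blank out string literals so words inside them are not read as variables.
            code = STRING_RE.sub('""', raw)
            sanitized = rule.sanitizer is not None and rule.sanitizer.search(code)
            if rule.sink.search(code) and not sanitized:
                for var in sorted(tainted):
                    if references(var, code):
                        findings.append(Finding(rule.rule_id, rule.severity, lineno, var, raw.strip()))
                        break
            m = ASSIGN_RE.match(code)
            if m:
                lhs, rhs = m.group(1), m.group(2)
                if rule.source.search(rhs) or any(references(v, rhs) for v in tainted):
                    tainted.add(lhs)
    return findings


# Constructed servlet fragments: the first concatenates a request parameter into
# a query and echoes it back unescaped; the second uses a parameterised query and
# an (assumed) HTML-escaping helper.
VULNERABLE_JAVA = """\
String name = request.getParameter("name");
String query = "SELECT * FROM users WHERE name = '" + name + "'";
ResultSet rs = stmt.executeQuery(query);
String fixed = "SELECT * FROM users WHERE id = 1";
stmt.executeQuery(fixed);
response.getWriter().println(name);
"""

HARDENED_JAVA = """\
String name = request.getParameter("name");
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
ps.setString(1, name);
ResultSet rs = ps.executeQuery();
response.getWriter().println(escapeHtml(name));
"""

if __name__ == "__main__":
    loaded = load_rules(RULES_XML)
    for label, src in (("vulnerable", VULNERABLE_JAVA), ("hardened", HARDENED_JAVA)):
        print(f"== {label}")
        for f in analyze(src, loaded):
            print(f"{f.severity:6} {f.rule_id} line {f.line} via {f.variable}: {f.code}")
```

Running the script reports the SQL-injection rule on line 3 of the vulnerable fragment (via `query`) and the output-encoding rule on line 6 (via `name`), and nothing for the hardened fragment, where the parameterised query keeps the tainted value out of the sink line and the sanitizer pattern clears the response write. Because the check is lexical and per line, it is only an approximation of what a real analyser such as STASEC must do: it cannot see taint that crosses method boundaries, and it trusts any line matching the sanitizer pattern, so both false negatives and false positives are possible.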
Published: 2019-01-15
Section: Articles