
A Static IDE Plugin to Detect Security Hotspot for Laravel Framework Based Web Application


Bibliographic Details
Main Authors: Anis Al Hilmi, Muhammad, Raswa, Robiyanto, Robi, Oranova Siahaan, Daniel, Puspaningrum, Alifia, Susanti Samosir, Hernawati
Format: Conference Proceeding
Language: English
Description
Summary: Automatic detection of potential vulnerabilities is critical to promoting application security awareness, and it should be performed at the earliest stages of the software development life cycle in order to minimize risk. Regardless of the progress of the various vulnerability detection techniques for program code, both static and deep-learning based, web application developers need to be assisted with real-time notifications directly from the IDE they use, so that they can stay focused rather than waiting for the entire project to be completed. A common problem with vulnerability detection tools is annoying false-positive results and a lack of anticipation of new or unknown vulnerabilities. Therefore, in this work we choose an approach that identifies patterns and spots where potential vulnerabilities may exist, termed security hotspots, rather than detecting vulnerabilities directly. We propose a rule-based plugin integrated into the IDE that can detect eight security hotspots in PHP web application program code based on the Laravel framework. We have implemented a proof-of-concept extension/plugin for the popular VSCode code editor (at this initial stage, running only on Windows OS), developed from PHP_CodeSniffer. Experiments on 10 Laravel-based projects showed an accuracy of 98.6% and an F1 score of 87.36%. When running, the extension takes 1 ms for the shortest input (66 tokens) and 382 ms for the longest (4,051 tokens). The results show that this plugin can help with code analysis on Laravel-based projects, and our approach can effectively complement existing software security best practices.
ISSN: 2640-0227
DOI: 10.1109/ICoDSE59534.2023.10291941