A Static IDE Plugin to Detect Security Hotspot for Laravel Framework Based Web Application


Bibliographic Details
Main Authors: Anis Al Hilmi, Muhammad, Raswa, Robiyanto, Robi, Oranova Siahaan, Daniel, Puspaningrum, Alifia, Susanti Samosir, Hernawati
Format: Conference Proceeding
Language: English
container_start_page 1
container_end_page 6
creator Anis Al Hilmi, Muhammad
Raswa
Robiyanto, Robi
Oranova Siahaan, Daniel
Puspaningrum, Alifia
Susanti Samosir, Hernawati
description Automatic detection of potential vulnerabilities is critical to promoting application security awareness. It should be performed at the earliest stages of the software development life cycle, the goal being to minimize risk. Regardless of the progress of various vulnerability detection techniques for program code, both static and deep-learning based, web application developers need to be assisted with real-time notifications directly from the IDE they use, rather than waiting for the entire project to be completed, so that they can stay focused. A common problem with vulnerability detection tools is annoying false-positive results and a lack of anticipation of new or unknown vulnerabilities. Therefore, in this work, we choose an approach that identifies patterns and spots where there are potential vulnerabilities, termed security hotspots, rather than detecting vulnerabilities directly. We propose a rule-based plugin integrated into the IDE, which can detect eight security hotspots in the program code of PHP web applications based on the Laravel framework. We have implemented a proof-of-concept extension/plugin for the popular VSCode code editor (for this initial stage, running only on Windows OS), which is developed from PHP_CodeSniffer. Experiments on 10 Laravel-based projects gave an accuracy of 98.6% and an F1 score of 87.36%. When running, the extension takes 1 ms for the shortest input (66 tokens) and 382 ms for the longest input (4,051 tokens). The result shows that this plugin can help in code analysis on Laravel-based projects. Our approach can also effectively complement existing software security best practices.
doi_str_mv 10.1109/ICoDSE59534.2023.10291941
format conference_proceeding
identifier EISSN: 2640-0227
ispartof 2023 IEEE International Conference on Data and Software Engineering (ICoDSE), 2023, p.1-6
issn 2640-0227
language eng
recordid cdi_ieee_primary_10291941
source IEEE Xplore All Conference Series
subjects Application security
Best practices
Codes
Deep learning
Laravel
Real-time systems
Security
security hotspot
Software
static analysis
vulnerabilities
title A Static IDE Plugin to Detect Security Hotspot for Laravel Framework Based Web Application
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-09-23T01%3A31%3A49IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_CHZPO&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=A%20Static%20IDE%20Plugin%20to%20Detect%20Security%20Hotspot%20for%20Laravel%20Framework%20Based%20Web%20Application&rft.btitle=2023%20IEEE%20International%20Conference%20on%20Data%20and%20Software%20Engineering%20(ICoDSE)&rft.au=Anis%20Al%20Hilmi,%20Muhammad&rft.date=2023-09-07&rft.spage=1&rft.epage=6&rft.pages=1-6&rft.eissn=2640-0227&rft_id=info:doi/10.1109/ICoDSE59534.2023.10291941&rft.eisbn=9798350381382&rft_dat=%3Cieee_CHZPO%3E10291941%3C/ieee_CHZPO%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-i119t-3a8f24070c58b55459ef5c500a1e73966203552c1bafaeecb511f513483aab3f3%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=10291941&rfr_iscdi=true