A Static IDE Plugin to Detect Security Hotspot for Laravel Framework Based Web Application
Main Authors: | Anis Al Hilmi, Muhammad; Raswa; Robiyanto, Robi; Oranova Siahaan, Daniel; Puspaningrum, Alifia; Susanti Samosir, Hernawati |
---|---|
Format: | Conference Proceeding |
Language: | English |
Subjects: | Application security; Best practices; Codes; Deep learning; Laravel; Real-time systems; Security; security hotspot; Software; static analysis; vulnerabilities |
container_start_page | 1 |
---|---|
container_end_page | 6 |
creator | Anis Al Hilmi, Muhammad; Raswa; Robiyanto, Robi; Oranova Siahaan, Daniel; Puspaningrum, Alifia; Susanti Samosir, Hernawati |
description | Automatic detection of potential vulnerabilities is critical to promoting application security awareness. It should be performed at the earliest stages of the software development life cycle, the goal being to minimize risk, regardless of the progress of various vulnerability detection techniques in program code, both static and with deep learning, website application developers need to be assisted with notifications in real time, not waiting for the entire project to be completed directly from the IDE they use to stay focused. A common problem with vulnerability detection tools is annoying false-positive results and a lack of anticipation of new or unknown vulnerabilities. Therefore, in this work, we choose an approach to identify patterns and spots where there are potential vulnerabilities, termed security hotspots, so as not to detect vulnerabilities directly. We propose a rule-based plugin integrated into the IDE, which can detect eight security hotspots in the PHP web application program code based on the Laravel framework. We have implemented a proof-of-concept extension/plugin in the popular VSCode code editor (for this initial stage, only running on Windows OS), which is developed from PHP_CodeSniffer. Experiments on 10 Laravel-based projects presented an accuracy of 98.6% and an F1 score of 87.36%. When running, the extension takes 1 ms for the shortest number of tokens, 66 tokens, and 382 ms for the most extended tokens (4,051 tokens). The result shows that this plugin can help in code analysis on Laravel-based projects. Our approach can also effectively complement existing software security best practices. |
doi_str_mv | 10.1109/ICoDSE59534.2023.10291941 |
format | conference_proceeding |
date | 2023-09-07 |
eisbn | 9798350381382 |
publisher | IEEE |
pages | 1-6 |
fulltext | fulltext_linktorsrc |
identifier | EISSN: 2640-0227 |
ispartof | 2023 IEEE International Conference on Data and Software Engineering (ICoDSE), 2023, p.1-6 |
issn | 2640-0227 |
language | eng |
recordid | cdi_ieee_primary_10291941 |
source | IEEE Xplore All Conference Series |
subjects | Application security; Best practices; Codes; Deep learning; Laravel; Real-time systems; Security; security hotspot; Software; static analysis; vulnerabilities |
title | A Static IDE Plugin to Detect Security Hotspot for Laravel Framework Based Web Application |
url | http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-09-23T01%3A31%3A49IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_CHZPO&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=A%20Static%20IDE%20Plugin%20to%20Detect%20Security%20Hotspot%20for%20Laravel%20Framework%20Based%20Web%20Application&rft.btitle=2023%20IEEE%20International%20Conference%20on%20Data%20and%20Software%20Engineering%20(ICoDSE)&rft.au=Anis%20Al%20Hilmi,%20Muhammad&rft.date=2023-09-07&rft.spage=1&rft.epage=6&rft.pages=1-6&rft.eissn=2640-0227&rft_id=info:doi/10.1109/ICoDSE59534.2023.10291941&rft.eisbn=9798350381382&rft_dat=%3Cieee_CHZPO%3E10291941%3C/ieee_CHZPO%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-i119t-3a8f24070c58b55459ef5c500a1e73966203552c1bafaeecb511f513483aab3f3%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=10291941&rfr_iscdi=true |