The present invention relates to application security. More specifically the present invention relates to fixing security vulnerabilities in application's source code.
Web application security issues pose an imminent and growing threat. Caused primarily by security bugs in the code of an application, web application security vulnerabilities may allow an unauthorized person to view personal and confidential data of another. Security vulnerabilities may let hackers run queries on a back-end database, and possibly even take over a web server entirely.
Most organizations leave security issues to be handled by a dedicated security team, which tests the application before it goes live typically well after the application development and design are finished. Fixing security bugs then requires those teams to push the issues back to developers to perform a full iteration of late code changes, resulting in very high costs to fix what are often the simplest security bugs.
Input validation vulnerabilities amount to a majority of total cyber vulnerabilities and Structured Query Language (SQL) injection is a common example of such input vulnerability. SQL is a standard language for accessing and manipulating databases. SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. Vulnerability is said to be present when user input is incorrectly filtered for string literal escape character embedded in SQL statements and may run query on the application back-end database. SQL injection attacks are also known as SQL insertion attacks and in both instances a tainted data injected by a user to the running application is the active agent of the attack.
Three dominant approaches were developed to help the development teams cope with web application security: dynamic analysis, static analysis and run-time analysis. Dynamic analysis tests the running application from the outside. The application is tested as a closed entity. Dynamic analysis does involve looking into what happens within the application. Static analysis tests the application code directly and is similar to an automated code review. Run-time analysis tools empower dynamic and static analysis using the application code to produce the dynamic analysis tests and to monitor the application as different events occur.
Several known products and academic publications focus on static analysis for web application security. Static analysis tools scan the application code using a predefined set of security rules and candidate vulnerabilities detected are reported to the user. In mature industrial tools the static analyzer report is accompanied by generic remediation information, which proposes ways in which the developer can fix the code so as to remove the reported security vulnerability. The development team needs to implement and validate such code fixes manually, which is a subtle and error-prone task.
Since Web applications developers far outnumber security experts, typically only the most critical applications are tested with such static or dynamic analysis tools and the remaining web applications are released with high likelihood that security issues will go into production undetected.