Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services

Cited by: 35
Authors
Antunes, Nuno [1 ]
Vieira, Marco [1 ]
Affiliation
[1] Univ Coimbra, Dept Informat Engn, CISUC, Coimbra, Portugal
Source
IEEE 15TH PACIFIC RIM INTERNATIONAL SYMPOSIUM ON DEPENDABLE COMPUTING, PROCEEDINGS | 2009
Keywords
Security; Vulnerabilities; SQL Injection; Penetration Testing; Static Code Analysis; Web Services;
DOI
10.1109/PRDC.2009.54
CLC classification
TP31 [Computer software];
Discipline code
081202 ; 0835 ;
Abstract
Web services are becoming business-critical components that must provide a non-vulnerable interface to the client applications. However, previous research and practice show that many web services are deployed with critical vulnerabilities. SQL Injection vulnerabilities are particularly relevant, as web services frequently access a relational database using SQL commands. Penetration testing and static code analysis are two well-known techniques often used for the detection of security vulnerabilities. In this work we compare how effective these two techniques are at detecting SQL Injection vulnerabilities in web services code. To understand the strengths and limitations of these techniques, we used several commercial and open source tools to detect vulnerabilities in a set of vulnerable services. Results suggest that, in general, static code analyzers are able to detect more SQL Injection vulnerabilities than penetration testing tools. Another key observation is that tools implementing the same detection approach frequently detect different vulnerabilities. Finally, many tools provide low coverage and a high false positive rate, making them a bad option for programmers.
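The two detection approaches the abstract compares, reduced to a runnable toy. This is an added example and not code from the paper or from any of the tools it evaluates: it assumes an in-memory sqlite3 database with constructed rows, a deliberately vulnerable service operation (`find_user_vulnerable`) beside its parameterized fix (`find_user_safe`), a third operation that builds SQL from an allow-listed column name, and two minimal stand-ins for the tool classes under study: a black-box tautology probe in the style of a penetration-testing scanner and a white-box AST check in the style of a static analyzer. The function and table names are hypothetical.

```python
"""Added example: SQL Injection in a toy web-service operation, detected by a
penetration-testing-style probe and by a static-analysis-style source check.
Not code from Antunes & Vieira (PRDC 2009); all names and data are constructed."""
import ast
import inspect
import sqlite3
import textwrap


def make_db():
    # Constructed sample data standing in for the service's backing database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def find_user_vulnerable(conn, name):
    # Vulnerable: the client-supplied value is spliced into the SQL text.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened: the value travels as a bound parameter, never as SQL text.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def list_users_by_column(conn, column):
    # Dynamic SQL, but the only variable part comes from a fixed allow-list.
    # A pattern-based static check will still flag it: a typical false positive.
    allowed = {"name", "email"}
    if column not in allowed:
        raise ValueError("unknown column")
    sql = "SELECT " + column + " FROM users ORDER BY 1"
    return [row[0] for row in conn.execute(sql).fetchall()]


def pentest_probe(conn, operation):
    """Black-box check: a tautology payload must not return more rows than a
    benign request for a user that does not exist. A rejected request is
    treated as no evidence of injection."""
    try:
        baseline = operation(conn, "nobody")
        injected = operation(conn, "nobody' OR '1'='1")
    except Exception:
        return False
    return len(injected) > len(baseline)


def static_check(func):
    """White-box check: flag execute() calls whose SQL text is an expression
    (concatenation, formatting) rather than a plain string literal. Resolves
    one level of local assignment so `sql = ...; execute(sql)` is inspected."""
    tree = ast.parse(textwrap.dedent(inspect.getsource(func)))
    assigned = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assigned[node.targets[0].id] = node.value
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            arg = node.args[0]
            if isinstance(arg, ast.Name):
                arg = assigned.get(arg.id, arg)
            if not isinstance(arg, ast.Constant):
                return True
    return False


def compare():
    """Run both detectors over the three operations and report their verdicts."""
    conn = make_db()
    ops = [find_user_vulnerable, find_user_safe, list_users_by_column]
    return {op.__name__: {"pentest": pentest_probe(conn, op),
                          "static": static_check(op)} for op in ops}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:24s} pentest={verdict['pentest']}  static={verdict['static']}")
```

Running `compare()` shows the pattern the abstract describes in miniature: both detectors agree on the concatenated query and on the parameterized one, but they disagree on the allow-listed column builder, which the source-pattern check reports and the dynamic probe does not. Real static analyzers reason about taint rather than literal-versus-expression, and real scanners send many more payloads, but the coverage and false-positive trade-off is the same one the paper measures.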
Pages: 301 / 306
Page count: 6