Evaluation of Software Vulnerability Detection Methods and Tools: A Review

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Year of Publication: 2017
Authors:
Richard Amankwah, Patrick Kwaku Kudjo, Samuel Yeboah Antwi
10.5120/ijca2017914750

Richard Amankwah, Patrick Kwaku Kudjo and Samuel Yeboah Antwi. Evaluation of Software Vulnerability Detection Methods and Tools: A Review. International Journal of Computer Applications 169(8):22-27, July 2017. BibTeX

@article{10.5120/ijca2017914750,
	author = {Richard Amankwah and Patrick Kwaku Kudjo and Samuel Yeboah Antwi},
	title = {Evaluation of Software Vulnerability Detection Methods and Tools: A Review},
	journal = {International Journal of Computer Applications},
	issue_date = {July 2017},
	volume = {169},
	number = {8},
	month = {Jul},
	year = {2017},
	issn = {0975-8887},
	pages = {22-27},
	numpages = {6},
	url = {http://www.ijcaonline.org/archives/volume169/number8/28005-2017914750},
	doi = {10.5120/ijca2017914750},
	publisher = {Foundation of Computer Science (FCS), NY, USA},
	address = {New York, USA}
}

Abstract

Software vulnerability remains a serious problem among industry players in the world today because of the numerous security-related challenges it poses to end-users and stakeholders. Although previous studies have proposed various methods and tools that can be used in reducing or eliminating software vulnerability, those studies raised several additional questions that need to be addressed: (1) Can all the tools be used in curbing software vulnerabilities? (2) Can a specific tool detect all software vulnerabilities? To address these questions, we performed a detailed evaluation of the various software vulnerability detection methods and tools to find out their differences and similarities. Our study also seeks to investigate the most efficient approach for detecting vulnerabilities based on previously proposed benchmarks and present some recommendations for future studies.

Keywords

Benchmarks; Software Vulnerability; Vulnerability Detection