Modelos de pruebas de seguridad estática en reducción de ineficiencia identificación de Inyección SQL en Aplicaciones Web

Armando Tipacti Garcia

doi:10.26423/rctu.v11i2.800

Armando Tipacti Garcia Facultad de Ingeniería de Sistemas e Informática, Unidad de Postgrado, Universidad Nacional Mayor de San Marcos, Lima, Perú

DOI: https://doi.org/10.26423/rctu.v11i2.800

Palabras clave: Pruebas Seguridad Estática, Desarrollo de Software Seguro, DevSecOps, Inyección SQL

Resumen

La detección temprana de vulnerabilidades es crucial en el desarrollo de software para garantizar la seguridad de las aplicaciones web, especialmente frente a ataques de inyección SQL. Las pruebas de Seguridad Estática (SAST) permiten identificar vulnerabilidades desde las primeras etapas del ciclo de vida del desarrollo. Este artículo revisa sistemáticamente la literatura para identificar y analizar los modelos de SAST más eficaces en reducir ineficiencias en la detección de inyecciones SQL. Siguiendo las guías PRISMA 2020 y el enfoque de Kitchenham, se realizaron búsquedas exhaustivas en bases de datos como EBSCO y Scopus. Los resultados muestran que la integración temprana de SAST y el uso de inteligencia artificial mejoran la detección de vulnerabilidades, reduciendo falsos positivos y negativos. La implementación de modelos avanzados de SAST es esencial para mejorar la seguridad de las aplicaciones web, sugiriéndose investigaciones futuras en metodologías más integradas y nuevas herramientas.

Descargas

La descarga de datos todavía no está disponible.

Citas

NGUYEN, Dinh; SEO, Aria; NNAMDI, Nnubia; SON, Yunsik. False Alarm Reduction Method for Weakness Static Analysis Using BERT Model. En: Applied Sciences [en línea]. MDPI, 2023, v. 13, no. 6, pp. 1-13. [fecha de consulta: 03-06-2024]. ISSN 2076-3417. Disponible en: https://doi.org/10.3390/app13063502.

CASOLA, Valentina; DE BENEDICTIS, Alessandra; MAZZOCCA, Carlo; ORBINATO, Vittorio. Secure software development and testing: A model-based methodology. En: Computers & Security [en línea]. Elsevier, 2024, v. 137, pp. 1-16. [fecha de consulta: 03-06-2024]. ISSN 0167-4048. Disponible en: https://doi.org/10.1016/j.cose.2023.103639.

SCHIEWE, Micah; CURTIS, Jacob; BUSHONG, Vincent; CERNY, Tomas. Advancing Static Code Analysis with Language-Agnostic Component Identification. En: IEEE Access [en línea]. IEEE, 2022, v. 10, pp. 30743–30761. [fecha de consulta: 03-06-2024]. ISSN 2169-3536. Disponible en: https://doi.org/10.1109/ACCESS.2022.3160485.

ABEYRATHNA, Ashanthi; SAMARAGE, Chamal; DAHANAYAKE, Buddika; WIJESIRIWARDANA, Chaman; Wimalaratne, Prasad. A security specific knowledge modelling approach for secure software engineering. En: Journal of the National Science Foundation of Sri Lanka [en línea]. National Science Foundation of Sri Lanka, 2020, v. 48, no. 1, pp. 93–98. [fecha de consulta: 03-06-2024]. ISSN 1391-4588. Disponible en: https://doi.org/10.4038/jnsfsr.v48i1.8950.

MATEO, Francesc; BERMEJO, Juan; BERMEJO, Javier; SICILIA, Juan; ARGYROS, Michael. On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications. En: Applied Sciences [en línea]. MDPI, 2020, v. 10, no. 24, pp. 1–26. [fecha de consulta: 03-06-2023]. ISSN 2076-3417. Disponible en: https://doi.org/10.3390/app10249119.

BAKHSHANDEH, Atieh; KERAMATFAR, Abdalsamad; NOROUZI, Amir; CHEKIDEHKHOUN, Mohammad. Using ChatGPT as a Static Application Security Testing Tool. En: The ISC International Journal of Information Security [en línea]. Isecure, 2023, v. 15, no. 3, pp. 1–8. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.22042/isecure.2023.182082

WIJESIRIWARDANA, C.; WIMALARATNE, P.; ABEYSINGHE, T.; SHALIKA S., AHMED, N.; MUFARRIJ, M. Software Engineering Secure CodeCity: 3-dimensional visualization of software security facets. En: Journal of the National Science Foundation of Sri Lanka [en línea]. National Science Foundation of Sri Lanka, 2023, v. 51, no. 3, pp. 423–436. [fecha de consulta: 03-06-2024]. ISSN 2362-0161. Disponible en: https://doi.org/10.4038/jnsfsr.v51i3.11201.

BERMEJO, Juan; BERMEJO, Javier; SICILIA, Juan; SUREDA, Tomás; ARGYROS, Christopher; MAGREÑÁN, Alberto. Combinatorial Method with Static Analysis for Source Code Security in Web Applications. En: Computer Modeling in Engineering & Sciences [en línea]. Tech Science Press, 2021, v. 129, no. 2, pp. 541–565. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.32604/cmes.2021.017213.

PAGE, Matthew; MCKENZIE, Joanne; BOSSUYT, Patrick; BOUTRON, Isabelle; HOFFMANN, Tammy; MULROW, Cynthia; et al. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. En: BMJ Journals [en línea]. BMJ, 2021, v. 372, no.71, pp. 1-9. [fecha de consulta: 03-06-2024]. Disponible en https://doi.org/10.1136/bmj.n71.

KITCHENHAM, Barbara. Procedures for Performing Systematic Reviews. [En línea]. Keele University Technical Report, 2004, pp.1-28. [fecha de consulta: 03-06-2024]. ISSN:1353-7776. Disponible en: https://www.researchgate.net/publication/228756057

HOLGUIN, Fresia; HOLGUIN, Edys; GARCIA, Nelly. Gamificación en la enseñanza de las matemáticas: una revisión sistemática. En: Revista de Estudios Interdisciplinarios en Ciencias Sociales [en línea]. Telos, 2020, v. 22, no. 1, pp. 62–75. [fecha de consulta: 03-06-2024]. ISSN 1317-0570. Disponible en: https://doi.org/10.36390/telos221.05.

LOMBARDI, Francisco; FANTON, Alberto. From DevOps to DevSecOps is not enough. CyberDevOps: an extreme shifting-left architecture to bring cybersecurity within software security lifecycle pipeline. En: Software Quality Journal [en línea]. Springer, 2023, v. 31, no. 2, pp. 619–654. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.1007/s11219-023-09619-3.

LEE, Wen; LIU, Zhun. Microservices-based DevSecOps Platform using Pipeline and Open Source Software. En: Journal of Information Science and Engineering [en línea]. Airiti Library, 2023, v. 39, no. 5, pp. 1117–1128. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.6688/JISE.202309_39(5).0007.

WIJESIRIWARDANA, Chaman; ABEYRATNE, Ashanthi; SAMARAGE, Chamal; DAHANAYAKE, Buddika; WIMALARATNE, Prasad. Secure Software Engineering: A Knowledge Modeling based Approach for Inferring Association between Source Code and Design Artifacts. En: International Journal of Advanced Computer Science and Applications [en línea]. SAI, 2020, v.11, no. 12, pp. 708-716. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.14569/IJACSA.2020.0111282

SCHUBERT, Philipp; GAZZILLO, Paul; PATTERSON, Zach; BRAHA, Julian; SCHIEBEL, Fabian; HERMANN, Ben; WEI, Shiyi; BODDEN, Eric. Static data-flow analysis for software product lines in C. En: Automated Software Engineering [en línea]. Springer, 2022, v. 29, no. 35, pp. 1-37. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.1007/s10515-022-00333-1.

PISKACHEV, Goran; BECKER, Matthias; BODDEN, Erick. Can the conFiguration of static analyses make resolving security vulnerabilities more effective? - A user study. En: Empirical Software Engineering [en línea]. Springer, 2023, v. 28, no. 118, pp. 1-28. [fecha de consulta: 03-06-2024]. Disponible en: doi: https://doi.org/10.1007/s10664-023-10354-3.

ALQARADAGHI, Midya; KOZSIK, Tamás. Comprehensive Evaluation of Static Analysis Tools for Their Performance in Finding Vulnerabilities in Java Code. En: IEEE Access [en línea]. IEEE, 2024, v. 12, pp. 55824–55842. [fecha de consulta: 03-06-2024]. ISSN 2169-3536. Disponible en: https://doi.org/10.1109/ACCESS.2024.3389955.

SAURABH, Shobhit; KUMAR, Deepak. Model to reduce DevOps Pipeline execution time using SAST. En: International Journal of System Assurance Engineering and Management [en línea]. Springer, 2024, v. 15, pp. 1999–2009. [fecha de consulta: 03-06-2024]. ISSN 2693-5015. Disponible en: https://doi.org/10.1007/s13198-024-02262-6.

YUAN, Ye; LU, Yuliang; ZHU, Kailong; HUANG, Hui; YU, Lu; ZHAO, Jiazhen. A Static Detection Method for SQL Injection Vulnerability Based on Program Transformation. En: Applied Sciences [en línea]. MDPI, 2023, v. 13, no. 21, pp. 1-18. [fecha de consulta: 03-06-2024]. ISSN 2076-3417. Disponible en: https://doi.org/10.3390/app132111763.

KUSZCZYŃSKI, Kajetan; WALKOWSKI, Michal. Comparative Analysis of Open-Source Tools for Conducting Static Code Analysis. En: Sensors [en línea]. MDPI, 2023, v. 23, no. 18, pp. 2-33. [fecha de consulta: 03-06-2024]. ISSN 2076-3417 [fecha de consulta: 03-06-2023]. ISSN 1424-8220. Disponible en: https://doi.org/10.3390/s23187978.

CORREA, Roddy; BERMEJO, BERMEJO, Javier; SICILIA, Juan; SANCHEZ, Manuel; Magreñán, Alberto. Hybrid security assessment methodology for web applications. En: Computer Modeling in Engineering and Sciences [en línea]. Tech Science Press, 2021, v. 126, no. 1, pp. 89-124, 2021. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.32604/CMES.2021.010700.

SIEWRUK, Grzegorz; MAZURCZYK, Wojciech. Context-Aware Software Vulnerability Classification Using Machine Learning. En: IEEE Access [en línea]. IEEE, 2021, v. 9, pp. 88852-88867. [fecha de consulta: 03-06-2024]. ISSN 2169-3536. Disponible en: https://doi.org/10.1109/ACCESS.2021.3075385.

LOMIO, Francesco; MORESCHINI, Sergio; LENARDUZZI, Valentina. A machine and deep learning analysis among SonarQube rules, product, and process metrics for fault prediction. En: Empirical Software Engineering [en línea]. Springer, 2022, v. 27, no. 189, pp. 1-57. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.1007/s10664-022-10164-z.

AL-JOHANY, Norah; EASSA, Fathy; SHARAF, Sanaa; NOAMAN, Amin; AHMED, Assad. Prediction and Correction of Software Defects in Message-Passing Interfaces Using a Static Analysis Tool and Machine Learning. En: IEEE Access [en línea]. IEEE, 2023, v. 11, pp. 60668-60680. [fecha de consulta: 03-06-2024]. ISSN 2169-3536. Disponible en: https://doi.org/10.1109/ACCESS.2023.3285598.

SZABÓ, Zoltán;BILICKI, Vilmos. A New Approach to Web Application Security: Utilizing GPT Language Models for Source Code Inspection. En: Future Internet [en línea]. MDPI, 2023, v. 15, no. 326, pp. 1-27. [fecha de consulta: 03-06-2023]. ISSN 1999-5903. Disponible en: https://doi.org/10.3390/fi15100326.

ALQARADAGHI, Midya; NAZIR, Muhammad; KOZSIK, Tamás. Design and Implement an Accurate Automated Static Analysis Checker to Detect Insecure Use of SecurityManager. En: Computers [en línea]. MDPI, 2023, v. 12, no. 247, pp. 2-12. [fecha de consulta: 03-06-2024]. ISSN 2073-431. Disponible en: https://doi.org/10.3390/computers12120247.

SHENEAMER, Abdullah. Vulnerable JavaScript functions detection using stacking of convolutional neural networks. En: PeerJ Computer Science [en línea]. PeerJ, 2024, v. 10, pp. 2-38. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.7717/peerj-cs.1838.

FILUS, Katarzyna; DOMAŃSKA; Joanna. Software vulnerabilities in TensorFlow-based deep learning applications. En: Computers & Security [en línea]. Elsevier, 2023, v. 124, pp. 1-13. [fecha de consulta: 03-06-2024]. ISSN 0167-4048. Disponible en: https://doi.org/10.1016/j.cose.2022.102948.

AMANKWAH, Richard; CHEN, Jinfu; SONG, Heping; KUDJO, Patrick. Bug detection in Java code: An extensive evaluation of static analysis tools using Juliet Test Suites. En: Journal of Software Practice and Experience [en línea]. Wiley, 2023, v. 53, no. 5, pp. 1125-1143. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.1002/spe.3181.

KAYA, Aydin; KECELI, Ali; CATAL, Cagatay; TEKINERDOGAN, Bedir. The impact of feature types, classifiers, and data balancing techniques on software vulnerability prediction models. En: Journal of Software Evolution and Process [en línea]. Wiley, 2019, v. 31, no. 9, pp.1-25. [fecha de consulta: 03-06-2024]. Disponible en: https://doi.org/10.1002/smr.2164.

PUJAR, Saurab; ZHENG, Yunhui; BURATTI, Luca; LEWIS, Burn; CHEN, Yunchung; LAREDO, Jim; MORARI, Alessandro; EPSTEIN, Edward; LIN, Tsungnan; YANG, Bo; SU, Zhong. Analyzing source code vulnerabilities in the D2A dataset with ML ensembles and C-BERT, En: Empirical Software Engineering [en línea]. Springer, 2024, v. 29, no. 48. [fecha de consulta: 06-06-2024]. Disponible en: https://doi.org/10.1007/s10664-023-10405-9.

SHAHOOR, Arooba; SHAUKAT, Rida; MINHAS, Sumaira; AWAN, Hina; SAGHAR, Kashif. A C# static code analysis tool for mission critical systems, En: Advances in Science Technology and Engineering Systems [en línea]. ASTES, 2020, v. 5, no. 6, pp. 561-570. [fecha de consulta: 06-06-2024]. Disponible en: https://doi.org/10.25046/aj050668.

LI, Jinfeng. Vulnerabilities mapping based on OWASP-SANS: A survey for static application security testing (SAST). En: Annals of Emerging Technologies in Computing [en línea]. IAER, 2020, v. 4, no. 3, pp. 1-8. [fecha de consulta: 06-06-2024]. Disponible en: https://doi.org/10.33166/AETiC.2020.03.001.

BRITO, Tiago; FERREIRA, Mafalda; MONTEIRO, Miguel; LOPES, Pedro; BARROS, Miguel; FRAGOSO, Jose; SANTOS, Nuno. Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages. En: IEEE Transactions on Reliability [en línea]. IEEE, 2023, v. 72, no. 4, pp. 1324-1339. [fecha de consulta: 06-06-2024]. ISSN 1558-1721. Disponible en: https://doi.org/10.1109/TR.2023.3286301.

ZHANG, Yuwei; XING, Ying; GONG, Yunzhan; JIN, Dahai; LI, Honghui; LIU, Feng. A variable-level automated defect identification model based on machine learning. En: Soft Computing [en línea]. Springer, 2020, v. 24, no. 2, pp. 1045-1061. [fecha de consulta: 06-06-2024]. Disponible en: https://doi.org/doi:%2010.1007/s00500-019-03942-3.

NUNES, Paulo; MEDEIROS, Ibéria; FONSECA, José; NEVES, Nuno; CORREIA, Miguel; VIEIRA, Marco. An empirical study on combining diverse static analysis tools for web security vulnerabilities based on development scenarios. En: Computing [en línea]. Springer, 2019, v. 101, no. 2, pp. 161-185. [fecha de consulta: 06-06-2024]. Disponible en: https://doi.org/10.1007/s00607-018-0664-z.

GUNAWARDENA, Sanuri; TEMPERO, Ewan; BLINCOE, Kelly. Concerns identified in code review: A fine-grained, faceted classification. En: Information and Software Technology [en línea]. Elsevier, 2023, v. 153, pp. 1-14. [fecha de consulta: 06-06-2024]. ISSN 0950-5849, Disponible en: https://doi.org/10.1016/j.infsof.2022.107054.

ABDEL-KADER, Rabab; NASHAAT, Mona; HABIB, Mohamed; MAHDI, Hani. Automated server-side model for recognition of security vulnerabilities in scripting languages. En: International Journal of Electrical and Computer Engineering [en línea]. Institute of Advanced Engineering and Science, 2020, v. 10, no. 6, pp. 6061-6070. [fecha de consulta: 06-06-2024]. ISSN 2088-8708. Disponible en: https://doi.org/10.11591/ijece.v10i6.pp6061-6070.

OCHODEK, Miroslaw; HEBIG, Regina; MEDING, Wilhelm; FROST, Gert; STARON, Miroslaw. Recognizing lines of code violating company-specific coding guidelines using machine learning: A Method and Its Evaluation. En: Empirical Software Engineering [en línea]. Springer, 2020, v. 25, no. 1, pp. 220-265. [fecha de consulta: 06-06-2024] Disponible en: https://doi.org/10.1007/s10664-019-09769-8.

NGUYEN-DUC, Anh; VIET, Manh; LUONG, Quan; NGUYEN, Kiem; NGUYEN, Anh. On the adoption of static analysis for software security assessment–A case study of an open-source e-government project. En: Computers & Security [en línea]. Elsevier, 2021, v. 111, pp. 1-14. [fecha de consulta: 06-06-2024]. Disponible en: https://doi.org/10.1016/j.cose.2021.102470.

RANTALA, Leevi; MÄNTYLÄ, Mika; LENARDUZZI, Valentina. Keyword-labeled self-admitted technical debt and static code analysis have significant relationship but limited overlap. En: Software Quality Journal [en línea]. Springer, 2023, v. 32, pp. 91-429. [fecha de consulta: 06-06-2024]. Disponible en : https://doi.org/10.1007/s11219-023-09655-z.

PARK, Jihyun; SHIN, Jaeyoung; CHOI, Byoungju. Reduction of False Positives for Runtime Errors in C/C++ Software: A Comparative Study, En: Electronics [en línea]. MDPI, 2023, v. 12, no. 3518, pp. 1-12. [fecha de consulta: 06-06-2024]. ISSN 2079-9292. Disponible en: https://doi.org/10.3390/electronics12163518.

SCULL, Angel; NICOLAY, Jens; GONZALEZ, Elisa. Deriving Static Security Testing from Runtime Security Protection for Web Applications. En: Art, Science, and Engineering of Programming [en línea]. AOSA, 2022, v. 6, no. 1, pp. 1-41. [fecha de consulta: 06-06-2024]. ISSN 2473-7321. Disponible en: https://doi.org/10.22152/programming-journal.org/2022/6/1.

HEGEDUS, Péter; FERENC, Rudolf. Static Code Analysis Alarms Filtering Reloaded: A New Real-World Dataset and its ML-Based Utilization. En: IEEE, 2022 Access [en línea]. IEEE, v. 10, pp. 55090–55101. [fecha de consulta: 06-06-2024]. Disponible en: https://doi.org/10.1109/ACCESS.2022.3176865.

Modelos de pruebas de seguridad estática en reducción de ineficiencia identificación de Inyección SQL en Aplicaciones Web

Resumen

Descargas

Citas

Síguenos en: