TY - GEN
T1 - Common Programming Mistakes Leading to Information Disclosure
T2 - 29th IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2022
AU - Sundarapandi, Gowri Pandian
AU - Hossain, Raiyan
AU - Jasrai, Chandana
AU - Sultana, Kazi Zakia
AU - Codabux, Zadia
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - It is vital to engineer robust and secure software. Many security strategies and techniques have been proposed, but technological growth keeps raising new security concerns and demands persistent software security analysis. The objective of our study is to analyze vulnerable code components in real-world software repositories and mine the programming mistakes developers frequently make that result in information disclosure. Finding common programming mistakes during the implementation phase is a primary step towards building secure software. We investigate published vulnerabilities in two open-source projects, Apache Tomcat and Android, focusing on information disclosure vulnerabilities reported in security advisories, and analyze the affected code to extract the causes of each vulnerability. We found that missing or improper bounds checking is the most frequent programming mistake that can lead to information leakage. Our findings can raise developers' awareness of the common programming mistakes that disclose sensitive information, so that such mistakes can be avoided or, where already present in the code, handled during the implementation phase. Moreover, our results can be incorporated into tools such as static analyzers to detect information disclosure instances more accurately before software delivery.
KW - Information Disclosure
KW - Programming Mistakes
KW - Software Vulnerability
UR - http://www.scopus.com/inward/record.url?scp=85135788281&partnerID=8YFLogxK
U2 - 10.1109/SANER53432.2022.00091
DO - 10.1109/SANER53432.2022.00091
M3 - Conference contribution
AN - SCOPUS:85135788281
T3 - Proceedings - 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2022
SP - 743
EP - 747
BT - Proceedings - 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2022
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 15 March 2022 through 18 March 2022
ER -