Learning Algorithms in Static Analysis of Web Applications
Akash Nagaraj, Bishesh Sinha, Mukund Sood, Yash Mathur, Sanchika Gupta, Dinkar Sitaram

TL;DR
This paper explores the application of machine learning algorithms to improve static analysis of web applications by reducing false positives in security vulnerability detection, thereby enhancing the reliability of SAST tools.
Contribution
It introduces a novel technique that applies learning algorithms to filter SAST tool outputs, aiming to minimize false positives and improve security analysis accuracy.
Findings
Reduced false positive rate in vulnerability detection
Improved reliability of static analysis tools
Enhanced efficiency of security auditing processes
Abstract
Web applications are distributed applications: programs that run on more than one computer and communicate through a network or server. This distributed nature, combined with the scale and sheer complexity of modern software systems, complicates manual security auditing while also creating a huge attack surface for potential attackers. These factors make automated analysis a necessity. Static Application Security Testing (SAST) is a method devised to automatically analyze the source code of large code bases without compiling it and to flag conditions that are indicative of security vulnerabilities. However, the problem lies in the fact that the most widely used SAST tools often yield unreliable results, owing to false positive classifications of vulnerabilities grossly outnumbering the classification of true…
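The filtering step that the Contribution and the abstract describe, shown as an added worked example rather than the paper's own code: SAST findings that a manual audit has already labelled are used to train a classifier, which then assigns each new finding a probability of being a real vulnerability, and findings below a threshold are dropped from the report. All names here are assumptions: the finding schema (rule id, file path, sanitizer-on-path flag), the categorical features, the sample findings and verdicts (constructed), and the choice of a categorical Naive Bayes model standing in for whatever learning algorithm the paper evaluates.

```python
"""Learning-based triage of SAST findings (added example; not the paper's code).

Hypothetical setup: a SAST tool emits findings as dicts with a rule id, a file
path and a flag saying whether a sanitizer sits on the taint path; an earlier
manual audit supplied true/false verdicts; a categorical Naive Bayes classifier
with Laplace smoothing is used as the learning algorithm.
"""
import math
from collections import Counter, defaultdict


def extract_features(finding):
    """Map a raw finding to the categorical features the classifier uses."""
    top_dir = finding["file"].split("/")[0]
    return {
        "rule": finding["rule"],
        "in_test_code": top_dir in {"test", "tests"},
        "sanitizer_on_path": finding["sanitizer_on_path"],
    }


# Constructed training set: (finding, verdict). True means a real vulnerability.
LABELLED = [
    ({"rule": "sqli", "file": "src/db/query.py", "sanitizer_on_path": False}, True),
    ({"rule": "sqli", "file": "src/api/users.py", "sanitizer_on_path": False}, True),
    ({"rule": "xss", "file": "src/web/render.py", "sanitizer_on_path": False}, True),
    ({"rule": "xss", "file": "src/web/profile.py", "sanitizer_on_path": False}, True),
    ({"rule": "sqli", "file": "tests/test_query.py", "sanitizer_on_path": False}, False),
    ({"rule": "xss", "file": "tests/test_render.py", "sanitizer_on_path": False}, False),
    ({"rule": "sqli", "file": "src/db/report.py", "sanitizer_on_path": True}, False),
    ({"rule": "xss", "file": "src/web/search.py", "sanitizer_on_path": True}, False),
    ({"rule": "xss", "file": "tests/test_search.py", "sanitizer_on_path": True}, False),
    ({"rule": "sqli", "file": "src/db/stats.py", "sanitizer_on_path": False}, False),
]

# Constructed held-out findings; the verdicts are only used to score the filter.
UNSEEN = [
    ({"rule": "sqli", "file": "src/db/orders.py", "sanitizer_on_path": False}, True),
    ({"rule": "xss", "file": "tests/test_forms.py", "sanitizer_on_path": False}, False),
    ({"rule": "sqli", "file": "src/db/audit.py", "sanitizer_on_path": True}, False),
    ({"rule": "xss", "file": "tests/test_pages.py", "sanitizer_on_path": True}, False),
    ({"rule": "xss", "file": "src/web/comment.py", "sanitizer_on_path": False}, True),
    # Looks like the real ones but is not: the filter will keep it (residual FP).
    ({"rule": "sqli", "file": "src/db/cache.py", "sanitizer_on_path": False}, False),
    # Real bug living in a test fixture: the filter will drop it (lost TP).
    ({"rule": "xss", "file": "tests/fixtures/page.py", "sanitizer_on_path": False}, True),
]


class NaiveBayesTriage:
    """Categorical Naive Bayes over the features above, P(real | features)."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                    # Laplace smoothing constant
        self.prior = {}                       # label -> P(label)
        self.n = Counter()                    # label -> number of examples
        self.counts = defaultdict(Counter)    # (label, feature) -> Counter(value)
        self.values = defaultdict(set)        # feature -> distinct values seen

    def fit(self, labelled):
        for finding, label in labelled:
            self.n[label] += 1
            for feat, val in extract_features(finding).items():
                self.counts[(label, feat)][val] += 1
                self.values[feat].add(val)
        total = sum(self.n.values())
        self.prior = {label: c / total for label, c in self.n.items()}

    def _log_score(self, label, feats):
        score = math.log(self.prior[label])
        for feat, val in feats.items():
            c = self.counts[(label, feat)][val]
            k = len(self.values[feat])
            score += math.log((c + self.alpha) / (self.n[label] + self.alpha * k))
        return score

    def predict_proba(self, finding):
        """Probability that the finding is a true positive."""
        feats = extract_features(finding)
        scores = {label: self._log_score(label, feats) for label in self.prior}
        m = max(scores.values())              # subtract max for numerical safety
        z = sum(math.exp(s - m) for s in scores.values())
        return math.exp(scores[True] - m) / z


def evaluate(model, labelled_unseen, threshold=0.5):
    """Filter the held-out findings and compare before/after against verdicts."""
    kept = [(f, y) for f, y in labelled_unseen if model.predict_proba(f) >= threshold]

    def fp_rate(rows):
        return sum(1 for _, y in rows if not y) / len(rows) if rows else 0.0

    return {
        "reported_before": len(labelled_unseen),
        "reported_after": len(kept),
        "fp_rate_before": fp_rate(labelled_unseen),
        "fp_rate_after": fp_rate(kept),
        "true_bugs_before": sum(1 for _, y in labelled_unseen if y),
        "true_bugs_after": sum(1 for _, y in kept if y),
    }


if __name__ == "__main__":
    model = NaiveBayesTriage()
    model.fit(LABELLED)
    for finding, _ in UNSEEN:
        print(f"{finding['rule']:5} {finding['file']:26} P(real)={model.predict_proba(finding):.2f}")
    print(evaluate(model, UNSEEN))
```

On this constructed data the filter cuts the false positive rate of the report from 4/7 to 1/3 while keeping two of the three real bugs; the dropped one sits in a test fixture, which is exactly the kind of recall loss a practitioner should measure before trusting such a filter, and the threshold is the knob that trades residual false positives against it.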
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Testing and Debugging Techniques · Network Security and Intrusion Detection
