Static Security Testing Models in Inefficiency Reduction Identification of SQL Injection in Web Applications
DOI: https://doi.org/10.26423/rctu.v11i2.800
Keywords: Static application security testing, Secure software development, DevSecOps, SQL Injection
Abstract
Early detection of vulnerabilities is crucial in software development to ensure the security of web applications, especially against SQL injection attacks. Static Application Security Testing (SAST) allows vulnerabilities to be identified from the early stages of the development lifecycle. This article systematically reviews the literature to identify and analyze the SAST models that are most effective at reducing inefficiencies in detecting SQL injection. Following the PRISMA 2020 guidelines and Kitchenham's approach, exhaustive searches were conducted in databases such as EBSCO and Scopus. The results show that early integration of SAST into the pipeline and the use of artificial intelligence significantly improve vulnerability detection, reducing both false positives and false negatives. Implementing advanced SAST models is essential to strengthening the security of web applications; future research should explore more integrated methodologies and new tools.
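As an added illustration of the kind of check the abstract is talking about (this is example code written for this page, not from the article or from any tool it reviews), the following is a minimal taint-tracking SAST rule for SQL injection built on Python's `ast` module. It assumes Flask-style `request.args.get`/`request.form.get` and `input` as taint sources, DB-API `cursor.execute`/`executemany` as sinks, and numeric casts as sanitisers; the `lookup` function it scans is a constructed sample. It shows the two things that drive false-positive rates in practice: a parameterised query is not reported even though user input flows into it, and a value passed through `int()` is not reported either, while concatenation, f-strings and `.format` are.

```python
from __future__ import annotations

import ast

# Assumed taint sources, sinks and sanitisers for this illustration; a real SAST
# rule set would be far larger and framework-specific.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"execute", "executemany"}          # DB-API cursor methods
SANITIZERS = {"int", "float"}               # numeric casts cannot carry SQL syntax


class SqliChecker(ast.NodeVisitor):
    """Straight-line taint tracker: a name is tainted once it is assigned a value
    derived from a SOURCES call; passing tainted *query text* as the first
    argument of a SINKS method is reported. Bound parameters are passed
    separately from the query text and are therefore never reported."""

    def __init__(self) -> None:
        self.tainted: set[str] = set()
        self.findings: list[tuple[int, str]] = []

    @staticmethod
    def _call_name(node: ast.Call) -> str:
        """Dotted name of the callee, e.g. request.args.get or cursor.execute."""
        parts = []
        func = node.func
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
        return ".".join(reversed(parts))

    def _is_tainted(self, node: ast.AST) -> bool:
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = self._call_name(node)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            # "...".format(x), str(x) and other calls propagate taint from their args
            return any(self._is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):            # "SELECT ... " + user_input
            return self._is_tainted(node.left) or self._is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):        # f"SELECT ... {user_input}"
            return any(self._is_tainted(v.value)
                       for v in node.values if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        names = {t.id for t in node.targets if isinstance(t, ast.Name)}
        if self._is_tainted(node.value):
            self.tainted |= names
        else:
            self.tainted -= names   # clean reassignment kills taint (no branch merging here)
        self.generic_visit(node)

    def visit_AugAssign(self, node: ast.AugAssign) -> None:
        if isinstance(node.target, ast.Name) and self._is_tainted(node.value):
            self.tainted.add(node.target.id)      # query += "..." + user_input
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        if (isinstance(node.func, ast.Attribute) and node.func.attr in SINKS
                and node.args and self._is_tainted(node.args[0])):
            self.findings.append((node.lineno, self._call_name(node)))
        self.generic_visit(node)


def scan(source: str) -> list[tuple[int, str]]:
    """Return (line, sink) pairs where tainted query text reaches a SQL sink."""
    checker = SqliChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample under test: three injectable queries and two safe ones.
SAMPLE = '''
def lookup(request, cursor):
    user_id = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)          # concat
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")          # f-string
    cursor.execute("SELECT * FROM users WHERE id = {}".format(user_id))  # .format
    q = "SELECT * FROM users WHERE id = %s"
    cursor.execute(q, (user_id,))                  # parameterised: not reported
    n = int(user_id)
    cursor.execute("SELECT * FROM users LIMIT " + str(n))   # sanitised: not reported
'''

if __name__ == "__main__":
    for line, sink in scan(SAMPLE):
        print(f"line {line}: tainted query text reaches {sink}")
```

Running it reports lines 4, 5 and 6 of the sample and stays silent on the parameterised and sanitised calls. The checker is deliberately flow-sensitive only for straight-line code; the literature the review covers is largely about closing the remaining gaps (inter-procedural flows, branch merging, framework-specific sources and sinks) without letting the false-positive rate climb back up.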
License
Copyright (c) 2024 Armando Tipacti Garcia

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
The copyright holder of the work grants usage rights to readers under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. This allows immediate free access to the work and permits any user to read, download, copy, distribute, print, search or link to the full texts of the articles, crawl them for indexing, pass them as data to software, or use them for any other lawful purpose.
When the work is approved and accepted for publication, the authors retain copyright without restriction, assigning only the rights of reproduction and distribution for exploitation in paper format, as well as in any other magnetic, optical and digital medium.