Security vulnerabilities detection and protection using Eclipse


After a decade of existence, still, Cross-site scripting, SQL Injection and other of Input validation associated security vulnerabilities can cause severe damage once exploited. To analyze this fact, [14] conducted an empirical study, while OWASP and SANS defined their respective risk-based approaches. Taking these results into consideration, three deficiencies can be highlighted: a lack of up skilling developers, a high ratio of false positive findings in security code scanners and an erroneous planning of security corrections. In this paper, we present how using the Eclipse platform and the JDT compiler, a proper tooling can be provided to overcome these deficiencies. We present a static analyzer that assists developers to report these security vulnerabilities. We show as well how we integrate an Aspect Oriented tool for semi-automated correction of these findings. Both tools are designed within an architecture that is monitored by security experts and particularly adequate for agile development.

In 6th Italian Workshop on Eclipse Technologies.