In this paper we present our experience in building security checking and understanding tools for Java, PHP, and JavaScript languages. The main theme of our work is how to make security accessible to application developers, who are typically not well versed in the nuances of secure software development. Therefore, from a tooling perspective, we provide extensions to an integrated development environment (IDE) based on the Eclipse Platform that has the ability to fix and address security problems and issues in a manner consistent with that is currently expected for syntax errors. We provide “easy buttons” and “quick fixes” requiring as few clicks in the IDE as possible to perform reasonable security problem fixes. We rely heavily on static and dynamic analysis, and a repetoire of security policies and coding practices to drive the usability of our tools.We also discuss some of the technical and non-technical challenges that we encountered during the development of our tools.
By: Ted Habeck; Larry Koved; Orlando Marquez; Vugranam C. Sreedhar; Michael Steiner; Wietse Venema; Samuel Weber; Gabriela Cretu; Krishnaprasad Vikram
Published in: RC24243 in 2007
LIMITED DISTRIBUTION NOTICE:
This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.
Questions about this service can be mailed to reports@us.ibm.com .