English

Learning Algorithms in Static Analysis of Web Applications

Cryptography and Security 2022-10-17 v1

Abstract

Web applications are distributed applications, they are programs that run on more than one computer and communicate through a network or server. This very distributed nature of web applications, combined with the scale and sheer complexity of modern software systems complicate manual security auditing, while also creating a huge attack surface of potential hackers. These factors are making automated analysis a necessity. Static Application Security Testing (SAST) is a method devised to automatically analyze application source code of large code bases without compiling it, and design conditions that are indicative of security vulnerabilities. However, the problem lies in the fact that the most widely used Static Application Security Testing Tools often yield unreliable results, owing to the false positive classification of vulnerabilities grossly outnumbering the classification of true positive vulnerabilities. This is one of the biggest hindrances to the proliferation of SAST testing, which leaves the user to review hundreds, if not thousands, of potential warnings, and classify them as either actionable or spurious. We try to minimize the problem of false positives by introducing a technique to filter the output of SAST tools. The aim of the project is to apply learning algorithms to the output by analyzing the true and false positives classified by OWASP Benchmark, and eliminate, or reduce the number of false positives presented to the user of the SAST Tool.

Keywords

Cite

@article{arxiv.2210.07465,
  title  = {Learning Algorithms in Static Analysis of Web Applications},
  author = {Akash Nagaraj and Bishesh Sinha and Mukund Sood and Yash Mathur and Sanchika Gupta and Dinkar Sitaram},
  journal= {arXiv preprint arXiv:2210.07465},
  year   = {2022}
}

Comments

This paper was originally written in 2019

R2 v1 2026-06-28T03:36:41.873Z