SecuCheck

Paper accepted at Empirical Software Engineering 2022 Springer: fluently specifying taint-flow queries with fluentTQL
Paper accepted at SCAM 2021 Engineering track: SecuCheck: Engineering configurable taint analysis for software developers
The SecuCheck Tooling is open source and includes several components:
- SecuCheck core analysis: Github project
- SecuCheck Magpie Bridge Server providing plugin support for multiple IDEs: Github project
- SecuCheck catalog: Github project
Interviews with Software Developers
- We interviewed 9 software developers from 5 companies to find out what developers think about existing tools for security checks, what are the existing problems, and what is their security awareness level.
- Summary
Static Analysis Results Interchange Format (SARIF)
- We integrated SARIF into CogniCrypt tool. We summarized the standard and documented our convertor to ease the integration of the standard in other static analysis tools.
- Technical report: Integration of the Static Analysis Results Interchange Format in CogniCrypt
SWAN: Security Methods for Weakness Detection
- To detect specific security vulnerabilities, taint analyses must be configured with specific methods. For example, executeQuery() can be a sink for CWE-89 (SQL injection), but not for CWE-601 (open redirect). SWAN uses supervised machine-learning to automatically detect such methods from Java codebase and classifies them into different CWEs. SWAN_assist is an IntelliJ plugin that allows the developer to manually train the classifier through active learning and improve the precision of the approach.
- Publication: Codebase-Adaptive Detection of Security-Relevant Methods, Goran Piskachev, Lisa Nguyen Quang Do, Eric Bodden, , International Symposium on Software Testing and Analysis 2019
- Source code: SWAN and SWAN_assist [github link]
- Demonstration: SwanAssist: Semi-Automated Detection of Code-Specific, Security-Relevant Methods, Goran Piskachev, Lisa Nguyen Quang Do, Oshando Johnson, and Eric Bodden, Automated Software Engineering 2019 [video] [long version video]
- Technical report: Codebase-Adaptive Detection of Security-Relevant Methods

Project Updates by secucheck_swc

Why SecuCheck?

Results

Team

Goran Piskachev

Ranjith Krishnamurthy

Prof. Dr. Eric Bodden

Oshando Johnson

Alumni

Ingo Budde

Ashish Shukla

Dr. Johannes Späth

Partners

Funded by

Contact