Secure coding through integration of public information security sources to eclipse development environment
Master thesis
Date: 2022-06-01
Collection: Master theses
Abstract
The use of open source components in software development has been growing rapidly for a number of years, and this growth is accompanied by a growing risk of security vulnerabilities. While extensive research and effort have gone into tools that help developers find vulnerabilities in their own code, identifying known vulnerabilities in the open source components they depend on has been comparatively neglected. Public security sources such as the NVD, CVE and CWE already contain an enormous amount of data, both on security weaknesses in general and on specific known instances of vulnerabilities in software. The primary goal of this thesis is to develop a plugin for the Eclipse development environment that connects developers to these public security sources directly in their IDE. The plugin specifically targets Maven projects: it scans a project's dependencies and looks up any vulnerability data registered for them in the NVD, helping developers mitigate potential vulnerabilities in the components they use. The plugin is evaluated on open source dependencies and projects in a series of tests that measure its soundness and completeness as well as its runtime performance. The results show a precision of 93%, a recall of 65% and an accuracy of 80%. Runtime performance is moderate and grows linearly with the number of dependencies scanned. This thesis contributes to research by shedding light on an under-developed area of software security mitigation and proposes a prototype plugin to help address the issue.
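As an added illustration of the scanning and evaluation approach the abstract describes (example code written for this page, not the thesis's Eclipse plugin), the Python below parses the dependency list of a Maven pom.xml, matches each groupId:artifactId:version against NVD-style CPE records that carry version ranges, and computes the precision, recall and accuracy figures used in the evaluation. The pom.xml, the NVD-style records (with SAMPLE-nnnn placeholder ids rather than real CVEs) and the ground-truth set are all constructed sample data. The rule that maps Maven coordinates to CPE vendor/product names (last groupId segment as vendor, artifactId as product) and the simplified version ordering are assumptions made for the example; the thesis's own matching logic may differ.

```python
"""Match Maven dependencies against NVD-style CPE records and score the result.

Added example for this page; not code from the thesis or its Eclipse plugin.
All inputs below are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml (not from the thesis).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency><groupId>org.acme</groupId><artifactId>textparser</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>org.acme</groupId><artifactId>textparser-extras</artifactId><version>2.0.0</version></dependency>
    <dependency><groupId>com.widgets</groupId><artifactId>httpkit</artifactId><version>4.1</version></dependency>
    <dependency><groupId>com.widgets</groupId><artifactId>imagelib</artifactId><version>0.9.5</version></dependency>
  </dependencies>
</project>"""

# Constructed NVD-style records: placeholder ids and CPEs, not real CVE data.
# Shape follows the NVD JSON "cpe_match" entries (cpe23Uri plus optional
# versionStart/End Including/Excluding bounds).
SAMPLE_NVD = [
    {"id": "SAMPLE-0001", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:acme:textparser:*:*:*:*:*:*:*:*",
                                         "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.3.0"}]},
    {"id": "SAMPLE-0002", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:widgets:httpkit:4.1:*:*:*:*:*:*:*"}]},
    {"id": "SAMPLE-0003", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:widgets:imagelib:*:*:*:*:*:*:*:*",
                                         "versionEndIncluding": "0.9.4"}]},
    # CPE product names use underscores where Maven artifactIds use hyphens.
    {"id": "SAMPLE-0004", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:acme:textparser_extras:*:*:*:*:*:*:*:*",
                                         "versionEndExcluding": "2.1.0"}]},
]

# Constructed ground truth for the evaluation: which sample dependencies are
# actually affected (used to derive TP/FP/FN/TN).
GROUND_TRUTH = {"org.acme:textparser:1.2.3", "org.acme:textparser-extras:2.0.0", "com.widgets:httpkit:4.1"}


def parse_dependencies(pom_text):
    """Return (groupId, artifactId, version) tuples from a pom.xml string."""
    root = ET.fromstring(pom_text)
    return [(d.findtext("m:groupId", namespaces=NS),
             d.findtext("m:artifactId", namespaces=NS),
             d.findtext("m:version", namespaces=NS))
            for d in root.findall(".//m:dependencies/m:dependency", NS)]


def version_key(v):
    """Simplified comparable key: numeric segments compare numerically.

    Assumption for the example; Maven's ComparableVersion has more rules
    (qualifiers such as -SNAPSHOT, and "1.3" vs "1.3.0" being equal).
    """
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in re.split(r"[.\-]", v))


def cpe_matches(dep, m):
    """Does one cpe_match entry cover this dependency (coordinates + version)?"""
    group_id, artifact_id, version = dep
    fields = m["cpe23Uri"].split(":")
    vendor, product, exact = fields[3], fields[4], fields[5]
    # Assumed mapping: last groupId segment -> CPE vendor, artifactId -> CPE product.
    if vendor != group_id.split(".")[-1] or product != artifact_id:
        return False
    k = version_key(version)
    if exact != "*":                       # exact version pinned in the CPE itself
        return k == version_key(exact)
    if m.get("versionStartIncluding") and k < version_key(m["versionStartIncluding"]):
        return False
    if m.get("versionStartExcluding") and k <= version_key(m["versionStartExcluding"]):
        return False
    if m.get("versionEndIncluding") and k > version_key(m["versionEndIncluding"]):
        return False
    if m.get("versionEndExcluding") and k >= version_key(m["versionEndExcluding"]):
        return False
    return True


def scan(pom_text, nvd_records):
    """Map 'group:artifact:version' -> list of matching record ids."""
    findings = {}
    for dep in parse_dependencies(pom_text):
        findings[":".join(dep)] = [r["id"] for r in nvd_records
                                   if any(cpe_matches(dep, m) for m in r["cpe_match"])]
    return findings


def evaluate(findings, truly_vulnerable):
    """Precision, recall and accuracy of the scan at dependency granularity."""
    tp = fp = fn = tn = 0
    for dep, ids in findings.items():
        flagged, vuln = bool(ids), dep in truly_vulnerable
        if flagged and vuln:
            tp += 1
        elif flagged:
            fp += 1
        elif vuln:
            fn += 1
        else:
            tn += 1
    total = tp + fp + fn + tn
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0,
            "accuracy": (tp + tn) / total if total else 0.0}


if __name__ == "__main__":
    found = scan(SAMPLE_POM, SAMPLE_NVD)
    for dep, ids in found.items():
        print(dep, "->", ids or "no match")
    print(evaluate(found, GROUND_TRUTH))
```

On the sample data the scanner flags textparser (inside the [1.0.0, 1.3.0) range) and httpkit (exact CPE version), correctly leaves imagelib alone (0.9.5 is above the 0.9.4 upper bound), but misses textparser-extras because the CPE product is spelled textparser_extras. That false negative comes from the coordinate-to-CPE mapping rather than from the version logic, which is the part of such a scanner that most directly limits recall; normalising hyphens and underscores, or using a curated coordinate-to-CPE dictionary, is the usual remedy.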