SCRAP - Secure Code Review Automated Platform

  • A prototype for the automated evaluation of computer science students' PHP code submissions for vulnerabilities, providing feedback on how to fix them.
Master Thesis

Location, Date

Wien, Österreich, 28 April 2020

Keywords

software security education, secure code, static code analysis, F/LOSS toolchain, IT Security

Abstract

One of the biggest weaknesses in cybersecurity lies within the “human infrastructure” (Hadnagy, 2011, 3). While this insight usually leads to security awareness training for employees and to other organisational measures, awareness of secure coding among developers is too often neglected. A major lever for improving information security is to improve the quality of code in terms of secure coding. Starting from this situation, my thesis investigates the feasibility of using Free/Libre and Open Source Software (F/LOSS) tools to build a toolchain and feedback generation platform that could be used in introductory programming courses to add incentives for secure coding awareness and adoption. Of the 19 F/LOSS static analysis tools for PHP code that were found, 7 were evaluated; only 2 of them are in part fit for secure coding specific analysis. However, several of the tools provide opportunities for extension and adaptation. The use of the 2 selected tools in the SCRAP prototype provides a starting point for further research. The SCRAP prototype, which was built in the course of this thesis, consists of an API conforming to OpenAPI 3, a corresponding prototype implementation of a RESTful web service and a prototype web UI. They are documented on the project website https://scrap.tantemalkah.at and are available under the AGPLv3 license. The prototype is easily extensible with additional scanners and can be used for further research into software security education. While the extensive literature review reveals that the field of software security education still needs a lot more attention, SCRAP adds a new approach. Yet its adoption requires a sustainable long-term approach and socio-technical adaptations in the organisations that want to facilitate it. More open and cooperative research in software security education is also needed to improve secure coding capabilities throughout the educational sector and, in turn, in the IT industry in general.
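To make concrete what kind of check a scanner plugged into such a platform performs, and why pattern-level tools are only "in part fit" for secure coding analysis, the following is an added example; it is not code from the SCRAP project or from any of the evaluated tools. It walks a PHP submission line by line, marks variables assigned from request superglobals as tainted, and reports where tainted data reaches a dangerous sink without passing through a sanitizer, attaching the remediation hint a student would see. The source, sink and sanitizer lists and the sample submission are constructed for the illustration, and the analysis is deliberately naive: one forward pass, no functions, branches or arrays, and any sanitizer call anywhere in an expression is trusted.

```python
"""Illustrative taint check for PHP student submissions with fix suggestions.

Added example, not SCRAP project code. Tracks user-controlled values line by
line and reports where they reach a dangerous sink without a sanitizer.
"""
import re
from dataclasses import dataclass

# Superglobals that carry attacker-controlled input (assumed list).
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

# Sink -> (vulnerability class, remediation hint shown to the student). Assumed list.
SHELL_FIX = "avoid shell calls; if unavoidable, wrap every argument in escapeshellarg()"
SINKS = {
    "echo": ("XSS", "escape output with htmlspecialchars($v, ENT_QUOTES, 'UTF-8')"),
    "print": ("XSS", "escape output with htmlspecialchars($v, ENT_QUOTES, 'UTF-8')"),
    "mysqli_query": ("SQL injection", "use mysqli_prepare() with bind_param() instead of string concatenation"),
    "system": ("command injection", SHELL_FIX),
    "exec": ("command injection", SHELL_FIX),
    "shell_exec": ("command injection", SHELL_FIX),
    "eval": ("code injection", "never eval() user-controlled input"),
    "include": ("file inclusion", "map user input onto an allow-list of file names"),
}

# Calls that make an expression trusted again. Deliberately crude: any
# occurrence anywhere in the expression counts, so this over-trusts.
SANITIZERS = ("htmlspecialchars(", "intval(", "(int)", "escapeshellarg(")

VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
# "$var = <expr>;" on one line; (?!=) keeps "==" from being read as assignment.
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.+?);\s*$")
SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, SINKS)) + r")\b\s*(.*)")


@dataclass
class Finding:
    line: int
    kind: str
    sink: str
    fix: str


def is_tainted(expr: str, tainted: set[str]) -> bool:
    """Does expr carry unsanitised user input, given the variables tainted so far?"""
    if any(s in expr for s in SANITIZERS):
        return False
    if any(s in expr for s in SOURCES):
        return True
    return any(v in tainted for v in VAR_RE.findall(expr))


def scan(php_source: str) -> list[Finding]:
    """Single forward pass over one file: no functions, branches or arrays are tracked."""
    tainted: set[str] = set()
    findings: list[Finding] = []
    for lineno, raw in enumerate(php_source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("//", "#", "/*", "*")):
            continue
        sink = SINK_RE.search(line)
        if sink and is_tainted(sink.group(2), tainted):
            kind, fix = SINKS[sink.group(1)]
            findings.append(Finding(lineno, kind, sink.group(1), fix))
        assign = ASSIGN_RE.match(line)
        if assign:
            var, rhs = assign.group(1), assign.group(2)
            if is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned from a clean value
    return findings


def feedback(findings: list[Finding]) -> list[str]:
    """Student-facing messages, one per finding."""
    return [f"line {f.line}: possible {f.kind}: user input reaches {f.sink}; {f.fix}"
            for f in findings]


# Constructed sample submission: two flaws, two correctly handled inputs.
SAMPLE_SUBMISSION = """<?php
$name = $_GET['name'];
$id = intval($_GET['id']);
$safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
echo "Hello " . $name;
echo "Hello " . $safe;
$res = mysqli_query($db, "SELECT * FROM users WHERE id = " . $id);
$res2 = mysqli_query($db, "SELECT * FROM users WHERE name = '" . $name . "'");
"""

if __name__ == "__main__":
    for msg in feedback(scan(SAMPLE_SUBMISSION)):
        print(msg)
```

On the sample this reports the unescaped echo on line 5 and the concatenated query on line 8, and stays silent on the intval() and htmlspecialchars() paths. The same crudeness that keeps it short is what limits tools of this kind for secure coding feedback: data flowing through a function parameter, an array element or a sanitizer applied for the wrong context (htmlspecialchars() does nothing against SQL injection) is not modelled, so a platform like SCRAP has to aggregate and adapt scanners rather than rely on any one of them.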

Published By: Andrea Klaura | Universität für Angewandte Kunst Wien | Publication Date: 09 May 2022, 10:58 | Edit Date: 15 January 2025, 08:36