2021
1.
Nembhard, Fitzroy D.; Carvalho, Marco M.
Conversational Code Analysis: The Future of Secure Coding Journal Article
In: IntechOpen, London, 2021.
Tags: Google Assistant, NLP, software security, virtual assistant, voice assistant, vulnerability detection
@article{nembhard2021conversational,
title = {Conversational Code Analysis: The Future of Secure Coding},
author = {Fitzroy D. Nembhard and Marco M. Carvalho},
doi = {10.5772/intechopen.98362},
year = {2021},
date = {2021-06-08},
urldate = {2021-06-08},
journal = {IntechOpen, London},
abstract = {The area of software development and secure coding can benefit significantly from advancements in virtual assistants. Research has shown that many coders neglect security in favor of meeting deadlines. This shortcoming leaves systems vulnerable to attackers. While a plethora of tools are available for programmers to scan their code for vulnerabilities, finding the right tool can be challenging. It is therefore imperative to adopt measures to get programmers to utilize code analysis tools that will help them produce more secure code. This chapter looks at the limitations of existing approaches to secure coding and proposes a methodology that allows programmers to scan and fix vulnerabilities in program code by communicating with virtual assistants on their smart devices. With the ubiquitous move towards virtual assistants, it is important to design systems that are more reliant on voice than on standard point-and-click and keyboard-driven approaches. Consequently, we propose MyCodeAnalyzer, a Google Assistant app and code analysis framework, which was designed to interactively scan program code for vulnerabilities and flaws using voice commands during development. We describe the proposed methodology, implement a prototype, test it on a vulnerable project and present our results.},
keywords = {Google Assistant, NLP, software security, virtual assistant, voice assistant, vulnerability detection},
pubstate = {published},
tppubtype = {article}
}
2018
2.
Nembhard, Fitzroy; Carvalho, Marco; Eskridge, Thomas
Extracting Knowledge from Open Source Projects to Improve Program Security Proceedings Article
In: SoutheastCon 2018, pp. 1-7, 2018.
Tags: code repositories, code security, data mining, knowledge extraction, software security, SQL injection, SQLI, text mining
@inproceedings{ExtractingKnowledge,
title = {Extracting Knowledge from Open Source Projects to Improve Program Security},
author = {Fitzroy Nembhard and Marco Carvalho and Thomas Eskridge},
doi = {10.1109/SECON.2018.8478906},
year = {2018},
date = {2018-04-19},
urldate = {2018-04-19},
booktitle = {SoutheastCon 2018},
pages = {1-7},
abstract = {Open source repositories contain a wealth of unstructured and unlabeled data from which useful knowledge can be extracted. This knowledge can be applied in a wide range of applications such as discovering how programmers improve their programs over time and finding patterns to detect and mitigate vulnerabilities. In this work, we propose to use text mining and machine learning to extract knowledge from open source code in order to categorize and structure source code. By mining a subset (over 600,000 Java files) of a 2011 dataset that contains over 70,000 open source projects, we present a case study showing that useful patterns can be extracted from source code and that these patterns can be used to create a recommender system to help programmers avoid unsafe practices. We demonstrate the utility of our proposed techniques by applying them to the detection of SQL Injection.},
keywords = {code repositories, code security, data mining, knowledge extraction, software security, SQL injection, SQLI, text mining},
pubstate = {published},
tppubtype = {inproceedings}
}