Learning Algorithms in Static Analysis of Web Applications

Abstract: Web applications are distributed applications, they are programs that run on more than one computer and communicate through a network or server. This very distributed nature of web applications, combined with the scale and sheer complexity of modern software systems complicate manual security auditing, while also creating a huge attack surface of potential hackers. These factors are making automated analysis a necessity. Static Application Security Testing (SAST) is a method devised to automatically analyze application source code of large code bases without compiling it, and design conditions that are indicative of security vulnerabilities. However, the problem lies in the fact that the most widely used Static Application Security Testing Tools often yield unreliable results, owing to the false positive classification of vulnerabilities grossly outnumbering the classification of true positive vulnerabilities. This is one of the biggest hindrances to the proliferation of SAST testing, which leaves the user to review hundreds, if not thousands, of potential warnings, and classify them as either actionable or spurious. We try to minimize the problem of false positives by introducing a technique to filter the output of SAST tools. The aim of the project is to apply learning algorithms to the output by analyzing the true and false positives classified by OWASP Benchmark, and eliminate, or reduce the number of false positives presented to the user of the SAST Tool.