Abstract
Numerous standards and codes of best practice recommend the implementation of security practices since the early stages of the application development process. Commonly known as ‘security-as-default’, these practices consist of coding while keeping security in mind to start addressing threats and vulnerabilities before integrating security measures becomes too laborious. Hence, these best practices lead to cleaner and safer code. An effective way to find out whether the application is secure is by performing source code analyses. These analyses report weaknesses in the code once run against a predefined set of rules. Consequently, developers can detect and correct these issues, preventing the application from future exploits. A static source code analysis was performed to assess a National Crime Reporting System for a Latin American country’s National Police. The system is comprised of three modules: the mobile app, the desktop app, and the backend service. This paper focuses on the assessment of the desktop module.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
Puma Scan (https://www.pumascan.com).
- 2.
Net Security Guard (https://github.com/dotnet-security-guard/roslyn-security-guard).
- 3.
SonarLint (https://www.sonarlint.org/).
- 4.
VisualCodeGrepper (https://sourceforge.net/projects/visualcodegrepp/).
References
Soares, R.R., Naritomi, M.: Understanding high crime rates in Latin America: the role of social and policy factors. https://www.nber.org/chapters/c11831.pdf (2010)
Sutton, H., et al.: Restoring paradise in the Caribbean: combatting violence with numbers. https://publications.iadb.org/en/restoring-paradise-caribbean-combatting-violence-numbers (2017)
Bergeron, J., et al.: Static detection of malicious code in executable programs. https://nnt.es/Static%20Detection%20of%20Malicious %20Code%20in%20Executable%20Programs.pdf (2001)
Louridas, P.: Static code analysis. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1657940 (2006)
Petukhov, A., Kozlov, D.: Detecting security vulnerabilities in web applications using dynamic analysis with penetration testing. https://pdfs.semanticscholar.org/9d33/19d49a52395e37bc6ba29c1e3282c0f0a06a.pdf (2008)
Leff, A., Rayfield, J.T.: Web application development using the model/view/controller design pattern. https://ieeexplore.ieee.org/abstract/document/950428 (2002)
OWASP source code analysis tools. https://www.owasp.org/index.php/Source_Code_Analysis_Tools. Accessed 13 July 2019
Common Weakness Enumeration: CWE-20: Improper input validation. https://cwe.mitre.org/data/definitions/20.html. Accessed 23 June 2019
Dietz, W., et al.: Understanding integer overflow in C/C++. https://dl.acm.org/citation.cfm?id=2743019 (2015)
Hu, W., et al.: Secure and practical defense against code-injection attacks using software dynamic translation. https://dl.acm.org/citation.cfm?id=1134764 (2006)
Common Weakness Enumeration: CWE-327: Use of a broken or risky cryptographic algorithm. https://cwe.mitre.org/data/definitions/327.html. Accessed 07 July 2019
Asad, A., Ali, H.: Working with cryptography. https://link.springer.com/chapter/10.1007/978-1-4842-2860-9_13 (2017)
Andreeva, O., et al.: Industrial control systems vulnerabilities statistics. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2016/07/07190426/KL_REPORT_ICS_Statistic_vulnerabilities.pdf (2016)
Common Weakness Enumeration: CWE-312: Cleartext storage of sensitive information. https://cwe.mitre.org/data/definitions/312.html. Accessed 13 July 2019
NIST Special Publication 800-53: Security controls and assessment procedures for federal information systems and organizations, Rev. 4. https://nvd.nist.gov/800-53/Rev4/control/SC-13 (2015). Accessed 02 July 2019
Zheng, Y., Zhang, X.: Path sensitive static analysis of web applications for remote code execution vulnerability detection. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6606611 (2013)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Martinez, F.G., Dawson, M., Taveras, P. (2020). Assessment of National Crime Reporting System: Detailed Analysis of the Desktop Application. In: Latifi, S. (eds) 17th International Conference on Information Technology–New Generations (ITNG 2020). Advances in Intelligent Systems and Computing, vol 1134. Springer, Cham. https://doi.org/10.1007/978-3-030-43020-7_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-43020-7_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-43019-1
Online ISBN: 978-3-030-43020-7
eBook Packages: EngineeringEngineering (R0)