Security bugs are errors present in source code, usually locally in a single line of code or slightly distributed. Most of these issues are likely to be SQL Injection and Cross-site Scripting vulnerabilities. They are fundamentally errors in coding and because all of them follow the same specific patterns, there are different types of technologies able to detect them automatically, with varying levels of accuracy.
These tools can even report the file and line where the security bug has been found, making it simple for software developers to resolve.
However, several details should be taken into account:
- Accuracy: Depending on the type of tool, the accuracy of security bug detection might be far from perfect, which may lead to a waste of resources trying to solve false positives.
- Number of vulnerabilities: When first used, these tools might report thousands of vulnerabilities, so it is important to be able to sort them as the workforce dedicated to solving these issues will be limited and it is critical to fix those of highest risk.
Hdiv provides a solution to fight against security bugs focusing on two aspects:
- Detection: Hdiv provides accurate security bug detection (100% in OWASP Benchmark tool) so that developers know the exact file and line of each vulnerability, making them easy to fix. Hdiv is integrated within the Software Development Life Cycle so that programmers can detect such issues during the development process.
- Protection: Due to its web information flow control system, Hdiv can protect the application against most malicious attacks, preventing such things as parameter tampering, which is closely linked to many instances of security bug exploitation. By using Hdiv, in most situations these vulnerabilities cannot be exploited. This allows us to focus on those security bugs that can be attacked, primarily those coming from client side data (textfields)
i.e. A SQL vulnerability protected by Hdiv integrity validation (score 1, in green) and another (which the developer should focus on first) coming from a textfield (score 9 in red)