Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Vulnerability Detection Methodology in Software Written in Several Programming Languages

https://doi.org/10.15514/ISPRAS-2025-37(1)-7

Abstract

Marking up (manually triaging) the findings of an automated vulnerability search performed with a SAST (Static Application Security Testing) tool requires highly qualified analysts, who are in short supply on the labor market; there is therefore a need to raise the productivity of this work. The paper describes a methodology, developed by the authors, for finding vulnerabilities in software written in several programming languages (C, C++, Java, Python, Go). During its development, all detectors (classes of defects that can be found automatically) for programs in these languages were analyzed, together with the elements of program structure that each detector examines. The detectors are ordered according to the regulator's classification of vulnerabilities. Applying the methodology lowers the qualification requirements for analysts who perform the markup and makes it possible to train such specialists within software development companies.

About the Authors

Boris Aronovich POZIN
Ivannikov Institute for System Programming of the Russian Academy of Sciences, HSE University, «EC-leasing» Co
Russian Federation

Dr. Sci. (Tech.), Professor, Chief Researcher at the Ivannikov Institute for System Programming of the Russian Academy of Sciences, Professor of the EC-Leasing Basic Department at the Higher School of Economics, Technical Director of CJSC EC-Leasing. Research interests: software engineering, life-cycle assurance systems for trusted software, automated software testing.



Polina Andreevna BORODUSHKINA
HSE University
Russian Federation

Third-year student at the National Research University Higher School of Economics, A.N. Tikhonov Moscow Institute of Electronics and Mathematics, Department of Applied Mathematics. Research interests: secure software design using SAST, analysis and classification of existing threats in the C/C++ programming languages.



Dmitry Antonovich KOROTKOV
HSE University
Russian Federation

Fourth-year student at the National Research University Higher School of Economics, A.N. Tikhonov Moscow Institute of Electronics and Mathematics, Department of Electronic Engineering. Research interests: secure software design using static analysis (SAST), verification of static analysis results, analysis and classification of existing threats in the Java programming language.



Michael Alexandrovich FEDOROV
HSE University
Russian Federation

Fourth-year student at the National Research University Higher School of Economics, A.N. Tikhonov Moscow Institute of Electronics and Mathematics, Department of Electronic Engineering. Research interests: secure software design using Static Application Security Testing (SAST) and Software Composition Analysis (SCA), front-end software development, design of secure operating system architectures.



Aynur Fuatovich MURATOV
HSE University
Russian Federation

Third-year student at the National Research University Higher School of Economics, A.N. Tikhonov Moscow Institute of Electronics and Mathematics, Department of Computer Engineering. Research interests: secure software design using SAST, analysis and classification of existing threats in the Go programming language.



For citation:

POZIN B.A., BORODUSHKINA P.A., KOROTKOV D.A., FEDOROV M.A., MURATOV A.F. Vulnerability Detection Methodology in Software Written in Several Programming Languages. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2025;37(1):121-132. (In Russ.) https://doi.org/10.15514/ISPRAS-2025-37(1)-7



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)