Detecting Misuses of Security APIs: A Systematic Review
July 2023

Zahra Mousavi (CREST, University of Adelaide; Cyber Security Cooperative Research Centre; CSIRO/Data61)
Chadni Islam (Queensland University of Technology)
Kristen Moore (CSIRO/Data61)
Sharif Abuadbba (CSIRO/Data61)
M. Ali Babar (CREST, University of Adelaide)
Slide 2: Data Breaches
Introduction Methodology Results Conclusion
Source: https://www.marketingmag.com.au/news/australia-is-the-9th-most-data-breached-country-of-2022/
Personal data exposed: names, birthdates, home addresses, phone and email contacts, passport and driving license numbers
10 million customers - 40% of the population
Software Vulnerabilities
Slide 3: Security APIs
Diagram: Developer; Secure Software Development; Security API (OpenSSL); Misuse! (Allow All Hostnames); Personal Information; User; Attacker
93% of Android applications are not fully compliant with OAuth guidelines (Sharif et al. 2022).
Security APIs: Authentication, Authorization, Data Confidentiality, etc.
Source: https://hallandwilcox.com.au/thinking/no-optus-australias-largest-data-breach/
Slide 4
Developer
Developers Support and Requirements
Security API Current Solutions and Existing Challenges
Misuses of Security APIs: No Study Available!
Slide 5: Systematic Literature Review (SLR)
Detecting Misuses of Security APIs: A Systematic Review
Review protocol (Kitchenham and Charters 2007):
1. Defining Research Objective & Questions
2. Defining Search String and Executing it on Databases
3. Selecting Studies based on Inclusion-Exclusion Criteria
4. Extracting Data from Selected Studies
5. Data Analysis using Thematic Analysis
Slide 6: Research Questions
RQ1. What security APIs have been studied by researchers?
RQ2. What are misuses of security APIs?
RQ3. What types of techniques have been used to detect misuses?
RQ4. How have these techniques been evaluated?
Slide 7: Study Selection
Database Search -> Duplication Removal -> Selection based on Title & Abstract -> Selection based on Full Text -> Forward & Backward Snowballing -> 69 Studies
Slide 8: SLR Findings
RQ1 Security APIs: 6 Security APIs. First 3 most studied:
•Cryptography Primitives (43)
•SSL/TLS (26)
•OAuth (9)
RQ2 Misuses: 39 Misuse Types
•Cryptography Primitives (6)
•SSL/TLS (6)
•OAuth (10)
RQ3 Detection Technique:
•AI-based (3)
•Heuristic-based (66)
  •Static (44)
  •Dynamic (9)
  •Hybrid (13)
RQ4 Evaluation:
•Metrics (10)
  •Accuracy (e.g., false positives)
  •Efficiency (e.g., runtime)
•Public Benchmarks (5)
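Slide 3 shows "Allow All Hostnames" as a concrete security API misuse, and slide 8 reports that most surveyed detectors are heuristic static analysers evaluated on benchmarks with accuracy metrics such as false positives. The block below is an added example, not code from the review or its authors: a small rule-based static detector in the style of those surveyed, run over a constructed Java micro-benchmark so that its precision, recall, one false positive and one false negative can be inspected. The regex rules, misuse labels, snippet names and the benchmark itself are this example's own assumptions.

```python
"""Heuristic static detector for two misuse classes named on the slides
(SSL/TLS hostname/certificate verification disabled, as in "Allow All
Hostnames", and weak cryptographic primitives), scored with the accuracy
metrics the review reports. Added example; rules, snippets and labels are
constructed for illustration and are not taken from the SLR."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    misuse: str    # misuse-type label (this example's own taxonomy labels)
    line: int      # 1-based line in the scanned Java source
    evidence: str  # text that matched the rule


HOSTNAME = "SSL/TLS: hostname verification disabled"
TRUST_ALL = "SSL/TLS: certificate validation disabled"
WEAK_CIPHER = "Cryptography primitive: weak cipher or ECB mode"
WEAK_HASH = "Cryptography primitive: weak hash"

# Heuristic rules (label, regex). Line-oriented pattern matching stands in for
# the static analysis most surveyed detectors perform; it has no data flow and
# no semantic model, which is exactly what produces the FP/FN seen below.
RULES = [
    (HOSTNAME, re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|NoopHostnameVerifier|"
                          r"public\s+boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;")),
    (TRUST_ALL, re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}")),
    # "AES" alone defaults to ECB in the JCE, so it is flagged like explicit ECB.
    (WEAK_CIPHER, re.compile(r'Cipher\.getInstance\(\s*"AES(?:/ECB(?:/[^"]*)?)?"\s*\)')),
    (WEAK_CIPHER, re.compile(r'Cipher\.getInstance\(\s*"(?:DES|DESede|RC2|ARCFOUR|Blowfish)'
                             r'(?:/[^"]*)?"\s*\)')),
    (WEAK_HASH, re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD5|SHA-?1)"\s*\)')),
]


def scan(java_source: str) -> list[Finding]:
    """Static scan of one Java source text; one Finding per rule hit per line."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        if line.strip().startswith("//"):  # ignore line comments
            continue
        for label, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(label, lineno, match.group(0)))
    return findings


# Constructed micro-benchmark: (case id, Java snippet, ground-truth misuse labels).
# Labelled suites of this shape are what RQ4's "Public Benchmarks" refers to.
BENCHMARK = [
    ("allow-all-hostnames",
     "SSLSocketFactory f = SSLSocketFactory.getSocketFactory();\n"
     "f.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);\n",
     {HOSTNAME}),
    ("verify-returns-true",
     "HostnameVerifier hv = new HostnameVerifier() {\n"
     "  public boolean verify(String host, SSLSession s) { return true; }\n};\n",
     {HOSTNAME}),
    ("verify-returns-true-multiline",  # same misuse split across lines: expected miss
     "HostnameVerifier hv = new HostnameVerifier() {\n"
     "  public boolean verify(String host, SSLSession s) {\n    return true;\n  }\n};\n",
     {HOSTNAME}),
    ("trust-all-manager",
     "public void checkServerTrusted(X509Certificate[] c, String a) { }\n",
     {TRUST_ALL}),
    ("aes-default-ecb", 'Cipher c = Cipher.getInstance("AES");\n', {WEAK_CIPHER}),
    ("des-cbc", 'Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");\n', {WEAK_CIPHER}),
    ("aes-gcm-ok", 'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");\n', set()),
    ("strict-verifier-ok",
     "f.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);\n", set()),
    ("md5-cache-key",  # non-security use, labelled benign: a hit here is a false positive
     "// cache key only, not a security control\n"
     'String key = hex(MessageDigest.getInstance("MD5").digest(body));\n',
     set()),
]


def evaluate(benchmark=BENCHMARK) -> dict:
    """Score the detector per misuse label: TP/FP/FN counts, precision, recall,
    plus each case's (false positives, false negatives) for inspection."""
    tp = fp = fn = 0
    per_case = {}
    for case_id, source, expected in benchmark:
        found = {f.misuse for f in scan(source)}
        tp += len(found & expected)
        fp += len(found - expected)
        fn += len(expected - found)
        per_case[case_id] = (sorted(found - expected), sorted(expected - found))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": precision, "recall": recall, "per_case": per_case}


if __name__ == "__main__":
    result = evaluate()
    print(f"TP={result['tp']} FP={result['fp']} FN={result['fn']} "
          f"precision={result['precision']:.2f} recall={result['recall']:.2f}")
    for case_id, (fps, fns) in result["per_case"].items():
        if fps or fns:
            print(f"  {case_id}: false positives={fps} false negatives={fns}")
```

The MD5 cache-key case and the multi-line verifier show why the review's RQ4 stresses accuracy: a syntactic rule cannot tell a security use from a benign one, nor follow a method body it did not match on a single line.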
Slide 9: Open Issues and Research Gaps
Introduction Literature Review Problem RQs and Studies Conclusion
•Need for Applying State-of-the-art AI-based Techniques: ML & DL techniques, NLP techniques
•Need for Human-Centric Models
•Secure Coding
•More realistic threat model
•Misuse Repair
Slide 10: Significance and Benefits
Our research effort is the first attempt to systematically review the literature on this topic, providing an organized evidence-based body of knowledge.
Through a comprehensive analysis of 69 primary studies, we identified key trends in security API misuse detection research.
Researchers can leverage the identified taxonomies and research areas requiring attention to advance their research.
Practitioners can benefit from selecting appropriate techniques, improving their tools through best practices.
Slide 11: References
• Zhang, Ying, Md Mahir Asef Kabir, Ya Xiao, Danfeng Yao, and Na Meng. "Automatic Detection of Java Cryptographic API Misuses: Are We There Yet?" IEEE Transactions on Software Engineering, 2022.
• Ami, Amit Seal, Nathan Cooper, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni. "Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques." In 2022 IEEE Symposium on Security and Privacy (SP), pp. 614-631. IEEE, 2022.
• Sharif, Amir, Roberto Carbone, Giada Sciarretta, and Silvio Ranise. "Best current practices for OAuth/OIDC Native Apps: A study of their adoption in popular providers and top-ranked Android clients." Journal of Information Security and Applications 65 (2022): 103097.
• Afrose, Sharmin, Ya Xiao, Sazzadur Rahaman, Barton P. Miller, and Danfeng Yao. "Evaluation of static vulnerability detection tools with Java cryptographic API benchmarks." IEEE Transactions on Software Engineering 49, no. 2 (2022): 485-497.
Slide 12: Questions and Comments
Zahra Mousavi
CREST – Centre for Research on Engineering Software Technologies
The University of Adelaide, Australia
Seyedehzahra.mosavi@adelaide.edu.au