This presentation describes a systematic literature review of research on detecting misuses of security APIs; the research was carried out by CREST (University of Adelaide), CSIRO Data61, and the Cyber Security Cooperative Research Centre.
Detecting Misuses of Security APIs: A Systematic Review
1. Detecting Misuses of Security APIs: A Systematic Review
July 2023
Zahra Mousavi (CREST, University of Adelaide; Cyber Security Cooperative Research Centre; CSIRO/Data61)
Chadni Islam (Queensland University of Technology)
Kristen Moore (CSIRO/Data61)
Sharif Abuadbba (CSIRO/Data61)
M. Ali Babar (CREST, University of Adelaide)
2. Data Breaches
https://www.marketingmag.com.au/news/australia-is-the-9th-most-data-breached-country-of-2022/
Figure: software vulnerabilities lead to a breach exposing the personal information of 10 million customers (40% of the population): names, birthdates, home addresses, phone and email contacts, passport and driving license numbers.
3. Figure: a developer practising secure software development relies on security APIs (e.g. OpenSSL) for authentication, authorization, data confidentiality, etc.; a misuse such as "Allow All Hostnames" (accepting any hostname during TLS certificate verification) lets an attacker obtain the user's personal information.
93% of Android applications are not fully compliant with OAuth guidelines (Sharif et al. 2022).
https://hallandwilcox.com.au/thinking/no-optus-australias-largest-data-breach/
4. Figure: existing work around the developer and the security API covers developer support and requirements, and the current solutions and existing challenges of security APIs; for misuses of security APIs, no study is available.
5. Systematic Literature Review (SLR)
Review protocol (Kitchenham and Charters 2007):
1. Defining the research objective and questions
2. Defining the search string and executing it on databases
3. Selecting studies based on inclusion and exclusion criteria
4. Extracting data from the selected studies
5. Data analysis using thematic analysis
6. Research Questions
What security APIs have been studied by researchers?
What are the misuses of security APIs?
What types of techniques have been used to detect misuses?
How have these techniques been evaluated?
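As an added example (not code from the presentation or its authors), the Python script below sketches what the research questions above ask about: a rule-based detector for a handful of Java security API misuses, including the "Allow All Hostnames" misuse from slide 3 and several cryptographic API misuses of the kind studied in the cited papers, run over a constructed, labelled benchmark and scored by precision and recall. The rule names, the `Finding` and `BENCHMARK` names, and every Java snippet are assumptions made for this example. The detector folds simple string concatenation so that a transformation split as "AES/EC" + "B" is still matched, and the benchmark deliberately includes one snippet where the mode string flows through a variable, which a literal-matching detector without data-flow tracking misses; that false negative is what an evaluation should surface.

```python
"""Rule-based detection of Java security API misuses, scored on a labelled benchmark.

Added illustration: rules, names and Java snippets are constructed for this example
and are not taken from the presentation or from any tool it reviews.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str  # name of the misuse rule that fired
    line: int  # 1-based line within the analysed snippet


# Fold adjacent Java string literals ("AES/EC" + "B") into one so a misuse split
# across a concatenation stays visible. Only same-line pairs are folded, so the
# reported line numbers remain stable.
_CONCAT = re.compile(r'"([^"\n]*)"[ \t]*\+[ \t]*"([^"\n]*)"')


def fold_string_concat(src: str) -> str:
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(r'"\1\2"', src)
    return src


RULES = {
    # Hostname verification disabled: the "Allow All Hostnames" misuse.
    "allow-all-hostname-verifier": re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|NoopHostnameVerifier|"
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;"),
    # An empty checkServerTrusted accepts any certificate chain.
    "trust-all-trustmanager": re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}"),
    # ECB leaks plaintext structure; a bare "AES" transformation defaults to ECB in JCE.
    "ecb-mode": re.compile(r'Cipher\.getInstance\s*\(\s*"(?:[^"]*/ECB/|AES"\s*[,)])'),
    # Broken or deprecated algorithms.
    "weak-cipher": re.compile(r'Cipher\.getInstance\s*\(\s*"(?:DES|DESede|RC4|ARCFOUR)\b'),
    "weak-hash": re.compile(r'MessageDigest\.getInstance\s*\(\s*"(?:MD5|SHA-?1)"'),
    # Key or IV material taken from a string literal in the source.
    "hardcoded-key": re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]*"\s*\.getBytes\('),
    "static-iv": re.compile(r'new\s+IvParameterSpec\s*\(\s*"[^"]*"\s*\.getBytes\('),
}


def detect(java_src: str) -> list:
    """Return every distinct rule hit in the snippet, ordered by line then rule."""
    src = fold_string_concat(java_src)
    hits = {Finding(name, src.count("\n", 0, m.start()) + 1)
            for name, pattern in RULES.items() for m in pattern.finditer(src)}
    return sorted(hits, key=lambda f: (f.line, f.rule))


# Constructed, labelled benchmark: (Java snippet, set of rules that should fire).
BENCHMARK = [
    ('HttpsURLConnection.setDefaultHostnameVerifier(\n'
     '    SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);', {"allow-all-hostname-verifier"}),
    ('HostnameVerifier hv = new HostnameVerifier() {\n'
     '    public boolean verify(String host, SSLSession s) { return true; }\n};',
     {"allow-all-hostname-verifier"}),
    ('TrustManager tm = new X509TrustManager() {\n'
     '    public void checkServerTrusted(X509Certificate[] c, String a) {}\n'
     '    public void checkClientTrusted(X509Certificate[] c, String a) {}\n'
     '    public X509Certificate[] getAcceptedIssuers() { return null; }\n};',
     {"trust-all-trustmanager"}),
    ('Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");', {"ecb-mode"}),
    # Same misuse hidden behind concatenation; the folding step recovers it.
    ('Cipher c = Cipher.getInstance("AES/EC" + "B/PKCS5Padding");', {"ecb-mode"}),
    ('SecretKeySpec k = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");\n'
     'Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");\n'
     'IvParameterSpec iv = new IvParameterSpec("fixedfixedfixed1".getBytes());',
     {"hardcoded-key", "weak-cipher", "static-iv"}),
    ('MessageDigest md = MessageDigest.getInstance("SHA-1");', {"weak-hash"}),
    # Mode flows through a variable: no data-flow tracking here, so this is missed.
    ('String mode = "ECB";\n'
     'Cipher c = Cipher.getInstance("AES/" + mode + "/PKCS5Padding");', {"ecb-mode"}),
    # Secure usages: must yield no findings.
    ('Cipher c = Cipher.getInstance("AES/GCM/NoPadding");\n'
     'MessageDigest md = MessageDigest.getInstance("SHA-256");', set()),
    ('HostnameVerifier hv = new DefaultHostnameVerifier();', set()),
]


def evaluate(benchmark) -> dict:
    """Count rule-level hits against the labels and derive precision and recall."""
    tp = fp = fn = 0
    for src, expected in benchmark:
        found = {f.rule for f in detect(src)}
        tp += len(found & expected)
        fp += len(found - expected)
        fn += len(expected - found)
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": tp / (tp + fp) if tp + fp else 1.0,
            "recall": tp / (tp + fn) if tp + fn else 1.0}


if __name__ == "__main__":
    for src, expected in BENCHMARK:
        print(sorted(expected), "->", [(f.rule, f.line) for f in detect(src)])
    print(evaluate(BENCHMARK))
```

On this benchmark the detector scores precision 1.0 and recall 0.9: every hit is correct, but the variable-carried "ECB" is a silent miss. That is the kind of result a benchmark-driven evaluation exposes and a detector's own test suite typically does not.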
9. Open Issues and Research Gaps
Need for applying state-of-the-art AI-based techniques: ML and DL techniques, NLP techniques
Need for human-centric models
Secure coding
More realistic threat model
Misuse repair
10. Significance and Benefits
Our research effort is the first attempt to systematically review the literature on this topic, providing an organized, evidence-based body of knowledge.
Through a comprehensive analysis of 69 primary studies, we identified key trends in security API misuse detection research.
Researchers can leverage the identified taxonomies and the research areas requiring attention to advance their research.
Practitioners can benefit by selecting appropriate techniques and improving their tools through best practices.
11. References
• Zhang, Ying, Md Mahir Asef Kabir, Ya Xiao, Danfeng Yao, and Na Meng. "Automatic Detection of Java Cryptographic API Misuses: Are We There Yet?" IEEE Transactions on Software Engineering, 2022.
• Ami, Amit Seal, Nathan Cooper, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni. "Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques." In 2022 IEEE Symposium on Security and Privacy (SP), pp. 614-631. IEEE, 2022.
• Sharif, Amir, Roberto Carbone, Giada Sciarretta, and Silvio Ranise. "Best current practices for OAuth/OIDC Native Apps: A study of their adoption in popular providers and top-ranked Android clients." Journal of Information Security and Applications 65 (2022): 103097.
• Afrose, Sharmin, Ya Xiao, Sazzadur Rahaman, Barton P. Miller, and Danfeng Yao. "Evaluation of static vulnerability detection tools with Java cryptographic API benchmarks." IEEE Transactions on Software Engineering 49, no. 2 (2022): 485-497.
12. Questions and Comments
Zahra Mousavi
CREST – Centre for Research on
Engineering Software Technologies
The University of Adelaide, Australia
Seyedehzahra.mosavi@adelaide.edu.au