New open source API bug detection tool improves application security testing
Software development today usually involves the use of third-party APIs, libraries or frameworks that are complex, rapidly evolving, and sometimes poorly documented.
Security testing solutions company GrammaTech is launching its new Swap Detector, an open-source checker that detects application programming interface (API) usage errors.
Developed as part of a research project sponsored by the Department of Homeland Security Science and Technology Directorate Static Tool Analysis Modernization Project (STAMP), Swap Detector improves application security testing for DevOps teams.
"Traditional static-analysis techniques do not take advantage of the vast wealth of information on what represents error-free coding practices available in the open-source domain," says Alexey Loginov, vice president of research at GrammaTech. "With Swap Detector we applied Big Data analysis techniques, what we call Big Code analysis, to the Fedora RPM open-source repository to baseline correct API usage. This allowed us to develop error-detection capabilities that far exceed the scalability and accuracy of conventional approaches to program analysis."
The Swap Detector interface integrates with a variety of static analysis tools. Although initially focused on C/C++ programs, it is applicable to programs in other languages and is especially beneficial for interpreted, rather than compiled, languages, where the compiler cannot catch type mismatches between arguments and parameters.
It uses multiple error-detection techniques, layered together to increase accuracy. One technique compares the argument names used at call sites with the parameter names used in the corresponding declarations, flagging calls where the names line up with the parameters in a different order. Another applies 'Big Code' techniques: statistical information about known-good API-usage patterns, collected from a large sample of code, is used to flag usages that are statistically anomalous as potential errors. To improve the precision of the reported warnings, Swap Detector also applies false-positive reduction strategies to the output of both techniques.
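To illustrate the name-comparison technique described above, here is an added example that is not GrammaTech's code: a small Python checker that flags call sites whose argument names match the callee's parameter names in swapped positions. The sample program, the function names and the matching heuristic are constructed for this illustration; it demonstrates the idea, not the tool's actual implementation.

```python
import ast
from typing import Dict, List, Optional, Tuple

# Constructed sample program (not from the article): one helper with
# descriptively named parameters and two call sites, one of which
# swaps its first two arguments.
SAMPLE_SOURCE = """
def copy_block(dest, src, count):
    pass

def good_caller(src, dest, n):
    copy_block(dest, src, n)

def bad_caller(src, dest, n):
    copy_block(src, dest, n)
"""

def _arg_name(node: ast.expr) -> Optional[str]:
    """Return a plain identifier for an argument expression, if it has one."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):   # e.g. obj.src -> "src"
        return node.attr
    return None

def find_swapped_args(source: str) -> List[Tuple[int, str, str, str]]:
    """Flag calls whose argument names match the callee's parameters in
    swapped positions. Returns (line, callee, arg_name_i, arg_name_j)."""
    tree = ast.parse(source)
    # Parameter names of every function declared in the source.
    params: Dict[str, List[str]] = {
        fn.name: [a.arg for a in fn.args.args]
        for fn in ast.walk(tree) if isinstance(fn, ast.FunctionDef)
    }
    findings = []
    for call in ast.walk(tree):
        if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)):
            continue
        declared = params.get(call.func.id)
        if declared is None:          # unknown callee: no declaration to compare
            continue
        names = [_arg_name(a) for a in call.args]
        for i, ai in enumerate(names):
            for j in range(i + 1, min(len(names), len(declared))):
                aj = names[j]
                if ai is None or aj is None:
                    continue
                # Argument i is named like parameter j and vice versa: a likely swap.
                # Requiring distinct names is a simple false-positive filter.
                if ai == declared[j] and aj == declared[i] and ai != aj:
                    findings.append((call.lineno, call.func.id, ai, aj))
    return findings
```

Running `find_swapped_args(SAMPLE_SOURCE)` reports only the call in `bad_caller`, where `src` and `dest` arrive in each other's positions.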
Swap Detector is available now via GitHub.