Efficient detection of all pointer and array access errors
PLDI '94 Proceedings of the ACM SIGPLAN 1994 conference on Programming language design and implementation
Software unit test coverage and adequacy
ACM Computing Surveys (CSUR)
Symbolic execution and program testing
Communications of the ACM
Pointer analysis: haven't we solved this problem yet?
PASTE '01 Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Token-based scanning of source code for security problems
ACM Transactions on Information and System Security (TISSEC)
Testing with hostile data streams
ACM SIGSOFT Software Engineering Notes
Testing for Software Vulnerability Using Environment Perturbation
DSN '00 Proceedings of the 2000 International Conference on Dependable Systems and Networks (formerly FTCS-30 and DCCA-8)
Libsafe: Transparent System-wide Protection Against Buffer Overflow Attacks
DSN '02 Proceedings of the 2002 International Conference on Dependable Systems and Networks
Web application security assessment by fault injection and behavior monitoring
WWW '03 Proceedings of the 12th international conference on World Wide Web
CSSV: towards a realistic tool for statically detecting all buffer overflows in C
PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
Using Programmer-Written Compiler Extensions to Catch Security Holes
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Protecting C programs from attacks via invalid pointer dereferences
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
ARCHER: using symbolic, path-sensitive analysis to detect memory access errors
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
MECA: an extensible, expressive system and language for statically checking security properties
Proceedings of the 10th ACM conference on Computer and communications security
Buffer overrun detection using linear programming and static analysis
Proceedings of the 10th ACM conference on Computer and communications security
Using Program Transformation to Secure C Programs Against Buffer Overflows
WCRE '03 Proceedings of the 10th Working Conference on Reverse Engineering
IEEE Security and Privacy
Identifying Cross Site Scripting Vulnerabilities in Web Applications
WSE '04 Proceedings of the Web Site Evolution, Sixth IEEE International Workshop
Testing static analysis tools using exploitable buffer overflows from open source code
Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering
An efficient and backwards-compatible transformation to ensure memory safety of C programs
Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering
Testing network-based intrusion detection signatures using mutant exploits
Proceedings of the 11th ACM conference on Computer and communications security
Bypass Testing of Web Applications
ISSRE '04 Proceedings of the 15th International Symposium on Software Reliability Engineering
IEEE Security and Privacy
Making the Kernel Responsible: A New Approach to Detecting & Preventing Buffer Overflows
IWIA '05 Proceedings of the Third IEEE International Workshop on Information Assurance
Search-based software test data generation: a survey: Research Articles
Software Testing, Verification & Reliability
A framework for testing security mechanisms for program-based attacks
SESS '05 Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications
Combining static analysis and runtime monitoring to counter SQL-injection attacks
WODA '05 Proceedings of the third international workshop on Dynamic analysis
SecureC: Control-Flow Protection Against General Buffer Overflow Attack
COMPSAC '05 Proceedings of the 29th Annual International Computer Software and Applications Conference - Volume 01
Preventing format-string attacks via automatic and efficient dynamic checking
Proceedings of the 12th ACM conference on Computer and communications security
Enhancing Security Using Legality Assertions
WCRE '05 Proceedings of the 12th Working Conference on Reverse Engineering
Secure Coding in C and C++: Of Strings and Integers
IEEE Security and Privacy
Agile Security Testing of Web-Based Systems via HTTPUnit
ADC '05 Proceedings of the Agile Development Conference
Preventing SQL Injection Attacks in Stored Procedures
ASWEC '06 Proceedings of the Australian Software Engineering Conference
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
A Practical Framework for Dynamically Immunizing Software Security Vulnerabilities
ARES '06 Proceedings of the First International Conference on Availability, Reliability and Security
Modular checking for buffer overflows in the large
Proceedings of the 28th international conference on Software engineering
SecuBat: a web vulnerability scanner
Proceedings of the 15th international conference on World Wide Web
On evolving buffer overflow attacks using genetic programming
Proceedings of the 8th annual conference on Genetic and evolutionary computation
Integrating Static and Dynamic Analysis for Detecting Vulnerabilities
COMPSAC '06 Proceedings of the 30th Annual International Computer Software and Applications Conference - Volume 01
Eliminating SQL Injection Attacks - A Transparent Defense Mechanism
WSE '06 Proceedings of the Eighth IEEE International Symposium on Web Site Evolution
EXE: automatically generating inputs of death
Proceedings of the 13th ACM conference on Computer and communications security
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
Static analysis of anomalies and security vulnerabilities in executable files
Proceedings of the 44th annual Southeast regional conference
JavaScript instrumentation for browser security
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
Proceedings of the 2007 ACM symposium on Applied computing
AProSec: an Aspect for Programming Secure Web Applications
ARES '07 Proceedings of the The Second International Conference on Availability, Reliability and Security
Exterminator: automatically correcting memory errors with high probability
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Sound and precise analysis of web applications for injection vulnerabilities
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Detecting format string vulnerabilities with type qualifiers
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Large-scale analysis of format string vulnerabilities in Debian Linux
Proceedings of the 2007 workshop on Programming languages and analysis for security
ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
Securing software by enforcing data-flow integrity
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Using Automated Fix Generation to Secure SQL Statements
SESS '07 Proceedings of the Third International Workshop on Software Engineering for Secure Systems
BrowserShield: Vulnerability-driven filtering of dynamic HTML
ACM Transactions on the Web (TWEB)
Secure web applications via automatic partitioning
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Automatic Patch Generation for Buffer Overflow Attacks
IAS '07 Proceedings of the Third International Symposium on Information Assurance and Security
Effect of static analysis tools on software security: preliminary investigation
Proceedings of the 2007 ACM workshop on Quality of protection
Multi-module vulnerability analysis of web-based applications
Proceedings of the 14th ACM conference on Computer and communications security
The Automatic Defense Mechanism for Malicious Injection Attack
CIT '07 Proceedings of the 7th IEEE International Conference on Computer and Information Technology
Securing web applications with static and dynamic information flow tracking
PEPM '08 Proceedings of the 2008 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation
Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks
PRDC '07 Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing
Detecting buffer overflow via automatic test input data generation
Computers and Operations Research
SQL-IDS: a specification-based approach for SQL-injection detection
Proceedings of the 2008 ACM symposium on Applied computing
Static detection of cross-site scripting vulnerabilities
Proceedings of the 30th international conference on Software engineering
Testing for buffer overflows with length abstraction
ISSTA '08 Proceedings of the 2008 international symposium on Software testing and analysis
Leveraging User Interactions for In-Depth Testing of Web Applications
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
MUSIC: Mutation-based SQL Injection Vulnerability Checking
QSIC '08 Proceedings of the 2008 The Eighth International Conference on Quality Software
Mutation-Based Testing of Buffer Overflow Vulnerabilities
COMPSAC '08 Proceedings of the 2008 32nd Annual IEEE International Computer Software and Applications Conference
Marple: a demand-driven path-sensitive buffer overflow detector
Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering
Mutation-Based Testing of Format String Bugs
HASE '08 Proceedings of the 2008 11th IEEE High Assurance Systems Engineering Symposium
Resolving JavaScript Vulnerabilities in the Browser Runtime
ISSRE '08 Proceedings of the 2008 19th International Symposium on Software Reliability Engineering
Automated Fix Generator for SQL Injection Attacks
ISSRE '08 Proceedings of the 2008 19th International Symposium on Software Reliability Engineering
Hybrid analysis of executables to detect security vulnerabilities: security vulnerabilities
Proceedings of the 2nd India software engineering conference
Enforcing code security in database web applications using libraries and object models
LCSD '07 Proceedings of the 2007 Symposium on Library-Centric Software Design
First-aid: surviving and preventing memory management bugs during production runs
Proceedings of the 4th ACM European conference on Computer systems
Using static analysis for Ajax intrusion detection
Proceedings of the 18th international conference on World wide web
TAJ: effective taint analysis of web applications
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
Automatic creation of SQL Injection and cross-site scripting attacks
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
An Approach for SQL Injection Vulnerability Detection
ITNG '09 Proceedings of the 2009 Sixth International Conference on Information Technology: New Generations
Automatic Testing of Program Security Vulnerabilities
COMPSAC '09 Proceedings of the 2009 33rd Annual IEEE International Computer Software and Applications Conference - Volume 02
MUTEC: Mutation-based testing of Cross Site Scripting
IWSESS '09 Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems
A hybrid analysis framework for detecting web application vulnerabilities
IWSESS '09 Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems
Foundations of Software Testing
Foundations of Software Testing
Classification of Static Analysis-Based Buffer Overflow Detectors
SSIRI-C '10 Proceedings of the 2010 Fourth International Conference on Secure Software Integration and Reliability Improvement Companion
Monitoring Buffer Overflow Attacks: A Perennial Task
International Journal of Secure Software Engineering
Buffer overflow patching for C and C++ programs: rule-based approach
ACM SIGAPP Applied Computing Review
Security vulnerabilities and mitigation techniques of web applications
Proceedings of the 6th International Conference on Security of Information and Networks
Teaching Secure Coding Practices to STEM Students
Proceedings of the 2013 on InfoSecCD '13: Information Security Curriculum Development Conference
| Hi-index | 0.00 |
Programs are implemented in a variety of languages and contain serious vulnerabilities which might be exploited to cause security breaches. These vulnerabilities have been exploited in real life and caused damages to related stakeholders such as program users. As many security vulnerabilities belong to program code, many techniques have been applied to mitigate these vulnerabilities before program deployment. Unfortunately, there is no comprehensive comparative analysis of different vulnerability mitigation works. As a result, there exists an obscure mapping between the techniques, the addressed vulnerabilities, and the limitations of different approaches. This article attempts to address these issues. The work extensively compares and contrasts the existing program security vulnerability mitigation techniques, namely testing, static analysis, and hybrid analysis. We also discuss three other approaches employed to mitigate the most common program security vulnerabilities: secure programming, program transformation, and patching. The survey provides a comprehensive understanding of the current program security vulnerability mitigation approaches and challenges as well as their key characteristics and limitations. Moreover, our discussion highlights the open issues and future research directions in the area of program security vulnerability mitigation.