Avoiding security vulnerabilities in industrial software

 |  DigitalizationResearchEconomy & BusinessPress releaseSecure Software Engineering / Heinz Nixdorf Institut

Researchers at the Heinz Nixdorf Institute in Paderborn develop specifiable analysis tool

We encounter software in many different places in our digitalised everyday lives, from chatting with friends and family to online banking. To simplify software development, programmers often use so-called "Application Programming Interfaces" (API) - codes that contain commands for general functions or enable interactions with an external system, for example. The use of APIs is helpful when there are standards to be adhered to or complicated programming tasks. However, incorrect use can also lead to security vulnerabilities and enormous costs. In order to recognise potential misuse at an early stage, scientists at the Heinz Nixdorf Institute at Paderborn University are working with TRUMPF SE + Co KG to develop an appropriate analysis tool. The "API_ASSIST - Specifiable automatic detection of API misuse in CI pipelines" project of the "Secure Software Engineering" group is being funded with 100,000 euros as part of the Software Campus programme of the Federal Ministry of Education and Research (BMBF). The project will run for 19 months.

From a general to a specifically customisable analysis tool

"The incorrect use of APIs often leads to security vulnerabilities, which can have catastrophic consequences in the financial sector, for example," says project manager Michael Schlichtig from Paderborn's Department of Computer Science. In the Collaborative Research Centre SFB 1119 "CROSSING", the research assistant has already developed the "CogniCrypt" programme, which detects the incorrect use of cryptographic APIs. As part of the new project, the static analysis tool is to be adapted so that programmers can use it for their individual areas of application. "Our goal is a precise and, above all, easily adaptable analysis programme for developers in the industry. The tool should be integrated into CI pipelines and be able to cover any APIs of the Java programming language," he explains. When designing the tool, the focus is not only on the simple adaptability of the analysis to the application context, but also on comprehensible feedback for developers. This is intended to help them recognise where the programming error or API misuse is.

From theory to practice

The basis for the project idea came from Schlichtig's "FUM" framework, which classifies API usage restrictions and the resulting misuses. This classification can be used to better categorise and explain API misuse. "By working together with industrial companies, we can now achieve practical results that can be used in real programming situations at medium-sized companies," summarises Schlichtig.

This text has been translated automatically.


business-card image

Michael Schlichtig

Secure Software Engineering / Heinz Nixdorf Institut

Write email +49 5251 60-6580