Code review scope for integrity breaches by insider

Date

2017-05

Journal Title

Journal ISSN

Volume Title

Publisher

Abstract

Integrity security is a key element of secure applications. To ensure that application has integrity security, the process to follow is to review the source code that is being developed by the software engineers. The code review process is a tedious and time consuming process, the complexity of which is directly dependent on the size of the application being developed. Due to the nature of the code review process, many times the reviews may not be conducted as thoroughly as required. There is also an aspect of the skill level of the reviewer that may be inadequate for the level of expertise required to review and provide feedback or corrections for a secure application. There is a need to identify the scope of mandatory code review, which are parts of the source code that should absolutely be manually scrutinized and reviewed for ensuring that the application satisfies the integrity security requirements. Insider malicious attacks are carried out by insider software engineers either for personal gains or to cause damage to their employers. One way to cause damage is to write malicious source code that causes either immediate damage or time lapse damage. There is a need to address insider attacks that are caused by malicious code. This dissertation introduces an approach that allows us to determine the scope of code review for secure applications, the integrity of which can be compromised by an insider with malicious intent. The approach identifies suspicious codes that might be contaminated by an insider in object-oriented programs so that it draws the reviewer’s attention to these codes. The goal of the proposed approach is to mitigate the code review for the integrity security of a program by providing the scope of code review instead of reviewing the whole program for an application. The integrity breach conditions (IBCs) are specified using the concepts of coupling in a program and the conditions are used to find security spots that might contain malicious codes. IBCs are specified using Object Constraint Language (OCL) with a meta-model for Java. A Code Analysis for Integrity Security (CAIS) tool is developed and provided to validate the approach proposed in this dissertation. The tool can be used to verify object oriented secure applications written in the Java programming language.

Description

Keywords

Code review, Integrity, Insider attack, Coupling, Integrity breach condition.

Citation