How well could have existing static vulnerability detection tools prevented publicly reported vulnerabilities in iOS open source packages?

Date

2023

Publisher

Tartu Ülikool

Abstract

Preventing vulnerabilities is an ever-present, high-risk concern in software development, and undetected vulnerabilities can cause serious problems. To prevent as many vulnerabilities as possible, many different techniques and approaches have been developed, one of which is vulnerability detection tools. Many such tools exist, but it is unclear how effective this approach is at preventing real-world vulnerabilities. In this thesis, testing was carried out on publicly reported vulnerabilities in iOS open source packages with the aim of finding out how many of these vulnerabilities could have been prevented by using such tools. Multiple types of security testing tools exist, such as static application security testing (SAST), dynamic application security testing (DAST), manual testing and other hybrid approaches. In this thesis, SAST tools are used because of their relative ease of use. Five SAST tools were tested on 81 publicly reported vulnerabilities in 23 packages, and 14 of the 81 vulnerable code segments were flagged by at least one tool. However, given the way these vulnerabilities were reported and the prevalence of false positives, these SAST tools do not appear to be good at pinpointing existing vulnerabilities. Instead, they help prevent vulnerabilities by directing developers to write better quality code and by notifying them of functions and approaches that are difficult to implement safely, so that they know to take extra care or find safer alternatives.

Keywords

Open source, vulnerability, CVE, Static Application Security Testing, SAST, vulnerability detection tools