New US system finds security flaws in popular web apps

US – US researchers have created a new system that can quickly comb through tens of thousands of lines of application code to find security flaws in popular web-based apps, reports The Economic Times (India).

The system, developed at the Massachusetts Institute of Technology (MIT), uses a technique called static analysis, which seeks to describe, in a very general way, how data flows through a program.

“The classic example of this is if you wanted to do an abstract analysis of a program that manipulates integers, you might divide the integers into the positive integers, the negative integers, and zero,” said Daniel Jackson, an MIT professor and the co-author of the study.

The static analysis would then evaluate every operation in the program according to its effect on integers’ signs. Adding two positives yields a positive; adding two negatives yields a negative; multiplying two negatives yields a positive; and so on.

“The problem with this is that it can’t be completely accurate, because you lose information,” Jackson said.

“If you add a positive and a negative integer, you don’t know whether the answer will be positive, negative, or zero. Most work on static analysis is focused on trying to make the analysis more scalable and accurate to overcome those sorts of problems,” he added.
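The sign abstraction that Jackson describes is small enough to implement in full. The following is an added example written for this page, not code from the original article or from the MIT system it reports on. It models the integers as four abstract values (negative, zero, positive, and "unknown"), defines the abstract addition and multiplication rules from the text, evaluates a tiny hypothetical expression format over signs instead of integers, and checks the result against ordinary arithmetic on constructed sample values. The expression tuple format and the variable environment are assumptions of this example.

```python
from enum import Enum
from itertools import product


class Sign(Enum):
    """Abstract domain: each value summarises a whole set of integers."""
    NEG = "negative"
    ZERO = "zero"
    POS = "positive"
    TOP = "unknown"  # could be any integer: the point where information is lost


def abstract(n):
    """Map a concrete integer to the abstract sign that describes it."""
    if n < 0:
        return Sign.NEG
    if n == 0:
        return Sign.ZERO
    return Sign.POS


def add(a, b):
    """Abstract addition: the sign rules from the article, including the lossy case."""
    if Sign.TOP in (a, b):
        return Sign.TOP
    if a == Sign.ZERO:
        return b
    if b == Sign.ZERO:
        return a
    if a == b:            # positive + positive, negative + negative
        return a
    return Sign.TOP       # positive + negative: the result could have any sign


def mul(a, b):
    """Abstract multiplication; zero absorbs even an unknown operand."""
    if Sign.ZERO in (a, b):
        return Sign.ZERO
    if Sign.TOP in (a, b):
        return Sign.TOP
    return Sign.POS if a == b else Sign.NEG


def eval_abstract(expr, env):
    """Evaluate a small expression tree over signs instead of integers.

    expr uses a hypothetical tuple format constructed for this example:
      ("const", 5)  ("var", "x")  ("bin", "+", lhs, rhs)  ("bin", "*", lhs, rhs)
    env maps variable names to the Sign known for them at this program point.
    """
    kind = expr[0]
    if kind == "const":
        return abstract(expr[1])
    if kind == "var":
        return env[expr[1]]
    _, op, lhs, rhs = expr
    left, right = eval_abstract(lhs, env), eval_abstract(rhs, env)
    return add(left, right) if op == "+" else mul(left, right)


def eval_concrete(expr, env):
    """The ordinary integer semantics, used to check the abstract one."""
    kind = expr[0]
    if kind == "const":
        return expr[1]
    if kind == "var":
        return env[expr[1]]
    _, op, lhs, rhs = expr
    left, right = eval_concrete(lhs, env), eval_concrete(rhs, env)
    return left + right if op == "+" else left * right


def covers(sign, value):
    """Soundness relation: an abstract result must include every concrete result."""
    return sign == Sign.TOP or sign == abstract(value)


def transfer_functions_are_sound():
    """Check add/mul against constructed sample integers for every pair of signs.

    Soundness (never ruling out a value that can actually occur) is what lets an
    analysis vouch for the absence of a flaw; precision (returning TOP rarely) is
    what keeps false positives down. The sign domain is sound but, as the article
    says, lossy.
    """
    samples = {Sign.NEG: [-3, -1], Sign.ZERO: [0], Sign.POS: [1, 4]}
    for a, b in product(samples, repeat=2):
        for x, y in product(samples[a], samples[b]):
            if not covers(add(a, b), x + y) or not covers(mul(a, b), x * y):
                return False
    return True


if __name__ == "__main__":
    # x*x + 1: provably positive when x's sign is known, but not when x is unknown,
    # because TOP * TOP is TOP and TOP + positive is TOP.
    square_plus_one = ("bin", "+", ("bin", "*", ("var", "x"), ("var", "x")), ("const", 1))
    for known in Sign:
        result = eval_abstract(square_plus_one, {"x": known})
        print(f"x {known.value:>8} -> x*x+1 {result.value}")
    # The article's own example: positive plus negative gives no information.
    print(add(Sign.POS, Sign.NEG).value)
```

Running the block prints `positive` for a negative, zero or positive `x` and `unknown` for an unknown `x`, which is the scalability-versus-accuracy tension Jackson refers to: a coarser domain is cheap to evaluate, but each lossy operation (here, `positive + negative` and anything involving an unknown operand) propagates "unknown" through the rest of the analysis, and a richer domain is needed to recover the lost facts.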