Automatically fixing security vulnerabilities in Java code

Abstract

Most kinds of security vulnerabilities in web applications can be fixed by adding appropriate sanitization methods. Finding the correct place for the sanitizers can be difficult due to complicated data and control flow. Fixing SQL injection vulnerabilities may require more complex transformations, such as replacing uses of Statement by PreparedStatement, which could include some code motion. We have developed algorithms to place sanitizers correctly, as well as to transform Statement to PreparedStatement. These have been implemented as "quick fixes" in an Eclipse plugin that works together with a commercial tool that discovers security vulnerabilities in web applications.