Enhancing CryptoGuards Deployability for Continuous Software Security Scanning
This work addresses security vulnerabilities in software development for developers, but it is incremental as it builds on an existing tool.
The research tackled the problem of overlooked security steps in Agile development by enhancing CryptoGuard, a static code analyzer for Java, to improve its deployability, accessibility, and usability through extensions like scanning source and compiled code, live documentation, and cloud/local tool-suite support.
The increasing development speed via Agile may introduce overlooked security steps in the process, with an example being the Iowa Caucus application. Verifying the protection of confidential information such as social security numbers requires security at all levels, providing protection through any connected applications. CryptoGuard is a static code analyzer for Java. This program verifies that developers do not leave vulnerabilities in their applications. The program aids the developer by identifying cryptographic misuses such as hard-coded keys, weak program hashes, and using insecure protocols. In my Master's thesis work, I made several important contributions to improving the deployability, accessibility, and usability of CryptoGuard. I extended CryptoGuard to scan source and compiled code, created live documentation, and supported a dual cloud and local tool-suite. I also created build tool plugins and a program aid for CryptoGuard. In addition, I also analyzed several Java-related surveys encompassing more than 50,000 developers and reported interesting current practices of real-world software developers.