Volume 18, Number 2
Classification of Source Code Vulnerabilities and Analysis of Detection Methods: Evaluation, Comparison, and Proposed Approaches
Authors
Nin Ho Le Viet 1,2 , Chieu Ta Quang 2 , Cuong Dang Van 3 and Tuan Nguyen Kim 3 , 1Duy Tan University, Vietnam, 2Thuyloi University, Vietnam, 3Phenikaa University, Vietnam
Abstract
Source code vulnerabilities are an important cause leading to many information security incidents in modern software systems. Due to the diversity of causes and technical characteristics, source code vulnerability detection is difficult to be effectively addressed by a single method. This paper focuses on classifying, evaluating, and comparing source code vulnerability detection methods in order to provide a systematic view of this problem. The first contribution of the paper is to develop a classification approach for source code vulnerabilities based on causes and technical characteristics, thereby clarifying the nature of each vulnerability group. Next, the paper analyzes and evaluates common detection method categories, including static analysis, dynamic analysis, and machine learning and deep learning based methods, with consideration of the application scope and characteristic limitations of each approach. On that basis, the paper conducts an overall comparison among the methods to indicate that there does not exist a single technique that can effectively detect every type of source code vulnerability. Finally, the paper proposes a combined approach to leverage the advantages of different methods in source code vulnerability detection. The results and analyses in the paper are expected to support researchers and software engineers in evaluating, selecting, and orienting the development of vulnerability detection solutions in the future.
Keywords
Source code vulnerabilities, Software security, Vulnerability detection, Static and dynamic analysis, Machine learning