Do security tools work?

Prof. Adwait Nadkarni

William & Mary

Home automation and mobile-IoT apps

A very simple example: compromise the mobile app or the server and switch the home's mode to "home", so the automation behaves as if the occupants are present.


Why are mobile app vulnerabilities so prevalent?

  • Possibility 1: developers don't care about security
  • Possibility 2: they care, but don't know enough to build secure software
  • Possibility 3: they don't use vulnerability detection tools
  • Possibility 4: they misconfigure vulnerability detection tools

==Do security tools work?==


RQ1: Do security tools and techniques detect the vulnerabilities that they claim to detect?

RQ2: Do the tools detect vulnerabilities as developers expect them to?


RQ1

ECB mode was not considered vulnerable in OWASP's guidance until March 2020 (so a detector built on that guidance would not flag it).


Mutation testing

How do they evaluate the detectors?

  • use mutation testing to insert vulnerable code (mutants) into benign apps
  • then check whether the tools detect each mutant (a detected mutant is "killed"; an undetected one "survives")
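The evaluation approach above and the ECB point under RQ1, as an added worked example (not code from the talk or from any of the tools it evaluates): a constructed benign Java snippet, a handful of constructed mutation operators that each inject ECB mode in a different syntactic form, and two hypothetical detectors. The naive one only matches the literal `"AES/ECB/..."`, so it kills one mutant; the normalizing one also handles a bare `"AES"` (which the JCA defaults to ECB), case differences, and runtime string concatenation. The operator names, class names and both detectors are assumptions made for this example.

```python
"""Mutation analysis of a crypto-misuse detector (constructed example)."""
import re
from dataclasses import dataclass

# Constructed benign "app": a minimal Java class using an authenticated mode.
BENIGN_APP = '''
import javax.crypto.Cipher;

public class Vault {
    Cipher newCipher() throws Exception {
        return Cipher.getInstance("AES/GCM/NoPadding");
    }
}
'''

SAFE_LITERAL = '"AES/GCM/NoPadding"'

# Mutation operators (hypothetical names): each rewrites the transformation
# string into a form that selects ECB mode.
MUTATION_OPERATORS = {
    "explicit_ecb": '"AES/ECB/PKCS5Padding"',
    "implicit_ecb": '"AES"',                          # JCA defaults bare "AES" to ECB
    "lowercase_ecb": '"aes/ecb/pkcs5padding"',        # JCA names are case-insensitive
    "concat_ecb": '"AES/" + "ECB" + "/PKCS5Padding"', # string assembled at runtime
}


@dataclass(frozen=True)
class Mutant:
    name: str
    source: str


def mutate(source: str) -> list:
    """Apply every operator at the single mutation site, one mutant per operator."""
    if SAFE_LITERAL not in source:
        raise ValueError("no mutation site in source")
    return [Mutant(name, source.replace(SAFE_LITERAL, literal))
            for name, literal in MUTATION_OPERATORS.items()]


GETINSTANCE = re.compile(r'Cipher\.getInstance\(([^)]*)\)')
STRING_LITERAL = re.compile(r'"([^"]*)"')


def naive_detector(source: str) -> bool:
    """Flags ECB only when it appears verbatim, upper-case, in one literal."""
    return any('"AES/ECB/' in arg for arg in GETINSTANCE.findall(source))


def normalizing_detector(source: str) -> bool:
    """Joins adjacent literals, lower-cases, and treats a bare algorithm as ECB."""
    for arg in GETINSTANCE.findall(source):
        transformation = "".join(STRING_LITERAL.findall(arg)).lower()
        if transformation == "aes" or "/ecb/" in transformation:
            return True
    return False


def run_mutation_analysis(source: str, detector) -> dict:
    """Map each mutant name to 'killed' (flagged) or 'survived' (missed)."""
    if detector(source):
        raise AssertionError("detector flags the benign program: false positive")
    return {m.name: ("killed" if detector(m.source) else "survived")
            for m in mutate(source)}


def mutation_score(results: dict) -> float:
    """Fraction of mutants the detector killed."""
    return sum(1 for v in results.values() if v == "killed") / len(results)


if __name__ == "__main__":
    for label, det in (("naive", naive_detector), ("normalizing", normalizing_detector)):
        res = run_mutation_analysis(BENIGN_APP, det)
        print(f"{label}: score={mutation_score(res):.2f} {res}")
```

Running the script shows the naive detector scoring 0.25 (only `explicit_ecb` is killed) while the normalizing detector scores 1.0; the surviving mutants are exactly the ones that tell you what a tool's "detects ECB" claim is worth in practice.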