Identification and Removal of Software Security Vulnerabilities using Source Code Analysis: A Case Study on a Java File Writer Program with Password Validation Features

We illustrate the use of source code analysis to identify and remove the following software security vulnerabilities: (i) Hardcoded Password, (ii) Empty Password Initialization, (iii) Denial of Service, (iv) System Information Leak, (v) Unreleased Resource and (vi) Path Manipulation. We propose one or more solution approaches to remove or at least mitigate each of these vulnerabilities that have the potential to significantly impact the security of software programs if they are left unattended. In this context, we conduct an exhaustive source code analysis of a file writer program, developed in Java, embedded with features for password validation in order to illustrate the Hardcoded password and Empty password initialization vulnerabilities. We also illustrate the occurrence of one or more new vulnerabilities as a result of incorporating a patch (code) to remove an existing vulnerability. Our solution approaches to remove the above vulnerabilities can also be adapted to other high-level programming languages like C/C++. We use the Fortify Source Code Analyzer (SCA) software to conduct the automated source code analysis of the file writer program to test for software security, including both identification and removal of the vulnerabilities. Index Terms — Software Security, Vulnerability, Source Code Analysis, Password Validation, Information Leak, Unreleased Resource, Path Manipulation