Interactive Sensitive Data Exposure Detection Through Static Analysis

Md A. Obaida (1), Eric Nelson (1), Rene V. Ee (1), Israt Jahan (2), Sayeed Z. Sajal (3)

1. Dept. of Electrical and Computer Engineering, Texas A&M University, College Station, TX, USA. tareqobaida@tamu.edu
2. Dept. of Computer Science and Operations Research, North Dakota State University, Fargo, ND, USA. i.jahan@ndsu.edu
3. Dept. of Math and Computer Science, Minot State University, Minot, ND, USA. sayeed.sajal@minotstateu.edu

Abstract—Data security has become an increasingly important topic as storing and transmitting information in electronic form has become the preferred method. To protect this information, developers need to follow, at a minimum, some basic guidelines that keep the data away from malicious attackers. However, security often takes a back seat during software development and is either not implemented at all or patched into the software at the end. Both outcomes are undesirable: they leave the software vulnerable to sensitive data leaks and lower the overall quality of the application. These issues can be introduced by developers of any skill level. Existing static and dynamic analysis tools do not interact with the developer while the code is being written, which we believe can be an extremely valuable feature. We present Secure Sensitive Data (SSD), an Eclipse IDE plug-in that helps close the gap on sensitive data leaks by aiding software developers interactively, pointing out issues in real time and enforcing certain standards for protecting sensitive data. Our SSD plug-in enforces five best practices that, at a minimum, keep sensitive data encrypted and properly handled. By continuously involving the developers and reminding them of the security implications of their code, SSD helps to mitigate security flaws in future software applications.

I. INTRODUCTION

Data security vulnerabilities are not uncommon even in programs written by experienced programmers. This is not because the programmer does not know secure programming practice; it is because they sometimes forget or unintentionally skip it. This happens because programmers have to deal with other pressures such as deadlines, performance, and requirement changes. Security checking is often done by third-party security specialist companies, but we believe that only the programmer knows their own program best. It is much easier for the programmer to fix a security bug than for a third-party specialist, and it is much more convenient for the programmer to be warned about potential security vulnerabilities at development time. This also detects flaws at the earliest possible point, when they are easiest to fix.

We present Secure Sensitive Data (SSD), an Eclipse IDE plug-in that provides interactive security suggestions to Java developers in real time. This is accomplished by performing static analysis using the Eclipse API to traverse the application and check it against the sensitive data vulnerabilities we chose to enforce. The five checks we implemented require the developer to encrypt data using up-to-date encryption standards, promote proper handling of data by disallowing unnecessary copying of sensitive data, and enforce proper transmission of data.

The SSD plug-in is an extension of the Application Security plug-in for Integrated Development Environment (ASIDE) [1] project being developed at the University of North Carolina at Charlotte. ASIDE is also an Eclipse IDE plug-in that performs static analysis. However, the SSD plug-in is concerned with sensitive data leakage, whereas ASIDE focuses mainly on vulnerabilities caused by incoming data, such as SQL injection and cross-site scripting.

Looking into the ASIDE project allowed us to become familiar with related work, in particular the Open Web Application Security Project (OWASP) for web application security. The OWASP "Application Security Verification Standard" (2014) [2] lists eight rules and standards that help ensure web applications promote security. Using this list, we generated our own list of five rules that we wished to implement in our SSD plug-in.

Another source of inspiration was "Finding Security Vulnerabilities in Java Applications with Static Analysis" [3]. This paper helped us understand the underlying principles of static analysis of Java applications in Eclipse. Even though the vulnerabilities and platform that paper targets do not coincide with our SSD plug-in, its analysis of Java source code is similar to what SSD implements as far as static analysis using the Abstract Syntax
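The following is an added illustration of the kind of AST-based check the introduction describes, namely a traversal of the Java syntax tree that warns when the developer asks for an outdated encryption primitive. It is example code written for this edit, not SSD's or ASIDE's own source. It uses the Eclipse JDT DOM API (org.eclipse.jdt.core must be on the classpath together with its runtime dependencies) and walks every MethodInvocation looking for Cipher.getInstance(...) and MessageDigest.getInstance(...) calls whose algorithm argument is a string literal. The set of algorithms treated as weak, the treatment of bare "AES" (the SunJCE provider default for a bare algorithm name is ECB mode), and the sample input in main are all assumptions of this example; the paper does not state which algorithms SSD rejects.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.eclipse.jdt.core.dom.AST;
import org.eclipse.jdt.core.dom.ASTParser;
import org.eclipse.jdt.core.dom.ASTVisitor;
import org.eclipse.jdt.core.dom.CompilationUnit;
import org.eclipse.jdt.core.dom.Expression;
import org.eclipse.jdt.core.dom.MethodInvocation;
import org.eclipse.jdt.core.dom.Name;
import org.eclipse.jdt.core.dom.StringLiteral;

// Illustrative visitor (not SSD's code): reports getInstance(...) calls on
// Cipher / MessageDigest whose literal algorithm string names a weak primitive.
public class WeakCryptoVisitor extends ASTVisitor {
    // Assumed weak list: DES-family and RC4, plus 64-bit block ciphers.
    private static final Set<String> WEAK_CIPHERS =
        Set.of("DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH");
    private static final Set<String> WEAK_DIGESTS = Set.of("MD2", "MD5", "SHA1", "SHA-1");

    private final CompilationUnit cu;
    private final List<String> findings = new ArrayList<>();

    WeakCryptoVisitor(CompilationUnit cu) { this.cu = cu; }

    @Override
    public boolean visit(MethodInvocation node) {
        if (!"getInstance".equals(node.getName().getIdentifier())) return true;
        Expression receiver = node.getExpression();
        if (!(receiver instanceof Name)) return true;
        // No bindings are resolved here, so we match on the written receiver name.
        // A plug-in running inside a project would call resolveMethodBinding().
        String type = ((Name) receiver).getFullyQualifiedName();
        String simple = type.substring(type.lastIndexOf('.') + 1);
        List<?> args = node.arguments();
        if (args.isEmpty() || !(args.get(0) instanceof StringLiteral)) {
            return true; // non-literal algorithm name would need data-flow tracking
        }
        String algo = ((StringLiteral) args.get(0)).getLiteralValue();
        String problem = null;
        if (simple.equals("Cipher")) problem = checkCipher(algo);
        else if (simple.equals("MessageDigest")) problem = checkDigest(algo);
        if (problem != null) {
            findings.add("line " + cu.getLineNumber(node.getStartPosition()) + ": " + problem);
        }
        return true;
    }

    // A JCE transformation is "algorithm/mode/padding"; a bare algorithm name
    // leaves mode selection to the provider, which for AES means ECB.
    static String checkCipher(String transformation) {
        String[] parts = transformation.toUpperCase().split("/");
        if (WEAK_CIPHERS.contains(parts[0])) return "weak cipher in \"" + transformation + "\"";
        if (parts.length < 3) return "no mode/padding in \"" + transformation + "\" (provider default is ECB)";
        if (parts[1].equals("ECB")) return "ECB mode in \"" + transformation + "\"";
        return null;
    }

    static String checkDigest(String algorithm) {
        return WEAK_DIGESTS.contains(algorithm.toUpperCase()) ? "weak digest " + algorithm : null;
    }

    List<String> findings() { return findings; }

    // Parses a source string with JDT (no bindings) and returns the findings.
    static List<String> scan(String source) {
        ASTParser parser = ASTParser.newParser(AST.JLS8);
        parser.setKind(ASTParser.K_COMPILATION_UNIT);
        parser.setSource(source.toCharArray());
        CompilationUnit cu = (CompilationUnit) parser.createAST(null);
        WeakCryptoVisitor v = new WeakCryptoVisitor(cu);
        cu.accept(v);
        return v.findings();
    }

    public static void main(String[] args) {
        // Constructed sample input for this example, not taken from the paper.
        String sample = String.join("\n",
            "import javax.crypto.Cipher;",
            "import java.security.MessageDigest;",
            "class Demo {",
            "  void f() throws Exception {",
            "    Cipher a = Cipher.getInstance(\"DES/CBC/PKCS5Padding\");",  // weak cipher
            "    Cipher b = Cipher.getInstance(\"AES\");",                    // default ECB
            "    Cipher c = Cipher.getInstance(\"AES/GCM/NoPadding\");",      // passes
            "    MessageDigest d = MessageDigest.getInstance(\"MD5\");",      // weak digest
            "  }",
            "}");
        scan(sample).forEach(System.out::println); // three findings, none for line 7
    }
}
```

Inside an Eclipse plug-in the findings would not be printed; each one would become an IMarker of type IMarker.PROBLEM on the edited file, with IMarker.LINE_NUMBER and IMarker.MESSAGE set, so the warning appears in the editor gutter as the developer types. The literal-only matching is the main limitation: an algorithm name read from a constant or configuration is skipped rather than reported, so a production check needs binding resolution and at least intraprocedural constant propagation.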