How secure are business applications? An in-depth study on the security of business applications.

Bachelor Thesis

The goal of this thesis was to evaluate the security of business applications. Further, a conservative static analysis should be developed and used to identify all possible paths from library usages to the application code.

Previous work on crypto misuses focused on the security of Android applications, while more complex business applications were out of focus. In addition, the impact of libraries on the analysis results is rarely discussed.

This thesis first analyzed the reports generated by CogniCrypt_SAST for three business applications. Based upon these results, we developed a static analysis using OPAL which resolves reflective calls conservatively. With the help of this analysis, we filtered out reports for dead code.
For the evaluation setup, we used 46 business applications; CogniCrypt identified at least one misuse in 23 of these projects. After applying our OPAL-based analysis to the reports, we reduced the number of potentially vulnerable projects to 18. As a last step, we integrated the results of our manual analysis and ended up with 15 projects with potential crypto vulnerabilities.

Publications

  • Jonathan Speth: How secure are business applications? An in-depth study on the security of business applications.