Static Code Analysis to Detect Software Security Vulnerabilities - Does Experience Matter?

Cited by: 22

Authors
Baca, Dejan [1 ,2 ]
Petersen, Kai [1 ,2 ]
Carlsson, Bengt [2 ]
Lundberg, Lars [2 ]

Affiliations
[1] Ericsson AB, Box 518, SE-37123 Karlskrona, Sweden
[2] Blekinge Inst Technol, Sch Engn, Karlskrona, Sweden

Keywords

DOI
10.1109/ARES.2009.163

Chinese Library Classification
TP301 [Theory, Methods];

Discipline Classification Code
081202 ;

Abstract
Code reviews with static analysis tools are today recommended by several security development processes. Developers are expected to use the tools' output to detect the security threats they themselves have introduced in the source code. This approach assumes that every developer can correctly identify a warning from a static analysis tool (SAT) as a security threat that needs to be corrected. We have conducted an industry experiment with a state-of-the-art static analysis tool and real vulnerabilities. We have found that average developers do not correctly identify the security warnings, and that only developers with specific experience perform better than chance in detecting the security vulnerabilities. Specific SAT experience more than doubled the number of correct answers, and a combination of security experience and SAT experience almost tripled the number of correct security answers.
Pages: 804 / +
Page count: 2