Improving software security with static automated code analysis in an industry setting
Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation.
2013 (English). In: Software, practice & experience, ISSN 0038-0644, E-ISSN 1097-024X, Vol. 43, no. 3, pp. 259-279. Journal article (peer-reviewed). Published.
Abstract [en]

Software security can be improved by identifying and correcting vulnerabilities. In order to reduce the cost of rework, vulnerabilities should be detected as early and efficiently as possible. Static automated code analysis is an approach for early detection. So far, only a few empirical studies have been conducted in an industrial context to evaluate static automated code analysis. A case study was conducted to evaluate static code analysis in industry, focusing on defect detection capability, deployment, and usage of static automated code analysis with a focus on software security. We identified that the tool was capable of detecting memory-related vulnerabilities, but few vulnerabilities of other types. The deployment of the tool played an important role in its success as an early vulnerability detector, as did the developers' perception of the tool's merit. Classifying the warnings from the tool was harder for the developers than correcting them. The correction of false positives in some cases created new vulnerabilities in previously safe code. With regard to defect detection ability, we conclude that static code analysis is able to identify vulnerabilities in different categories. In terms of deployment, we conclude that the tool should be integrated with bug reporting systems, and developers need to share the responsibility for classifying and reporting warnings. With regard to tool usage by developers, we propose to use multiple persons (at least two) in classifying a warning. The same goes for making the decision of how to act based on the warning.

Place, publisher, year, edition, pages
Wiley, 2013. Vol. 43, no. 3, pp. 259-279
Keywords [en]
Software security, Static analysis, Static code analysis, Vulnerabilities
National subject category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-7006
DOI: 10.1002/spe.2109
ISI: 000314926900001
Local ID: oai:bth.se:forskinfo3B2CC72BC40A4F02C1257AC900348970
OAI: oai:DiVA.org:bth-7006
DiVA id: diva2:834575
Available from: 2013-03-15. Created: 2012-12-03. Last updated: 2018-01-11. Bibliographically reviewed.

Open Access in DiVA

Full text not available in DiVA

Other links

Publisher's full text

Person records

Baca, Dejan; Carlsson, Bengt; Petersen, Kai; Lundberg, Lars
