Static Code Analysis to Detect Software Security Vulnerabilities: Does Experience Matter?
2009 (English). Conference paper, Published paper (Refereed). Published
Abstract [en]

Code reviews with static analysis tools are today recommended by several security development processes. Developers are expected to use the tools' output to detect the security threats they themselves have introduced in the source code. This approach assumes that all developers can correctly identify a warning from a static analysis tool (SAT) as a security threat that needs to be corrected. We have conducted an industry experiment with a state of the art static analysis tool and real vulnerabilities. We have found that average developers do not correctly identify the security warnings and only developers with specific experiences are better than chance in detecting the security vulnerabilities. Specific SAT experience more than doubled the number of correct answers and a combination of security experience and SAT experience almost tripled the number of correct security answers.

Place, publisher, year, edition, pages
Fukuoka, Japan: IEEE Computer Society Press , 2009.
Keywords [en]
security, vulnerabilities, static code analysis, coverity, prevent, industry experiment, static analysis, experience, software security
National Category
Software Engineering; Computer Sciences
Identifiers
URN: urn:nbn:se:bth-8044
DOI: 10.1109/ARES.2009.163
Local ID: oai:bth.se:forskinfo8356A6664A406D77C12575E100404D07
OAI: oai:DiVA.org:bth-8044
DiVA, id: diva2:835728
Conference
International Conference on Availability, Reliability and Security ARES
Available from: 2012-09-18. Created: 2009-06-26. Last updated: 2021-06-11. Bibliographically approved.

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text

Authority records

Petersen, Kai; Carlsson, Bengt; Lundberg, Lars
