Evaluating the cost reduction of static code analysis for software security

PLAS'08: Proceedings of the ACM SIGPLAN 3rd Workshop on Programming Languages and Analysis for Security

Volumn , Issue , 2008, Pages 79-88

  Baca, Dejan ^a   Carlsson, Bengt ^a   Lundberg, Lars ^a  

^a BLEKINGE INSTITUTE OF TECHNOLOGY   (Sweden)

Author keywords

Code quality improvement; Cost reduction; Covertly prevent; Early fault detection; False positive; Security; Source code; Static code analysis; Trouble report

Indexed keywords

CODES (SYMBOLS); COMPUTER SOFTWARE; COMPUTER SOFTWARE SELECTION AND EVALUATION; COMPUTERS; COST REDUCTION; FAULT DETECTION; LINGUISTICS; STATIC ANALYSIS; TECHNICAL PRESENTATIONS;

CODE QUALITY IMPROVEMENT; COVERTLY PREVENT; EARLY FAULT DETECTION; FALSE POSITIVE; SECURITY; SOURCE CODE; STATIC CODE ANALYSIS; TROUBLE REPORT;

COST BENEFIT ANALYSIS;

EID: 57349136732     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1375696.1375707     Document Type: Conference Paper

References (17)

1. J. Viega and G. McGraw, Building Secure Software: How to Avoid Security Problems in the Right Way. Addison Wesley, 2002.
2. A. Pretschner, W. Prenninger, S.Wagner, C. K̈uhnel, M. Baumgartner, B. Sostawa, R. Z̈olch, and T, Stauner. "One Evaluation of Model-Based Testing and its Automation." In Proc. 27th International Conference on Software Engineering (ICSE'05), 2005.
3. S. Lipner, The Trustworthy Computing Security Development Lifecycle, Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), p.2-13, 2004
4. S.C. Johnson., "Lint, a C program checker" Computer Science Tech. report 65, Bell Laboratories, 1978.
5. B. Chess and G. McGraw. Static Analysis for Security. IEEE Security and Privacy, 2(6), 2004.
6. D. Evans and D. Larochelle , "Improving security using extensible lightweight static analysis," IEEE Softw., vol. 19 (1) 42-51, 2002.
7. J. Sehuh and D. Stampley, CODE SCANNERS: FALSE Sense of Security?, Network Computing, 18, 7, ABI/INFORM Globalpg. 45, 2007
8. B. Carlsson., and D. Baca, "Software Security Analysis - Managing Source Code Audit", 31st EUROMICRO Conference, 2005.
9. V. Okun, W. F. Guthrie, R. Gaucher, P. E. Black, "Effect of static analysis tools on software security: preliminary investigation", Proceedings of Quality of Protection, p.1-5, 2007
10. Tsipenyui, K., B. Chess, and G. McGraw, "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors," presented at Automated Software Engineering, Long Beach, CA, 2005.
11. C.E. Landwehr, "Formal Models for Computer Security," ACM Computing Surveys 13(3), 247-278 1981.
12. S. Hallem, B. Chelf, Y. Xie, and D. Engler. A system and language for building system-specific, static analyses. Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2002.
13. Coverity Prevent manual.
14. L. Damm, "Faults-Slip-Through A Concept of Measuring the Efficiency of the Test Process", Journal of Software Process: Improving and Practice, Wiley InterScience, 11(1), pp. 47-59, 2006.
15. Boehm, B. and Basili, V. Software Defect Reduction Top 10 List, IEEE Computer, Vol. 34, No. 1, January 2001.
16. Briand, L.C., Emam, K. El, Freimut, B.G., Laitenberger, O., A Comprehensive Evaluation of Capture-Recapture Models for Estimating Software Defect content. IEEE Transactions on Software Engineering, 26:6, 518-540, 2000.
17. Boehm B. 1983. Software Engineering Economics. PrenticeHall: Englewood Cliffs, NJ, USA.