Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital

Cited by: 25
Authors
Oyetoyan, Tosin Daniel [1 ]
Milosheska, Bisera [2 ]
Grini, Mari [2 ]
Cruzes, Daniela Soares [1 ]
Affiliations
[1] SINTEF Digital, Dept Software Engn Safety & Secur, Trondheim, Norway
[2] Telenor Digital, Oslo, Norway
Source
AGILE PROCESSES IN SOFTWARE ENGINEERING AND EXTREME PROGRAMMING, XP 2018 | 2018 / Vol. 314
Keywords
Security defects; Agile; Static analysis; Static application security testing; Software security;
DOI
10.1007/978-3-319-91602-6_6
CLC classification
TP31 [Computer software];
Discipline classification code
081202 ; 0835 ;
Abstract
It is claimed that integrating agile and security in practice is challenging. There is the notion that security is a heavy process, requires expertise, and consumes developers' time. These contrast with the agile vision. Regardless of these challenges, it is important for organizations to address security within their agile processes, since critical assets must be protected against attacks. One way is to integrate tools that can help identify security weaknesses during implementation and suggest methods to refactor them. We used quantitative and qualitative approaches to investigate the efficiency of the tools and what they mean to their actual users (i.e. developers) at Telenor Digital. Our findings, although not surprising, show that several barriers exist, both in terms of the tools' performance and of developers' perceptions. We suggest practical ways for improvement.
Pages: 86 / 103
Page count: 18