On the adoption of static analysis for software security assessment - A case study of an open-source e-government project

Cited by: 13
Authors
Anh Nguyen-Duc [1 ]
Manh Viet Do [2 ]
Quan Luong Hong [2 ]
Kiem Nguyen Khac [3 ]
Anh Nguyen Quang [4 ]
Affiliations
[1] Univ South Eastern Norway, Notodden, Norway
[2] MQ ICT SOLUT, Viet Nam, Hanoi, Vietnam
[3] Hanoi Univ Sci & Technol, Hanoi, Vietnam
[4] Univ Transport & Commun, Hanoi, Vietnam
Keywords
Security testing; Software vulnerability; SAST; Case studies; Experiments; Combined SAST tools; empirical study; e-government;
DOI
10.1016/j.cose.2021.102470
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
Static Application Security Testing (SAST) is a popular quality assurance technique in software engineering. However, integrating SAST tools into industry-level product development for security assessment poses various technical and managerial challenges. In this work, we report results from a case study of adopting SAST as part of a human-driven security assessment process in an open-source e-government project. We describe how SAST tools are selected, evaluated, and combined into a novel approach that security experts then adopted for software security assessment. The approach was preliminarily evaluated using semi-structured interviews. Our results show that while some SAST tools outperform others, better performance can be achieved by combining more than one SAST tool. The combined approach has the potential to aid the security assessment process for open-source software. (c) 2021 Published by Elsevier Ltd.
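The abstract's central claim is that combining several SAST tools beats any single one. The following is an added illustration of what that combination looks like in practice, not code from the paper or from any of the tools it evaluated: findings from two hypothetical tools ("toolA", "toolB") are merged, duplicates are collapsed when two tools flag the same file and CWE within a small line window (the window of 2 lines is an assumption), and precision and recall of each tool, of their union, and of the findings both tools agree on are computed against a constructed set of manually confirmed defects. The union raises recall at some cost in precision; the intersection does the reverse, which is the trade-off a security assessor has to manage when triaging combined output.

```python
"""Combining SAST reports: union for recall, agreement for precision.

Added example. The tools, paths, CWE ids and ground truth below are all
constructed for illustration; none of it is data from the paper.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    """One SAST warning reduced to the fields needed to compare tools.

    Real tools emit much more (SARIF rule ids, severity, data-flow
    traces); file, line and CWE suffice to decide whether two tools are
    flagging the same defect.
    """
    tool: str
    path: str
    line: int
    cwe: int


def same_defect(a: Finding, b: Finding, tol: int = 2) -> bool:
    """Same file, same CWE, and within `tol` lines of each other.

    Tools disagree on whether to flag the tainted assignment or the sink
    statement, hence the tolerance. The value 2 is an assumption.
    """
    return a.path == b.path and a.cwe == b.cwe and abs(a.line - b.line) <= tol


def merge_reports(reports: Iterable[List[Finding]], tol: int = 2) -> List[Tuple[Finding, Set[str]]]:
    """Union of several tools' reports with duplicates collapsed.

    Returns (representative finding, set of tools that reported it).
    """
    merged: List[Tuple[Finding, Set[str]]] = []
    for report in reports:
        for f in report:
            for rep, tools in merged:
                if same_defect(f, rep, tol):
                    tools.add(f.tool)
                    break
            else:
                merged.append((f, {f.tool}))
    return merged


def agreed_by(merged: List[Tuple[Finding, Set[str]]], min_tools: int = 2) -> List[Finding]:
    """Intersection view: keep only findings at least `min_tools` tools share."""
    return [f for f, tools in merged if len(tools) >= min_tools]


def precision_recall(findings: List[Finding], truth: List[Finding], tol: int = 2) -> Tuple[float, float]:
    """Precision: share of reported findings that match a confirmed defect.
    Recall: share of confirmed defects that some finding matches."""
    if not findings or not truth:
        return 0.0, 0.0
    tp = sum(1 for f in findings if any(same_defect(f, t, tol) for t in truth))
    found = sum(1 for t in truth if any(same_defect(f, t, tol) for f in findings))
    return tp / len(findings), found / len(truth)


# Constructed ground truth: defects confirmed by manual review of a toy app.
GROUND_TRUTH = [
    Finding("review", "app/login.py", 42, 89),    # SQL injection
    Finding("review", "app/upload.py", 17, 22),   # path traversal
    Finding("review", "app/render.py", 88, 79),   # cross-site scripting
    Finding("review", "app/crypto.py", 10, 327),  # broken or risky cipher
]

# Constructed reports from two hypothetical tools.
TOOL_A = [
    Finding("toolA", "app/login.py", 43, 89),    # true positive, flags the sink line
    Finding("toolA", "app/render.py", 88, 79),   # true positive
    Finding("toolA", "app/util.py", 5, 78),      # false positive
]
TOOL_B = [
    Finding("toolB", "app/upload.py", 17, 22),   # true positive
    Finding("toolB", "app/render.py", 89, 79),   # same XSS as toolA, one line off
    Finding("toolB", "app/config.py", 3, 798),   # false positive
]


def run_example() -> Dict[str, Tuple[float, float]]:
    """Precision/recall of each tool alone, of their union, and of the
    findings both tools agree on."""
    merged = merge_reports([TOOL_A, TOOL_B])
    union = [f for f, _ in merged]
    return {
        "toolA": precision_recall(TOOL_A, GROUND_TRUTH),
        "toolB": precision_recall(TOOL_B, GROUND_TRUTH),
        "union": precision_recall(union, GROUND_TRUTH),
        "agreed": precision_recall(agreed_by(merged), GROUND_TRUTH),
    }


if __name__ == "__main__":
    for name, (p, r) in run_example().items():
        print(f"{name:7s} precision={p:.2f} recall={r:.2f}")
```

With this data each tool alone reaches recall 0.50 at precision 0.67; the union finds three of the four confirmed defects (recall 0.75) while precision drops to 0.60 because both tools' false positives survive; the agreed-on set is perfectly precise but finds only the one XSS. Whether the union or the agreement view is the right default depends on how much triage effort the assessors can spend, which is exactly the kind of managerial trade-off the abstract refers to.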
Pages: 14
Related papers (cited references)
29 items in total
  • [1] An empirical study of security warnings from static application security testing tools
    Aloraini, Bushra
    Nagappan, Meiyappan
    German, Daniel M.
    Hayashi, Shinpei
    Higo, Yoshiki
    [J]. JOURNAL OF SYSTEMS AND SOFTWARE, 2019, 158
  • [2] Identifying Security Risks of Digital Transformation - An Engineering Perspective
    Nguyen-Duc, Anh
    Chirumamilla, Aparna
    [J]. DIGITAL TRANSFORMATION FOR A SUSTAINABLE SOCIETY IN THE 21ST CENTURY, 2019, 11701 : 677 - 688
  • [3] [Anonymous], 2007, SPEC PUBL, P500
  • [4] Improving software security with static automated code analysis in an industry setting
    Baca, Dejan
    Carlsson, Bengt
    Petersen, Kai
    Lundberg, Lars
    [J]. SOFTWARE-PRACTICE & EXPERIENCE, 2013, 43 (03) : 259 - 279
  • [5] Trust and risk in e-government adoption
    Belanger, France
    Carter, Lemuria
    [J]. JOURNAL OF STRATEGIC INFORMATION SYSTEMS, 2008, 17 (02) : 165 - 176
  • [6] Moving Fast with Software Verification
    Calcagno, Cristiano
    Distefano, Dino
    Dubreil, Jeremy
    Gabi, Dominik
    Hooimeijer, Pieter
    Luca, Martino
    O'Hearn, Peter
    Papakonstantinou, Irene
    Purbrick, Jim
    Rodriguez, Dulma
    [J]. NASA FORMAL METHODS (NFM 2015), 2015, 9058 : 3 - 11
  • [7] Carlos E, 2012, E GOVT, V11
  • [8] Charest T, 2016, PROCEEDINGS OF THE 11TH INTERNATIONAL CONFERENCE ON CYBER WARFARE AND SECURITY (ICCWS 2016), P431
  • [9] Static analysis for security
    Chess, B
    McGraw, G
    [J]. IEEE SECURITY & PRIVACY, 2004, 2 (06) : 76 - 79
  • [10] Churchill Dulma, FACEBOOK CODE BLOG P